[Freeipa-devel] Separating admin policy create role from deploy role
Dmitri Pal
dpal at redhat.com
Wed Jan 28 19:19:18 UTC 2009
Nathan Kinder wrote:
> Karl Wirth wrote:
>> Hi,
>>
>> With IPA v2, I think we should make it easy for an organization to
>> set up the following two different admin roles:
>> 1) Able to create a policy but can't deploy it
>> 2) Able to check and deploy a policy but not create it.
>> I think this fits with the controls many organizations have.
>>
>> Might it be possible to accomplish this using the DS ACIs to
>> restrict access to the policies and the policy links?
> We could handle this using ACIs in DS depending on how a policy is
> "deployed". If we have a particular attribute that is used as a flag
> to "deploy" the policy, user #2 could have write access to this one
> attribute in the policy portion of the tree while being able to read
> the rest of the policy for checking.
>
> User #1 would be able to write all of the policy attributes except for
> the "deploy" flag attribute.
Yes. We have this scenario in mind and yes there is an attribute that we
can key off.
>>
>> Best regards,
>> Karl
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
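Added here as an illustration of the split Nathan describes, not code from the thread or from FreeIPA: three 389 DS style ACIs on a policy container. The attribute name deployFlag, the container cn=policies,dc=example,dc=com and the two group DNs are assumed placeholders; the real flag attribute Dmitri refers to is not named in the thread.

```ldif
# Constructed example. Assumed: each policy is an entry under
# cn=policies,dc=example,dc=com and deployFlag (placeholder name) is the
# attribute whose value marks the policy as deployed.
dn: cn=policies,dc=example,dc=com
changetype: modify
add: aci
# Role 1, policy authors: may create policy entries and write every
# attribute EXCEPT the deploy flag. targetattr != "deployFlag" means
# "all attributes other than deployFlag", so an add or modify that
# touches deployFlag is refused for this group.
aci: (target = "ldap:///cn=*,cn=policies,dc=example,dc=com")
 (targetattr != "deployFlag")
 (version 3.0; acl "policy authors: create and edit, never deploy";
 allow (read, search, compare, add, write)
 groupdn = "ldap:///cn=policy-authors,cn=groups,dc=example,dc=com";)
-
add: aci
# Role 2, policy deployers, part one: read the whole policy so it can be
# reviewed. No add, delete or general write, so they cannot author.
aci: (target = "ldap:///cn=*,cn=policies,dc=example,dc=com")
 (targetattr = "*")
 (version 3.0; acl "policy deployers: review only";
 allow (read, search, compare)
 groupdn = "ldap:///cn=policy-deployers,cn=groups,dc=example,dc=com";)
-
add: aci
# Role 2, part two: write access to the single deploy flag attribute.
# An ACI carries one targetattr expression, hence the separate entry.
aci: (target = "ldap:///cn=*,cn=policies,dc=example,dc=com")
 (targetattr = "deployFlag")
 (version 3.0; acl "policy deployers: set deploy flag";
 allow (write)
 groupdn = "ldap:///cn=policy-deployers,cn=groups,dc=example,dc=com";)
```

Apply with ldapmodify as a directory administrator, then verify the separation by binding as a member of each group and attempting the operation that group must not be able to perform (an author setting deployFlag, a deployer adding a policy entry); 389 DS's Get Effective Rights control gives the same answer without attempting the write.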