[Freeipa-devel] [PATCH] add more delegation rules

Simo Sorce ssorce at redhat.com
Fri Mar 27 20:09:02 UTC 2009


On Wed, 2009-03-25 at 11:17 -0400, Rob Crittenden wrote:
> Fill in the ACIs and taskgroups for most of the plugins.
> 
> This adds:
> group administration
> host administration
> host group administration
> delegation administration
> service administration
> automount administration
> netgroup administration
> 
> So far I've focused on granting write/add/del permissions. At some
> point I may add in read/search ACIs as well.
> 
> This still isn't going to, by default, allow one to grant write access
> to different containers as we still have a flat tree. The way that can
> be handled is by setting some attribute (say ou) to a value and then
> adding that to the ACI. How one would do this without manually updating
> the ACI by hand is still up in the air. It may be that we still won't
> support it directly but doing so will be a lot more possible in v2.

ack

although I wonder if just allowing 'add'/'delete' is always sufficient
and you don't need 'write'?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



