[Freeipa-devel] [PATCH] add more delegation rules
Rob Crittenden
rcritten at redhat.com
Mon Mar 30 14:18:51 UTC 2009
Simo Sorce wrote:
> On Wed, 2009-03-25 at 11:17 -0400, Rob Crittenden wrote:
>> Fill in the ACIs and taskgroups for most of the plugins.
>>
>> This adds:
>> group administration
>> host administration
>> host group administration
>> delegation administration
>> service administration
>> automount administration
>> netgroup administration
>>
>> So far I've focused on granting write/add/del permissions. At some
>> point I may add in read/search ACIs as well.
>>
>> This still isn't going to, by default, allow one to grant write access
>> to different containers as we still have a flat tree. The way that can
>> be handled is by setting some attribute (say ou) to a value and then
>> adding that to the ACI. How one would do this without manually updating
>> the ACI by hand is still up in the air. It may be that we still won't
>> support it directly but doing so will be a lot more possible in v2.
>
> ack
>
> although I wonder if just allowing 'add'/'delete' is always sufficient
> and you don't need 'write' ?
>
> Simo.
>
add lets you write any attribute during entry creation. Likewise delete
permission lets you delete an entire entry, even if you lack write
permission on one or more of the attributes.
rob