[Freeipa-devel] Help define the roles IPA has by default

Rob Crittenden rcritten at redhat.com
Thu Feb 10 16:12:31 UTC 2011


One of the features of IPAv2 is it is much easier to delegate 
permissions to perform tasks (add, delete, modify, etc).

This delegation is broken out into three pieces:

  * permissions
  * privileges
  * roles

A permission is a very low-level object that says who can do what to 
whom. These permissions are grouped together into privileges so one can 
perform a whole task. This is needed for something like adding a user, 
which requires a couple of different permissions such as actually writing 
the user entry, adding the user to the default group and setting the 
password.

A role is a collection of privileges and the users/groups that are 
granted those privileges.

Right now we are defining a single role, helpdesk, and have assigned no 
privileges to that yet. I was thinking about just assigning it the 
ability to reset passwords.

But what other roles do we need? The mind boggles and rather than 
dictating what the initial ones will be I'm looking for some 
guidance/suggestions.

thanks

rob
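As an added example (not from the original thread or the FreeIPA project), the three-level chain above expressed as IPA CLI calls for the helpdesk role the post proposes. The permission and privilege names, the helpdesk-staff group and the attribute list are assumptions; the flag names follow the IPA 2.x command line.

```shell
#!/bin/sh
# Build the delegation chain permission -> privilege -> role for a
# helpdesk role whose only ability is resetting user passwords.
# Names below are constructed for this example; run as an IPA admin
# holding a valid Kerberos ticket.
set -e

PERM="Reset user passwords (example)"
PRIV="Helpdesk Password Reset (example)"
ROLE="helpdesk"
STAFF_GROUP="helpdesk-staff"   # assumed to exist already

# 1. permission: the low-level "who can do what to whom" object.
#    The attribute list is an assumption; check it against your schema.
add_permission() {
    ipa permission-add "$PERM" \
        --type=user \
        --permissions=write \
        --attrs=userpassword,krbprincipalkey
}

# 2. privilege: groups one or more permissions into a complete task
add_privilege() {
    ipa privilege-add "$PRIV" --desc="Reset passwords for ordinary users"
    ipa privilege-add-permission "$PRIV" --permissions="$PERM"
}

# 3. role: a set of privileges plus the users/groups granted them
add_role() {
    ipa role-add "$ROLE" --desc="Help desk staff"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa role-add-member "$ROLE" --groups="$STAFF_GROUP"
}

define_helpdesk_role() {
    add_permission
    add_privilege
    add_role
    # Show the resulting chain so the delegation can be reviewed
    ipa role-show "$ROLE" --all
}

# Only talk to the IPA server when explicitly asked to
if [ "${RUN_IPA:-0}" = "1" ]; then
    define_helpdesk_role
fi
```

Run it with `RUN_IPA=1 sh define_helpdesk_role.sh`; the final role-show lets you confirm that the role carries exactly the one privilege and the one group you intended.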
