[Freeipa-devel] Help define the roles IPA has by default

Adam Young ayoung at redhat.com
Thu Feb 10 18:49:08 UTC 2011


On 02/10/2011 01:11 PM, Jan Zeleny wrote:
> Rob Crittenden<rcritten at redhat.com>  wrote:
>> One of the features of IPAv2 is it is much easier to delegate
>> permissions to perform tasks (add, delete, modify, etc).
>>
>> This delegation is broken out into three pieces:
>>
>>    * permissions
>>    * privileges
>>    * roles
>>
>> A permission is a very low-level object that says who can do what to
>> whom. These permissions are grouped together into permissions so one can
>> perform a whole task. This is needed for something like adding a user
>> which requires a couple of different permissions such as actually writing
>> the user entry, adding the user to the default group and setting the
>> password.
>>
>> A role is a collection of privileges and the users/groups that are
>> granted those privileges.
>>
>> Right now we are defining a single role, helpdesk, and have assigned no
>> privileges to that yet. I was thinking about just assigning it the
>> ability to reset passwords.
>>
>> But what other roles do we need? The mind boggles and rather than
>> dictating what the initial ones will be I'm looking for some
>> guidance/suggestions.
> I think a role called something like "IT" might be good. Their privileges
> would cover mainly access to different parts of the network. They should have
> privileges to manage:
> - hosts
> - hostgroups
> - hbac rules
> - sudo rules?
> - dns
> - groups (for example to create new group of users which will have access to a
> particular machine)
> - services
>
> Now looking at the list, this group can be split into two - one managing the
> hosts/services and one granting users access.
>
> Jan
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Desktop support:  needs to be able to add a new host to the server.  
Probably means they need delete host as well.  Can't mess with the user 
info.  Right now, they would also need to be able to create the A 
record, too.

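The three-level model Rob lays out above (permissions bundled into privileges, privileges tied to people via roles), together with the "helpdesk", "IT" and "Desktop support" roles sketched in this thread, as an added Python illustration. This is not FreeIPA code: the member names (hank, dana, ivan, desktop-team), the individual permission and privilege names, and the method signatures are made up for the example, and the attribute-level check is a simplified stand-in for the directory ACIs that FreeIPA really generates from permissions.

```python
"""Model of IPAv2's three-level delegation: permission -> privilege -> role.

Added example, not FreeIPA code. Role names come from the thread
("helpdesk", "IT", "Desktop support"); users, groups, permission and
privilege names are invented. The attribute check is a simplified
stand-in for the 389-ds ACIs FreeIPA derives from permissions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """Who may do what to which kind of entry. attrs empty = whole entry."""
    name: str
    rights: frozenset      # subset of {"add", "delete", "write", "read"}
    obj_type: str          # "user", "group", "host", "dnsrecord", ...
    attrs: frozenset = frozenset()

    def allows(self, right, obj_type, attr=None):
        if right not in self.rights or obj_type != self.obj_type:
            return False
        if not self.attrs:          # entry-level grant covers any attribute
            return True
        return attr is not None and attr in self.attrs   # attribute-level


class Delegation:
    """In-memory store loosely mirroring ipa permission-*/privilege-*/role-*."""

    def __init__(self):
        self.permissions = {}  # name -> Permission
        self.privileges = {}   # name -> set of permission names
        self.roles = {}        # name -> {"privileges": set, "members": set}
        self.groups = {}       # group -> set of user names

    def permission_add(self, name, rights, obj_type, attrs=()):
        self.permissions[name] = Permission(
            name, frozenset(rights), obj_type, frozenset(attrs))

    def privilege_add(self, name, *permission_names):
        unknown = set(permission_names) - set(self.permissions)
        if unknown:
            raise KeyError(f"unknown permissions: {sorted(unknown)}")
        self.privileges.setdefault(name, set()).update(permission_names)

    def role_add(self, name, privileges=(), members=()):
        unknown = set(privileges) - set(self.privileges)
        if unknown:
            raise KeyError(f"unknown privileges: {sorted(unknown)}")
        role = self.roles.setdefault(name, {"privileges": set(), "members": set()})
        role["privileges"].update(privileges)
        role["members"].update(members)        # users or groups

    def group_add_member(self, group, *users):
        self.groups.setdefault(group, set()).update(users)

    def effective_permissions(self, user):
        """Resolve user -> groups -> roles -> privileges -> permissions."""
        principals = {user} | {g for g, m in self.groups.items() if user in m}
        perms = set()
        for role in self.roles.values():
            if principals & role["members"]:
                for priv in role["privileges"]:
                    perms.update(self.permissions[p] for p in self.privileges[priv])
        return perms

    def can(self, user, right, obj_type, attr=None):
        return any(p.allows(right, obj_type, attr)
                   for p in self.effective_permissions(user))


def build_default_roles():
    """Roles discussed in the thread; members and low-level names are invented."""
    d = Delegation()
    d.permission_add("Add user entries", ["add"], "user")
    d.permission_add("Modify group membership", ["write"], "group", ["member"])
    d.permission_add("Reset user passwords", ["write"], "user", ["userpassword"])
    d.permission_add("Add host entries", ["add"], "host")
    d.permission_add("Remove host entries", ["delete"], "host")
    d.permission_add("Add DNS records", ["add"], "dnsrecord")
    d.permission_add("Manage HBAC rules", ["add", "delete", "write"], "hbacrule")
    # A privilege bundles everything one task needs: adding a user means
    # writing the entry, adding it to the default group and setting a password.
    d.privilege_add("User Administrators", "Add user entries",
                    "Modify group membership", "Reset user passwords")
    d.privilege_add("Password Reset", "Reset user passwords")
    d.privilege_add("Host Enrollment", "Add host entries", "Remove host entries",
                    "Add DNS records")          # host plus its A record
    d.privilege_add("Access Control", "Manage HBAC rules", "Modify group membership")
    # Roles tie privileges to the users/groups who hold them.
    d.group_add_member("desktop-team", "dana")
    d.role_add("helpdesk", ["Password Reset"], ["hank"])
    d.role_add("Desktop support", ["Host Enrollment"], ["desktop-team"])
    d.role_add("IT", ["Host Enrollment", "Access Control"], ["ivan"])
    return d


if __name__ == "__main__":
    d = build_default_roles()
    print("hank resets a password:", d.can("hank", "write", "user", "userpassword"))
    print("hank adds a user:      ", d.can("hank", "add", "user"))
    print("dana enrolls a host:   ", d.can("dana", "add", "host"))
    print("dana edits a user:     ", d.can("dana", "write", "user", "userpassword"))
```

The point worth checking in a model like this is the attribute boundary: a helpdesk member granted write on userpassword only must not thereby get write on the whole user entry, and a desktop-support member who can add hosts and their A records must get nothing on users at all. In real FreeIPA the same resolution happens in the directory server when it evaluates the ACIs generated from the permissions, so a check like the one in can() is a useful sanity test before committing a new default role.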