[Freeipa-devel] Stage users - inconsistent permission names

David Kupka dkupka at redhat.com
Wed Jun 10 08:01:53 UTC 2015


On 06/10/2015 09:12 AM, Martin Kosek wrote:
> Hello Thierry/David,
>
> I saw the new privileges and permissions for the Staged Users functionality and
> found a couple of spelling/English issues that I think we should fix before Alpha/GA
> so that we can just rename them and not care about upgrade changes.
>
> Namely:
>
> # ipa permission-find stage | grep -i "Permission name"
>    Permission name: System: Add Stage Users by Provisioning and Administrators
>
> Should be "System: Add Stage User"
>
> Permission should not care who will do it, it is the privilege/role's job.
>
>    Permission name: System: Delete modify Stage Users by administrators
>
> Why is Modify and Delete combined in 1 permission?
>
> Should be "System: Modify Stage User" and "System: Remove Stage User"
>
>    Permission name: System: Preserve an active user to a delete Users
>
> Maybe "System: Preserve User"? We do not use "deleted users" but rather
> "preserved users" anyway
>
>    Permission name: System: Reactive delete users
>
> "System: Undelete User" to reflect the command name.
>
>    Permission name: System: Read Stage User kerberos principal key and password
>
> Rather "System: Read Stage User password" - I do not think we need to call out
> the principal key explicitly, but this is negotiable.
>
>    Permission name: System: Read Stage Users by administrators
>
> "System: Read Stage Users"
>
>    Permission name: System: Read/Write delete Users by administrators
>
> This needs to be 2 permissions:
>
> "System: Read Preserved Users"
> "System: Modify Preserved Users"
>
>    Permission name: System: Reset userPassord and kerberos keys of delete users
> by administrator
>
> Rather "System: Reset Preserved User password"
>
>    Permission name: System: Write Active Users RDN by administrators
>
> Rather "System: Modify User RDN"
>
>    Permission name: System: Write Delete Users RDN by administrators
>
> Why is this permission needed, isn't "System: Modify Preserved Users" enough?
>
Hello,
it's probably my fault, I should have paid more attention when reviewing 
the patch set. I created ticket 
https://fedorahosted.org/freeipa/ticket/5057 and can fix it.

-- 
David Kupka



