[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Standa Laznicka slaznick at redhat.com
Thu Sep 1 14:35:23 UTC 2016


On 09/01/2016 03:06 PM, Simo Sorce wrote:
> On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote:
>> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon
>> addition of a time rule to a certain HBAC rule.
> Honestly I am against this.
>
> If you really want the two objects to be incompatible then you tell the
> admin he can't add time rules to old objects.
> The new object type should be clearly identified as a new rule type and the
> admin will have to create a new rule of the correct type and
> remove/disable or retain the old rule as he prefers.
>
> I do not think we should ever try to switch objectclasses dynamically.
>
> Simo.
>
A child's question: why not?

Also, should it come to life like you propose, what would you expect the 
user interface to be like?
