<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 04/15/2013 11:11 AM, Chandan Kumar wrote:
<blockquote
cite="mid:CAD=CKMDobf16aE0fz_4xsp_H8MZS52HbUp9L_F664DnCVxw8iA@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>I think controlling the visibility of tabs would be the best
option, if possible, based on roles as mentioned by Rob. As long
as other entries are not visible in the UI, even though they have
read-only access with the command line, that should be enough.</div>
<br>
</blockquote>
<br>
It would not be a security feature though, just a convenience,
because the same admin would be able to bind directly to LDAP and
run a search. This is why we did not go this route. Yes, we can hide
panels, but it would not mean that the user can't easily get that
info. So is there really value in hiding? So far we did not see
any; this is why we did not do it, but maybe you have some arguments
that might convince us that we are wrong. Can you please share these
arguments with us?<br>
<br>
<blockquote
cite="mid:CAD=CKMDobf16aE0fz_4xsp_H8MZS52HbUp9L_F664DnCVxw8iA@mail.gmail.com"
type="cite"><br>
On Monday, April 15, 2013, Alexander Bokovoy wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, 15 Apr
2013, Petr Spacek wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On 15.4.2013 15:39, Rob Crittenden wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
There is no easy way to do this. We start with granting all
authenticated users read access to the tree with the exception of
certain attributes (like passwords).<br>
<br>
You'd have to start by removing that, then one by one granting read
access to the various containers based on, well, something.<br>
</blockquote>
<br>
Would it be possible to create a new role to allow current
'read-all access' and add this role to all users by default?<br>
<br>
It could be much simpler to change the behaviour with this
role, or not? :-)<br>
</blockquote>
It would affect service accounts (including host/fqdn@REALM) since
roles cannot be applied to them, if I remember correctly. We would
need to make an exclusive ACI that allows all services to gain read
only access...<br>
<br>
-- <br>
/ Alexander Bokovoy<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
<br>
<br>
-- <br>
<br>
<div>--</div>
<div><a moz-do-not-send="true" href="http://about.me/chandank"
target="_blank">http://about.me/chandank</a><br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
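<p>An added illustration, not part of the thread and not FreeIPA's own code: a toy Python model of how read ACIs like the ones discussed above are evaluated against the bound identity. It shows that a hidden UI tab never enters the access decision, and that replacing the broad read-all grant with a role-based grant leaves service principals out unless a separate ACI matches them. The base DN, user and service DNs, the password attribute list and the ACI shapes are constructed and greatly simplified compared with real 389-ds ACI semantics.</p>

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Aci:
    name: str
    target: str              # subtree the ACI applies to
    excluded: frozenset      # attributes in targetattr != "a || b" (lowercase)
    kind: str                # "userdn" (pattern "all" or a DN glob) or "groupdn" (role/group)
    who: object              # pattern string for userdn, frozenset of member DNs for groupdn

def in_subtree(entry_dn, subtree):
    e, s = entry_dn.lower(), subtree.lower()
    return e == s or e.endswith("," + s)

def can_read(acis, bind_dn, entry_dn, attr):
    """Deny by default; allow only if some ACI covers this entry, attribute and bound identity."""
    if bind_dn is None:                      # anonymous bind: nothing here grants to anyone
        return False
    for aci in acis:
        if not in_subtree(entry_dn, aci.target) or attr.lower() in aci.excluded:
            continue
        if aci.kind == "userdn" and (aci.who == "all" or
                                     fnmatch.fnmatchcase(bind_dn.lower(), aci.who.lower())):
            return True
        if aci.kind == "groupdn" and bind_dn in aci.who:
            return True
    return False

# Constructed directory (hypothetical): a base DN, two users, one service principal.
BASE = "dc=example,dc=com"
USERS = f"cn=users,cn=accounts,{BASE}"
PASSWORDS = frozenset({"userpassword", "krbprincipalkey", "passwordhistory"})
BOB, ALICE = f"uid=bob,{USERS}", f"uid=alice,{USERS}"
SVC = f"krbprincipalname=HTTP/web1.example.com@EXAMPLE.COM,cn=services,cn=accounts,{BASE}"

# 1. The default Rob describes: every authenticated bind reads the tree, passwords excepted.
#    Whether a UI tab is hidden plays no part in this evaluation (Dmitri's point).
DEFAULT = [Aci("read-all for authenticated users", BASE, PASSWORDS, "userdn", "all")]
# 2. Default removed; read granted per container to a role/group of which Bob is a member.
#    Service principals are not role members, so they lose read access (Alexander's point)...
ROLE_ONLY = [Aci("role reads users", USERS, PASSWORDS, "groupdn", frozenset({BOB}))]
# 3. ...unless a separate ACI matches service principals by DN pattern.
WITH_SERVICES = ROLE_ONLY + [Aci("services read users", USERS, PASSWORDS, "userdn",
                                 f"krbprincipalname=*,cn=services,cn=accounts,{BASE}")]

def outcomes():
    return {
        "default/bob/mail": can_read(DEFAULT, BOB, ALICE, "mail"),
        "default/bob/userPassword": can_read(DEFAULT, BOB, ALICE, "userPassword"),
        "default/svc/mail": can_read(DEFAULT, SVC, ALICE, "mail"),
        "role_only/bob/mail": can_read(ROLE_ONLY, BOB, ALICE, "mail"),
        "role_only/svc/mail": can_read(ROLE_ONLY, SVC, ALICE, "mail"),
        "with_services/svc/mail": can_read(WITH_SERVICES, SVC, ALICE, "mail"),
    }
```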
</body>
</html>