[Freeipa-devel] question about permissions, etc., in groups

Simo Sorce ssorce at redhat.com
Tue Dec 4 14:11:44 UTC 2007


On Tue, 2007-12-04 at 11:04 +1000, David O'Brien wrote:
> Rob Crittenden wrote:
> > David O'Brien wrote:
> >> I read in a thread somewhere that if you deactivate a group, then all
> >> members of that group are also deactivated. The exception being that if
> >> a user is a member of another group that is active, then that user is
> >> still active.
> >>
> >> 1: all users are members of ipauser, right? Can they be removed from
> >> that group? If I and several hundred other users are in GroupA, GroupB,
> >> etc., as well as in ipausers, and you deactivate all but ipausers, then
> >> all that's happened is you've deactivated a bunch of groups. Ah...  with
> >> those groups deactivated, any permissions/delegations that were
> >> associated with those groups go away too. (yes, I'm thinking out
> >> loud...) Did I miss anything else?
> > 
> > Right, by deactivating those groups you deactivate all the users in
> > those groups as well as any groups that may be a member (and thus those
> > members).
> 
> So it's not what I thought?  If I'm in GroupA and GroupB and you
> deactivate either one, I'm deactivated, period? I thought you stayed
> active as long as you were in an active group.

No, it wouldn't make sense.
Think how difficult it would be to be sure all members of a specific group
are inactivated if your reasoning were true.

> > 
> >> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
> >> GroupA, which means I can edit any user in France, but not in Germany.
> >> I'm also in GroupB, which says I can edit Germany but not France. Or
> >> should the administrator be smarter than that?
> > 
> > I believe that deny overrules allow in FDS ACIs. So if you hit any deny
> > along the way of determining permission you are denied.
> 
> ok, I'll write it up as such unless I hear otherwise.

Inactivation is prevalent, unless you specifically override the
attribute manually on the specific user.

(As others have said, we need to test, but if this is not what we get we
need to raise a bug)

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
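The two semantics discussed in this thread (inactivation propagating through nested group membership unless overridden on the user, and "any deny wins" when ACIs conflict) are modelled below in a small Python script. This is an added example, not FreeIPA or Fedora Directory Server code; the group names, users, per-user override attribute and the four ACI tuples are constructed for illustration, and the deny-overrules-allow rule is taken as stated above, not verified against FDS.

```python
"""Toy model of group inactivation and ACI conflict resolution as described
in the thread.  Added example, not FreeIPA/FDS code; all data is constructed."""

from collections import deque

# Constructed sample data: ipausers holds everyone, groupB contains a nested
# group, groupB is deactivated, and carol has a manual per-user override.
GROUP_MEMBERS = {
    "ipausers": {"alice", "bob", "carol", "dave"},
    "groupA": {"alice", "bob"},
    "groupB": {"bob", "carol", "nested"},   # "nested" is a group, not a user
    "nested": {"dave"},
}
INACTIVE_GROUPS = {"groupB"}
USER_OVERRIDE = {"carol": "active"}         # attribute set manually on the user

# Constructed ACIs: (effect, subject group, target country), mirroring the
# GroupA/GroupB France/Germany question above.
ACIS = [
    ("allow", "groupA", "France"),
    ("deny", "groupA", "Germany"),
    ("allow", "groupB", "Germany"),
    ("deny", "groupB", "France"),
]


def expand_group(group, members):
    """Return every user reachable from `group`, following nested groups."""
    users, seen, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, ()):
            if m in members:      # member is itself a group: descend into it
                queue.append(m)
            else:
                users.add(m)
    return users


def user_groups(user, members):
    """All groups the user belongs to, directly or through nesting."""
    return {g for g in members if user in expand_group(g, members)}


def is_user_active(user, members, inactive_groups, overrides):
    """Inactivation propagates from ANY inactive group the user is in
    (directly or via a nested group); membership in some other active group
    does not save the user.  Only an explicit per-user override does."""
    if user in overrides:
        return overrides[user] == "active"
    return not any(user in expand_group(g, members) for g in inactive_groups)


def can_edit(user, country, acis, members):
    """Deny overrules allow: a matching deny from any of the user's groups
    wins outright; otherwise at least one matching allow is required."""
    groups = user_groups(user, members)
    allowed = False
    for effect, subject, target in acis:
        if subject in groups and target == country:
            if effect == "deny":
                return False
            allowed = True
    return allowed


def effective_access(user, country):
    """Combine both rules: an inactive user can edit nothing."""
    if not is_user_active(user, GROUP_MEMBERS, INACTIVE_GROUPS, USER_OVERRIDE):
        return False
    return can_edit(user, country, ACIS, GROUP_MEMBERS)


if __name__ == "__main__":
    for u in sorted(GROUP_MEMBERS["ipausers"]):
        active = is_user_active(u, GROUP_MEMBERS, INACTIVE_GROUPS, USER_OVERRIDE)
        print(u, "active" if active else "inactive",
              {c: effective_access(u, c) for c in ("France", "Germany")})
```

With this data bob is deactivated because groupB is inactive even though groupA is active, dave is deactivated through the nested group, and carol stays active only because of the per-user override. For conflicts, bob (in both groups) can edit neither France nor Germany, since each country is denied by one of his groups.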
