[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Martin Kosek mkosek at redhat.com
Wed Apr 9 15:17:31 UTC 2014

On 04/09/2014 04:54 PM, Petr Viktorin wrote:
> The meta-permissions.


> Read access is given to all authenticated users. Reading membership info (i.e.
> privileges) is split into a separate permission.
> Another permission is added that allows read access to all ACIs.
> If we don't want to open that up for everyone, I could limit this to only ACIs
> containing "permission:". (Since old-style permissions store their information
> in ACIs, their ACIs need to be readable.)

If I read the notes from our DevConf discussion correctly, there are some

1) We decided to not do special membership permission for
permission/privilege/role permissions.

2) We decided to give read access to permissions, privileges and roles only to
member of a certain privilege. Is there any reason to not do that? IMO, regular
users do not need to be able to read the permission/privilege/role
configuration of a FreeIPA installation to use it for IdM.


More information about the Freeipa-devel mailing list