[Freeipa-devel] [PATCH 0049] Add support for protected tokens

Nathaniel McCallum npmccallum at redhat.com
Mon May 5 16:42:40 UTC 2014

This also constitutes a rethinking of the token ACIs after the
introduction of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret
data for tokens assigned to them, whether protected or non-protected.
Users can add or delete non-protected tokens and modify most of their
metadata. However, they cannot create, delete or modify protected tokens.
Regardless of whether the token is protected or not, users cannot change
a token's ownership or unique identity.

In contrast, admins can create protected tokens. This protects the token
from deletion or modification when assigned to users. Additionally, when
a user account is deleted, the assigned non-protected tokens are deleted
but the protected tokens are merely orphaned. This permits the token to
be reassigned without having to recreate it. This last point is
particularly useful in the case of hardware tokens.


NOTE: This patch depends on my patch 0048.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0049-Add-support-for-protected-tokens.patch
Type: text/x-patch
Size: 13903 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140505/5050dc59/attachment.bin>
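As an added illustration (not code from the patch; FreeIPA enforces these rules as LDAP ACIs), a small Python model of the permission matrix and the user-deletion cascade the post describes. The role split (admin vs. user) and the attribute names are assumptions chosen for the example.

```python
"""Model of the OTP token access rules described in the post.

Constructed illustration, not FreeIPA's real LDAP ACIs: the attribute
names below and the two roles (admin/user) are simplifications.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Attributes the post treats specially (assumed names, not real schema).
SECRET_ATTRS = {"key"}                 # never readable by non-admins
IDENTITY_ATTRS = {"owner", "uuid"}     # users may never change these


@dataclass
class Token:
    uuid: str
    owner: Optional[str]               # None means orphaned
    protected: bool
    attrs: Dict[str, str] = field(default_factory=dict)


def permitted(actor: str, is_admin: bool, op: str, token: Token,
              attr: Optional[str] = None) -> bool:
    """True if `actor` may perform `op` ('read', 'modify', 'add',
    'delete') on `token`, optionally restricted to one attribute."""
    if is_admin:
        return True                    # admins keep full access
    if token.owner != actor:
        return False                   # users only see their own tokens
    if op == "read":
        return attr not in SECRET_ATTRS
    if token.protected:
        return False                   # no add/modify/delete of protected tokens
    if op == "modify":
        return attr not in IDENTITY_ATTRS
    return op in ("add", "delete")


def delete_user(store: Dict[str, Token], uid: str) -> Dict[str, Token]:
    """Cascade of a user deletion: non-protected tokens vanish, protected
    tokens stay behind with no owner so an admin can reassign them."""
    remaining: Dict[str, Token] = {}
    for uuid, tok in store.items():
        if tok.owner != uid:
            remaining[uuid] = tok
        elif tok.protected:
            remaining[uuid] = Token(tok.uuid, None, True, dict(tok.attrs))
    return remaining
```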
