[Freeipa-users] Attributes on groups

Stefan Stefansson stefan at ru.is
Mon Feb 23 14:25:02 UTC 2009


In my situation, I have a number of entities that will be deploying
the same set of services. For simplicity, let's call these entities
departments although that's not strictly the case in our situation.

So each department will deploy a Subversion server, Wiki and possibly
some other services.

We're planning on having as much delegation of the administration work
as possible, by having for example department heads have wiki admin
rights and the rights to define SVN permissions for their departments.

My question is basically, what is the best way of doing this?

What we currently have in a very small proof of concept deployment is
creating groups that reflect all the different roles in their names,
for example:

"cs-wiki-admin" (an administrator for the wiki of the School of
Computer Science)
"humanobs-wiki-admin" (same as above but only for the humanobs project)

"cs-svn-admin" (someone who can administer the whole CS SVN repository)
... etc, you get the point.

An example shows how complicated the group names can become:
cs-svn-foobar-auditor, could be someone with "auditor" rights on a
single project (foobar) inside the CS SVN repository.

This can get out of control pretty quickly if/when project owners
start wanting to do finer grained access controls.

Another problem that I see with this has to do with delegation. How do
I specify that anybody in the humanobs-admin group can add users to
and define permissions on groups that have a name that starts with the
prefix "humanobs-"?

So, the question is, is it possible to do this more conveniently? Can
I create multiple groups called "admin" where each one is somehow
distinct from the others by specifying the department/project it
applies to somehow? The Humanobs "admin" group would then only be able
to control things within the Humanobs project. One could even think of
having "wiki-admin" and "svn-admin" groups and an "admin"
supergroup for each of the projects/departments.

I'm hoping for some discussion about this. If anyone has experience
with something similar I'd love to hear about it and how it's working
out. Discussion of the pros/cons of each method would be great.

Best regards, Stefan Freyr.
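One way to express the prefix-based delegation asked about above, as an added example that is not part of the original post: a 389 Directory Server ACI (the LDAP server FreeIPA is built on) that lets members of humanobs-admin manage membership of every group whose cn starts with "humanobs-". It assumes FreeIPA's default layout of groups under cn=groups,cn=accounts and the placeholder suffix dc=example,dc=com; adjust both to the real directory.

```ldif
# Constructed example: apply with
#   ldapmodify -x -D "cn=Directory Manager" -W -f humanobs-delegation.ldif
# The ACI is stored on the groups container, so it covers every group below it.
dn: cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///cn=groups,cn=accounts,dc=example,dc=com")(targetfilter="(cn=humanobs-*)")(targetattr="member")(version 3.0; acl "humanobs-admin manages humanobs-* group membership"; allow (write) groupdn="ldap:///cn=humanobs-admin,cn=groups,cn=accounts,dc=example,dc=com";)
```

Caveat: the targetfilter matches on the group name alone, so the name prefix becomes the security boundary; whoever can create or rename groups can move an entry into or out of this delegation, so group creation rights should stay with central administrators.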

