[Freeipa-users] Attributes on groups

Rob Crittenden rcritten at redhat.com
Mon Feb 23 15:47:58 UTC 2009


Stefan Stefansson wrote:
> Hello.
> 
> In my situation, I have a number of entities that will be deploying
> the same set of services. For simplicity, let's call these entities
> departments although that's not strictly the case in our situation.
> 
> So each department will deploy a Subversion server, Wiki and possibly
> some other services.
> 
> We're planning on having as much delegation of the administration work
> as possible, by having for example department heads have wiki admin
> rights and the rights to define SVN permissions for their department's
> SVN.
> 
> My question is basically, what is the best way of doing this?
> 
> What we currently have in a very small proof of concept deployment is
> creating groups that reflect all the different roles in their names,
> for example:
> 
> "cs-wiki-admin" (an administrator for the wiki of the School of
> Computer Science)
> "humanobs-wiki-admin" (same as above but only for the humanobs project)
> 
> "cs-svn-admin" (someone who can administer the whole CS SVN repository)
> ... etc, you get the point.
> 
> An example shows how complicated the group names can become:
> cs-svn-foobar-auditor, could be someone with "auditor" rights on a
> single project (foobar) inside the CS SVN repository.
> 
> This can get out of control pretty quickly if/when project owners
> start wanting to do finer grained access controls.
> 
> Another problem that I see with this has to do with delegation. How do
> I specify that anybody in the humanobs-admin group can add users to
> and define permissions on groups that have a name that starts with the
> prefix "humanobs-"?
> 
> So, the question is, is it possible to do this more conveniently? Can
> I create multiple groups called "admin" where each one is somehow
> distinct from the others by specifying the department/project it
> applies to somehow? The Humanobs "admin" group would then only be able
> to control things within the Humanobs project. One could even think of
> having "wiki-admin" and "svn-admin" groups and an "admin"
> supergroup for each of the projects/departments.
> 
> I'm hoping for some discussion about this. If anyone has experience
> with something similar I'd love to hear about it and how it's working
> out. Discussion of the pros/cons of each method would be great.
> 
> Best regards, Stefan Freyr.

Unfortunately IPA doesn't support this type of fine-grained access 
control yet but it is something we're planning to add in the next major 
release.

The current delegation just assigns write access for a predefined set of 
attributes from group A to group B. It doesn't provide control over 
discrete parts of the tree, support for controlling who can add/remove 
entries, etc.

The new system will provide the ability to delegate entry management 
(add, delete, etc) but that too will be global. We would need to add the 
concept of user containers to IPA to be able to delegate this level of 
user management. Right now all users are written to the same place in 
the DIT so if you have add access there you can add a user.

It sounds like what you'd like is to be able to create separate areas in the 
LDAP tree to separate users, is that right?

rob
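As an added illustration of the prefix-based delegation Stefan asks about (example code written for this page, not from the thread or from IPA itself), here is a small policy check over a constructed membership table. The group names and members are made up; the check is delimiter-aware, so a "cs-" scope does not cover a "csx-..." group, and it refuses to let a "<scope>-admin" group manage itself, so membership in the delegating group cannot be self-granted.

```python
from typing import Dict, List, Optional, Set

# Constructed membership table (group name -> members), following the
# "<scope>-<service>-[<project>-]<role>" naming scheme from the question.
GROUPS: Dict[str, Set[str]] = {
    "humanobs-admin": {"alice"},
    "humanobs-wiki-admin": {"bob"},
    "cs-admin": {"carol"},
    "cs-svn-foobar-auditor": {"dave"},
    "csx-wiki-admin": {"erin"},   # a scope whose name merely starts with "cs"
}

ADMIN_SUFFIX = "-admin"


def delegating_prefix(group: str) -> Optional[str]:
    """Return the name prefix a '<scope>-admin' group may manage, or None
    for groups that delegate nothing. The trailing '-' is kept on purpose:
    "humanobs-admin" -> "humanobs-", so "humanobsx-..." is not covered."""
    if not group.endswith(ADMIN_SUFFIX) or group == ADMIN_SUFFIX.lstrip("-"):
        return None
    return group[: -len(ADMIN_SUFFIX) + 1]


def can_manage(user: str, target: str, groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """True if `user` belongs to some '<scope>-admin' group whose scope prefix
    covers `target`. An admin group never manages itself: otherwise any member
    could add arbitrary users to the delegating group."""
    for name, members in groups.items():
        if user not in members:
            continue
        prefix = delegating_prefix(name)
        if prefix is None or target == name:
            continue
        if target.startswith(prefix):
            return True
    return False


def managed_groups(user: str, groups: Dict[str, Set[str]] = GROUPS) -> List[str]:
    """Audit helper: every group `user` is allowed to manage under the rule."""
    return sorted(g for g in groups if can_manage(user, g, groups))


if __name__ == "__main__":
    for person in ("alice", "bob", "carol", "dave"):
        print(person, "->", managed_groups(person))
```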
