[Freeipa-users] Overall Design of Policy Related Components

Sigbjorn Lie sigbjorn at nixtra.com
Tue Nov 1 08:09:02 UTC 2011


> We decided to back away from trying to provide central RBAC. Our
> experience with multiple projects revealed that there is no one size fits all solution regarding
> RBAC. But we were talking about the general Role
> based access control model, not specific RBAC as Solaris implemented it. The Solaris RBAC is similar
> to sudo and HBAC combined together. Both features are managed by IPA. We also have SELinux policies
> on Linux that can constrain the root access. The user SELinux roles management is on the roadmap
> but HBAC + SUDO should give you the equivalent if not more functionality than
> Solaris RBAC.



It's a false statement that Solaris RBAC is like sudo and HBAC combined. There are so many more
options in the Solaris RBAC when it comes to things such as limiting/granting cpu/memory resources, OS
privileges, based on a group, a project, a user, a service, etc.

Besides, RBAC comes with Solaris; sudo needs to be installed.

And as I understand it, SSSD is required to be installed on Solaris to implement the HBAC rules from
IPA?



Rgds,
Siggi




