[Freeipa-users] User Roles and access in GUI

Petr Vobornik pvoborni at redhat.com
Tue Apr 16 07:44:20 UTC 2013


On 04/16/2013 01:14 AM, Stephen Ingram wrote:
> On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>   On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>>
>>
>>   I think controlling Visibility of tabs would be the best option, if
>> possible, based on Roles as mentioned by Rob. As long as other entries are
>> not visible in UI, even though they have read only access with command
>> line, should be enough.
>>
>>
>> It would not be a security feature though. Just a convenience because the
>> same admin would be able to bind directly to LDAP and run a search. This is
>> why we did not go this route. Yes we can hide panels but it would not mean
>> that the user can't easily get that info. So is there really a value in
>> hiding? So far we did not see any; this is why we did not do it, but maybe
>> you have some arguments that might convince us that we are wrong. Can you
>> please share these arguments with us?
>>
>
> I wasn't involved in this thread before now, however, in our case we do not
> allow LDAP access (only Kerberos and WebUI) from outside the firewall so there
> *could* be a distinction between the two. I could also present that some
> users have been confused when they log in to change their personal
> information and see a huge list of other users. Of course, they are
> directed to their information first upon login, however, we all know that
> one wrong click can always happen with some users.

We might hide the menu and breadcrumb navigation in self-service. Would that
help? Another possible problem is direct modification of the URL and thus
showing details of another user.

>
> Perhaps it's better to just put together a new WebUI using the Python API,
> however, with the fantastic new password reset page in 3.x, I've become
> lazy and let users access IPA directly.
>
> Steve
>

-- 
Petr Vobornik