<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"> On 04/15/2013 11:11 AM, Chandan Kumar wrote: <blockquote type="cite"> <div><br> </div> <div>I think controlling Visibility of tabs would be the best option, if possible, based on Roles as mentioned by Rob. As long as other entries are not visible in UI, even though they have read only access with command line, should be enough.</div> <br> </blockquote> <br> It would not be a security feature though. Just a convenience because the same admin would be able to bind directly to ldap and run a search. This is why we did not go this route. Yes we can hide panels but it would not mean that the user can't easily get that info. So is there really a value in hiding? So far we did not see any this is why we did not do it, but may be you have some arguments that might convince us that we are wrong. Can you please share these arguments with us?<br></div></blockquote><div><br></div><div style>I wasn't involved in this thread before now, however, in our case we do not allow LDAP access (only Kerberos and WebUI) from outside firewall so there *could* be a distinction between the two. I could also present that some users have been confused when they login to change their personal information and see a huge list of other users. Of course, they are directed to their information first upon login, however, we all know that one wrong click can always happen with some users.</div> <div style><br></div><div style>Perhaps it's better to just put together a new WebUI using the Python API, however, with the fantastic new password reset page in 3.x, I've become lazy and let users access IPA directly.</div> <div style><br></div><div style>Steve</div></div></div></div>