On 02/10/2011 09:42 PM, Rob Crittenden wrote:
One of the features of IPAv2 is it is much easier to delegate
permissions to perform tasks (add, delete, modify, etc).

This delegation is broken out into three pieces:

* permissions
* privileges
* roles

A permission is a very low-level object that says who can do what to
whom. These permissions are grouped together into permissions so one can
perform a whole task. This is needed for something like adding a user
which requires a couple of different permissions such as actually writing
the user entry, adding the user to the default group and setting the
password.

A role is a collection of privileges and the users/groups that are
granted those privileges.

Right now we are defining a single role, helpdesk, and have assigned no
privileges to that yet. I was thinking about just assigning it the
ability to reset passwords.

But what other roles do we need? The mind boggles and rather than
dictating what the initial ones will be I'm looking for some
guidance/suggestions.

Thinking about helpdesk: whenever a user joins/leaves a company, the helpdesk needs the privileges to add/delete their user accounts.

I would suggest all the privileges like:
- creating users
- resetting passwords
- deleting users
- disabling user accounts
- unlocking user accounts
- modifying user accounts

Groups are something that are more involved with their respective departments and can be left for the administrators to decide on, whether they would like to upgrade the helpdesk role or create new roles as per their department listings.

thanks

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


--
regards
/shanks
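As an added illustration (not code from the thread or from FreeIPA), here is a small model of the permission -> privilege -> role layering described above, populated with the helpdesk privileges proposed in the reply so one can check what a helpdesk member ends up allowed to do. All permission, privilege, attribute and principal names are constructed for the example.

```python
from collections import defaultdict

class Delegation:
    def __init__(self):
        self.permissions = {}               # name -> (target, right, attr)
        self.privileges = defaultdict(set)  # name -> permission names
        self.roles = defaultdict(set)       # name -> privilege names
        self.members = defaultdict(set)     # role name -> principals

    def add_permission(self, name, target, right, attr=None):
        # attr=None covers the whole entry (add/delete); a named attr
        # restricts a write to that single attribute.
        self.permissions[name] = (target, right, attr)

    def add_privilege(self, name, *permissions):
        missing = set(permissions) - set(self.permissions)
        if missing:  # refuse a privilege that points at undefined permissions
            raise KeyError(f"unknown permissions: {sorted(missing)}")
        self.privileges[name].update(permissions)

    def add_role(self, name, privileges, members):
        self.roles[name].update(privileges)
        self.members[name].update(members)

    def effective_permissions(self, principal):
        # Resolve principal -> roles -> privileges -> permission tuples.
        return {self.permissions[p]
                for role, who in self.members.items() if principal in who
                for priv in self.roles[role]
                for p in self.privileges[priv]}

    def allowed(self, principal, target, right, attr=None):
        # Exact match only: writing userpassword grants no other attribute,
        # and add/delete on users says nothing about groups.
        return (target, right, attr) in self.effective_permissions(principal)

def helpdesk_example():
    # Constructed sample built from the privileges proposed in the reply.
    d = Delegation()
    d.add_permission("add user", "user", "add")
    d.add_permission("delete user", "user", "delete")
    d.add_permission("write userpassword", "user", "write", "userpassword")
    d.add_permission("write nsaccountlock", "user", "write", "nsaccountlock")
    d.add_permission("delete group", "group", "delete")  # defined, not granted
    d.add_privilege("User Administration", "add user", "delete user")
    d.add_privilege("Password Reset", "write userpassword")
    d.add_privilege("Account Lock Control", "write nsaccountlock")
    d.add_role("helpdesk", ["User Administration", "Password Reset",
                            "Account Lock Control"], ["hd1"])
    return d
```

Group administration stays outside the helpdesk role, so a check such as `allowed("hd1", "group", "delete")` comes back false even though the permission itself is defined.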
