Rob Crittenden <rcrit...@redhat.com> wrote:
> One of the features of IPAv2 is it is much easier to delegate
> permissions to perform tasks (add, delete, modify, etc).
>
> This delegation is broken out into three pieces:
>
> * permissions
> * privileges
> * roles
>
> A permission is a very low-level object that says who can do what to
> whom. These permissions are grouped together into permissions so one can
> perform a whole task. This is needed for something like adding a user
> which requires a couple of different permission such as actually writing
> the user entry, adding the user to the default group and setting the
> password.
>
> A role is a collection of privileges and the users/groups that are
> granted those privileges.
>
> Right now we are defining a single role, helpdesk, and have assigned no
> privileges to that yet. I was thinking about just assigning it the
> ability to reset passwords.
>
> But what other roles do we need? The mind boggles and rather than
> dictating what the initial ones will be I'm looking for some
> guidance/suggestions.
I think a role called something like "IT" might be good. Their privileges would cover mainly access to different parts of the network. They should have privileges to manage:

- hosts
- hostgroups
- hbac rules
- sudo rules?
- dns
- groups (for example to create new group of users which will have access to a particular machine)
- services

Now looking at the list, this group can be split into two - one managing the hosts/services and one granting users access.

Jan

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
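The three tiers Rob describes (permission, privilege, role plus members) and the split Jan proposes (one role for hosts/services, one for granting access) can be modelled as a small resolver that answers "can this user perform this right on this object type?". The following is an added, constructed example written for this thread; it is not FreeIPA's code, and every permission, privilege, role, group and user name in it is hypothetical. It shows the point of the middle tier: a whole task such as "add a user" needs several low-level permissions, and the helpdesk role that only resets passwords must not get them.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed toy model of the delegation tiers discussed in the thread:
# a permission is "who can do what to whom", a privilege bundles the
# permissions one task needs, and a role bundles privileges plus the users
# and groups granted them. All names below are hypothetical, not FreeIPA's.


@dataclass(frozen=True)
class Permission:
    right: str                              # add / delete / write
    target: str                             # object type the right applies to
    attrs: frozenset[str] = frozenset()     # restricted attributes; empty = whole entry


@dataclass
class Privilege:
    permissions: set[str] = field(default_factory=set)


@dataclass
class Role:
    privileges: set[str] = field(default_factory=set)
    members: set[str] = field(default_factory=set)   # user or group names


class Delegation:
    def __init__(self) -> None:
        self.permissions: dict[str, Permission] = {}
        self.privileges: dict[str, Privilege] = {}
        self.roles: dict[str, Role] = {}
        self.groups: dict[str, set[str]] = {}        # group name -> member users

    def add_permission(self, name, right, target, attrs=()):
        self.permissions[name] = Permission(right, target, frozenset(attrs))

    def add_privilege(self, name, *permission_names):
        # Refuse dangling references so a typo cannot silently grant nothing.
        unknown = set(permission_names) - set(self.permissions)
        if unknown:
            raise KeyError(f"unknown permissions: {sorted(unknown)}")
        self.privileges[name] = Privilege(set(permission_names))

    def add_role(self, name, privileges=(), members=()):
        unknown = set(privileges) - set(self.privileges)
        if unknown:
            raise KeyError(f"unknown privileges: {sorted(unknown)}")
        self.roles[name] = Role(set(privileges), set(members))

    def principals_of(self, user):
        # A user acts as themselves plus every group they belong to.
        return {user} | {g for g, users in self.groups.items() if user in users}

    def effective_permissions(self, user):
        principals = self.principals_of(user)
        names: set[str] = set()
        for role in self.roles.values():
            if principals & role.members:
                for priv in role.privileges:
                    names |= self.privileges[priv].permissions
        return {self.permissions[n] for n in names}

    def can(self, user, right, target, attr=None):
        # An attribute-scoped permission grants only the listed attributes;
        # an unscoped one grants the whole entry. Asking for the whole entry
        # (attr=None) against an attribute-scoped permission is denied.
        for p in self.effective_permissions(user):
            if p.right != right or p.target != target:
                continue
            if not p.attrs or attr in p.attrs:
                return True
        return False


def build_example():
    """Helpdesk role from Rob's mail plus the two-way split Jan proposes."""
    d = Delegation()
    d.add_permission("reset user password", "write", "user", {"userPassword"})
    d.add_permission("add user entry", "add", "user")
    d.add_permission("modify group membership", "write", "group", {"member"})
    infra = ("host", "hostgroup", "service", "dnsrecord")
    access = ("hbacrule", "sudorule", "group")
    for obj in infra + access:
        d.add_permission(f"add {obj}", "add", obj)
        d.add_permission(f"delete {obj}", "delete", obj)
    # Adding a user needs several permissions, so it is one privilege.
    d.add_privilege("password reset", "reset user password")
    d.add_privilege("user administration", "add user entry",
                    "modify group membership", "reset user password")
    d.add_privilege("host administration",
                    *[f"{r} {o}" for o in infra for r in ("add", "delete")])
    d.add_privilege("access administration",
                    *[f"{r} {o}" for o in access for r in ("add", "delete")])
    d.add_role("helpdesk", ["password reset"], ["alice"])
    d.add_role("host admins", ["host administration"], ["bob"])
    d.add_role("access admins", ["access administration"], ["carol"])
    d.groups["useradmins"] = {"dave"}                 # membership via a group
    d.add_role("user admins", ["user administration"], ["useradmins"])
    return d


if __name__ == "__main__":
    d = build_example()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(f"{p.right}:{p.target}" for p in d.effective_permissions(user)))
```

Each query walks user (and group) membership up to roles, then down through privileges to permissions, so a helpdesk member can write `userPassword` on a user but cannot touch the rest of the entry, and the host and access roles do not overlap.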