On 02/10/2011 01:11 PM, Jan Zeleny wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
One of the features of IPAv2 is it is much easier to delegate
permissions to perform tasks (add, delete, modify, etc).

This delegation is broken out into three pieces:

   * permissions
   * privileges
   * roles

A permission is a very low-level object that says who can do what to
whom. These permissions are grouped together into permissions so one can
perform a whole task. This is needed for something like adding a user
which requires a couple of different permissions such as actually writing
the user entry, adding the user to the default group and setting the
password.

A role is a collection of privileges and the users/groups that are
granted those privileges.

Right now we are defining a single role, helpdesk, and have assigned no
privileges to that yet. I was thinking about just assigning it the
ability to reset passwords.

But what other roles do we need? The mind boggles and rather than
dictating what the initial ones will be I'm looking for some
guidance/suggestions.

I think a role called something like "IT" might be good. Their privileges
would cover mainly access to different parts of the network. They should have
privileges to manage:
- hosts
- hostgroups
- hbac rules
- sudo rules?
- dns
- groups (for example to create new group of users which will have access to a
particular machine)
- services

Now looking at the list, this group can be split into two - one managing the
hosts/services and one granting users access.

Jan

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Desktop support: needs to be able to add a new host to the server. Probably means they need delete host as well. Can't mess with the user info. Right now, they would also need to be able to create the A record, too.
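The three-tier model described in the thread (permissions grouped into privileges, privileges bundled into roles, roles granted to users or groups), resolved for a user, as an added Python example that is not part of this thread. The helpdesk role, Jan's split of the IT role and the desktop-support role above are used as constructed sample data; the permission, privilege, user and group names are assumptions, not the names FreeIPA ships.

```python
# Constructed sample data for the three-tier delegation model from the thread.
# Names are illustrative only, not FreeIPA's real permission/privilege names.
PRIVILEGES = {
    # a privilege groups the low-level permissions one task needs
    "Host Administrators": {"add hosts", "remove hosts", "add dns records"},
    "HBAC Administrators": {"add hbac rules", "modify hbac rules"},
    "Group Administrators": {"add groups", "modify group membership"},
    "Password Reset": {"reset user passwords"},
}
ROLES = {
    # a role bundles privileges; the IT role is split as Jan suggests
    "helpdesk": {"Password Reset"},
    "desktop support": {"Host Administrators"},
    "access administrators": {"HBAC Administrators", "Group Administrators"},
}
ROLE_MEMBERS = {
    # roles are granted to users directly or to groups
    "helpdesk": {"user:alice"},
    "desktop support": {"group:desktop-team"},
    "access administrators": {"group:it-access"},
}
GROUP_MEMBERS = {
    "desktop-team": {"bob"},
    "it-access": {"carol", "bob"},
}


def effective_permissions(user):
    """Resolve every permission a user holds through direct or group role membership."""
    principals = {f"user:{user}"}
    principals |= {f"group:{g}" for g, members in GROUP_MEMBERS.items() if user in members}
    perms = set()
    for role, members in ROLE_MEMBERS.items():
        if members & principals:
            for privilege in ROLES[role]:
                perms |= PRIVILEGES[privilege]
    return perms


def is_allowed(user, permission):
    """Access check: does the user's role set grant this permission?"""
    return permission in effective_permissions(user)


def roles_granting(permission):
    """Audit helper: which roles end up granting a given permission (least-privilege review)."""
    return sorted(role for role, privs in ROLES.items()
                  if any(permission in PRIVILEGES[p] for p in privs))
```

Running `roles_granting("reset user passwords")` against a real deployment's role set is the kind of check that shows whether a role such as desktop support has quietly picked up access to user data it was never meant to touch.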
