On 04/15/2013 11:11 AM, Chandan Kumar wrote:
> I think controlling Visibility of tabs would be the best option, if
> possible, based on Roles as mentioned by Rob. As long as other entries
> are not visible in UI, even though they have read only access with
> command line, should be enough.

It would not be a security feature though. Just a convenience because
the same admin would be able to bind directly to ldap and run a search.
This is why we did not go this route. Yes we can hide panels but it
would not mean that the user can't easily get that info. So is there
really a value in hiding? So far we did not see any this is why we did
not do it, but may be you have some arguments that might convince us
that we are wrong. Can you please share these arguments with us? 

> On Monday, April 15, 2013, Alexander Bokovoy wrote:
>     On Mon, 15 Apr 2013, Petr Spacek wrote:
>         On 15.4.2013 15:39, Rob Crittenden wrote:
>             There is no easy way to do this. We start with granting
>             all authenticated
>             users read access to the tree with the exception of
>             certain attributes (like
>             passwords).
>             You'd have to start by removing that, then one by one
>             granting read access to
>             the various containers based on, well, something.
>         Would it be possible to create a new role to allow current
>         'read-all access' and add this role to all users by default?
>         It could be much simpler to change the behaviour with this
>         role, or not? :-)
>     It would affect service accounts (include host/fqdn@REALM) since roles
>     cannot be applied to them, if I remember correctly. We would need to
>     make an exclusive ACI that allows all services to gain read only
>     access...
>     -- 
>     / Alexander Bokovoy
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users@redhat.com
>     https://www.redhat.com/mailman/listinfo/freeipa-users
> -- 
> --
> http://about.me/chandank
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to