Josh, I like your idea. It's always good to be able to give out only as much privilege as necessary.
Mike

Mike Waldron
Systems Specialist
ITS Research Computing
University of North Carolina at Chapel Hill
CB 3420, ITS Manning, Rm 2509
919-962-9778

-----Original Message-----
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Wednesday, November 03, 2010 1:59 PM
To: vcl-dev@incubator.apache.org
Subject: add manageMapping resource attribute to control resource mapping

I'd like to add a new resource attribute for the resource group section of the privileges that would be used to control access to mapping resources.

As things are now (using images/computers as an example), a user must have these rights at a node with corresponding resource groups attributes to control image group to computer group mapping:

user: imageAdmin
resource: image group: manageGroup

user: computerAdmin
resource: computer group: manageGroup

However, this also grants the user access to control which images are in the image group and to control which computers are in the computer group.

I'd like to add a new resource attribute that is called manageMapping that would allow access to resource mapping to be controlled separately from resource grouping.

The benefit of this is that fewer computer groups can be used. Currently, if you want someone to be able to create their own image groups and map them to computer groups, then you have to create duplicate computer groups if you want to make sure they don't have access to remove computers from existing computer groups (which could end up making a computer unavailable because it might not be in any computer groups).

Using this new attribute would make the above look like this:

user: imageAdmin
resource: image group: manageMapping

user: computerAdmin
resource: computer group: manageMapping

and would not result in the user being able to control which images were in the image group and which computers were in the computer group.

I'd like to hear feedback from the community on this to see what others think.

Thanks,
Josh
--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu
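
The difference between the two attributes described in the proposal above, as an added example that is not part of the original messages and is not VCL code. It is a simplified Python model: `Node`, `has`, `can_map`, `remove_computer`, `orphaned`, `scenario` and the user, group and computer names are hypothetical, and it assumes that under the proposal mapping is checked against manageMapping only.

```python
from dataclasses import dataclass, field

# User privilege required for each resource type, as listed in the proposal.
ADMIN_PRIV = {"image": "imageAdmin", "computer": "computerAdmin"}

@dataclass
class Node:
    user_privs: dict = field(default_factory=dict)   # user -> set of user privileges
    group_attrs: dict = field(default_factory=dict)  # (type, group) -> set of attributes

def has(node, user, rtype, group, attr):
    """True if the user holds the admin privilege and the group carries attr at this node."""
    return (ADMIN_PRIV[rtype] in node.user_privs.get(user, set())
            and attr in node.group_attrs.get((rtype, group), set()))

def can_map(node, user, image_group, computer_group, proposed):
    # Current model: mapping rides on manageGroup.
    # Proposed model (assumption): mapping is checked against manageMapping only.
    attr = "manageMapping" if proposed else "manageGroup"
    return (has(node, user, "image", image_group, attr)
            and has(node, user, "computer", computer_group, attr))

def remove_computer(node, user, members, group, computer):
    # Changing group membership needs manageGroup in both models.
    if not has(node, user, "computer", group, "manageGroup"):
        raise PermissionError(f"{user} may not edit computer group {group}")
    members[group].discard(computer)

def orphaned(computers, members):
    """Computers that belong to no computer group at all."""
    return computers - set().union(*members.values())

def scenario(proposed):
    # Constructed sample data: one user, one image group, one computer group.
    attr = "manageMapping" if proposed else "manageGroup"
    node = Node({"alice": {"imageAdmin", "computerAdmin"}},
                {("image", "alice-images"): {attr}, ("computer", "lab"): {attr}})
    computers = {"pc1", "pc2"}
    members = {"lab": set(computers)}
    mapped = can_map(node, "alice", "alice-images", "lab", proposed)
    try:
        remove_computer(node, "alice", members, "lab", "pc1")
        removed = True
    except PermissionError:
        removed = False
    return mapped, removed, orphaned(computers, members)

if __name__ == "__main__":
    print("current :", scenario(False))
    print("proposed:", scenario(True))
```

In both runs the user can create the mapping; only in the current model can the same grant also be used to pull a computer out of its only group.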