Bill La Forge wrote:
I like to think of delegation as being a bit different than granting
permission--in fact, as a special permission that may include counts.
For example, you might delegate to a manager the ability to grant select
permissions. You may want to limit the number of users the manager may
grant these permissions to and perhaps allow that manager to further
delegate one more degree removed to project managers. Delegation then
has two counts associated with it--the total number of users to which a
permission may be granted and the depth of delegation permitted (often
0). Very handy when working across trust domains, as may be the case
when a resource is for open source or involves multiple departments.
We have this concept in Solaris RBAC.
For example the authorisation for SMF solaris.smf.value.cde.login allows
you to change properties of the SMF service that starts dtlogin. It
does not allow you to give that authorisation to anyone else. The RBAC
authorisations are hierarchical so solaris.smf.value.cde would also
allow you to do that but still not to give it to others.
To give out to others you need the special "grant" authorisation, which
in this example would be one of the following:
solaris.grant # Grant all Solaris auths
solaris.smf.grant # Grant all SMF auths
solaris.smf.value.grant # Grant all SMF value auths
solaris.smf.value.cde.grant # Grant all CDE service SMF
solaris.smf.value.cde.login.grant # Grant just CDE login auth
I think it would be nice if we could have this same concept in ZFS.
It doesn't have to be the same syntax but the concept. Which is what I
think Bill is saying, separation of use from the ability to delegate to
others.
--
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
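An added illustration, not from this thread and not Solaris's own code, of the two ideas discussed above: Darren's split between holding an authorisation and holding a covering `.grant` authorisation (with hierarchical prefix matching), and Bill's counted delegation with a total-users count and a depth count. The `Principal`/`Delegation` names and the rule that re-delegations share one user budget are assumptions of this example.

```python
from dataclasses import dataclass, field

def auth_covers(held: str, wanted: str) -> bool:
    """Hierarchical match: 'solaris.smf.value' covers 'solaris.smf.value.cde.login'.
    A '.grant' auth never satisfies a use check, and a use auth never satisfies a grant check."""
    if held.endswith(".grant") != wanted.endswith(".grant"):
        return False
    return wanted == held or wanted.startswith(held + ".")

def can_use(held_auths, auth: str) -> bool:
    """Can a principal holding `held_auths` exercise `auth` itself?"""
    return any(auth_covers(h, auth) for h in held_auths)

def can_grant(held_auths, auth: str) -> bool:
    """Solaris-style: granting `auth` needs some 'P.grant' where P is `auth` or an ancestor of it.
    Holding `auth` itself is deliberately not enough."""
    for h in held_auths:
        if h.endswith(".grant"):
            base = h[: -len(".grant")]
            if auth == base or auth.startswith(base + "."):
                return True
    return False

@dataclass
class Delegation:
    """Bill-style delegation: what may be handed out, how many more levels may
    re-delegate (often 0), and a budget of users shared by the whole chain."""
    auth: str
    depth: int
    budget: dict = field(default_factory=lambda: {"users_left": 0})  # assumption: shared counter

class Principal:
    def __init__(self, name: str):
        self.name, self.auths, self.delegations = name, set(), []

def delegate(grantor: Principal, grantee: Principal, auth: str) -> bool:
    """Hand `auth` to grantee. Succeeds via a covering .grant auth, or via an
    unexhausted counted delegation; returns False otherwise."""
    if can_grant(grantor.auths, auth):
        grantee.auths.add(auth)
        return True
    for d in grantor.delegations:
        if auth_covers(d.auth, auth) and d.budget["users_left"] > 0:
            d.budget["users_left"] -= 1          # consumes one slot of the total-users count
            grantee.auths.add(auth)
            if d.depth > 0:                      # one more degree removed, sharing the same budget
                grantee.delegations.append(Delegation(auth, d.depth - 1, d.budget))
            return True
    return False
```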