[Freeipa-devel] [PATCH] a step closer to the final directory layout

Andrew C. Dingman adingman at redhat.com
Thu Aug 30 14:35:30 UTC 2007


On Thu, 2007-08-30 at 09:50 -0400, Simo Sorce wrote:
> This will require a lot of testing, whitelisting is much more difficult
> than just blacklisting, and will require admins to put their hands in
> the ACI as soon as they want to extend the schema, so I am unsure if
> this in practice would be wise, while I agree it would be better
> security-wise.
> 

As an admin (now an instructor), I'm pretty sure that anyone who is
extending schema darn well ought to be capable of editing ACIs to match.
Being able to set permissions for data access is a core administrator
skill, IMO, essentially regardless of what you are administering. I
consider schema extension/modification to be a more advanced skill, and
it's one that we encourage students in 423 to use sparingly if at all.
