
Re: [Freeipa-devel] Creating Delegations in IPA




Pete Rowley wrote:
> David O'Brien wrote:
>> This was a bit confusing, but I think I know what is happening...
>>
>> When you add a delegation in IPA, it first asks for a Name. My first
>> reaction was "who is the delegate?" but discovered that it means "What
>> are you going to call this delegation?"
>>
>>  + Suggestion:  Delegation Name:
>>
>> Then, "People in Group"
>> These are the people you're going to delegate certain tasks or abilities
>> to. You don't delegate to a person, only a group. If you want to
>> delegate to only one person, you have to create a group for that person.
>>
>>  + Does it have to work this way? Could it not be "User or Group"?
>>   
> Any time you want to delegate some responsibility to a single user or
> over a single user you should be asking yourself what the relationship
> really is at the abstract level e.g. is this a local admin having the
> ability to modify local people, an office manager allowed to change office
> fax numbers? People change, they leave, they change roles, but the role
> and its abilities stay more or less the same, and should be the same
> for one person in that role, or the 3 people you need in that role next
> month.
> 
> It is harder to maintain a directory access control system that has not
> had this level of thinking and just as hard when the thinking is done
> but not expressed in an easily digested (or portable) format. For
> example, the admin that inherits the system might not know why joe
> should be able to modify all of bill's attributes, whereas IPA
> Engineering Manager being able to modify attributes of IPA Engineer
> gives some clues about why the aci is there and that it is justified. In
> addition, when joe gets promoted and is replaced by bob, there is no
> need to change anything about access control since when the group
> shuffle happens the right privileges shuffle with them.
> 
> So in effect we are strongly discouraging the one off aci in order to
> save people from themselves.

Yes, this makes sense. When I write about this I'll be sure to include
some examples that explain this. Thanks.

>> "For People in Group"
>> I didn't realize straight off, but you can specify that the delegation
>> only apply to specific groups. If you want to add a delegation that
>> applies across everyone, you would have to create a group that contained
>> everyone, right?
>>   
> We should probably allow certain default cases like "everyone" - we
> shouldn't need a group.
>> There's probably a good reason that it works the way it does, but that
>> was my initial reaction when I used it.
>>
>> Comments/elaborations?
>>
>> cheers
>>  
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel redhat com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 

-- 

David O'Brien <mailto:daobrien redhat com>
RHCT
PGP-KeyID: 0x443CBA7B


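As an added illustration (not part of the original thread or of FreeIPA's code), a small Python model of the delegation structure discussed above: a named delegation lets members of one group write certain attributes of members of another group (or of everyone, the default case Pete suggests), and replacing joe with bob is a group-membership change, not an access-control change. The group names, uids and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of an IPA-style delegation: "People in Group" receive
# the ability, "For People in Group" are the entries they may modify.
EVERYONE = "*"  # default case from the thread: no group needed for "everyone"


@dataclass
class Delegation:
    name: str                 # "Delegation Name" shown in the UI
    people_in_group: str      # group that receives the ability
    for_people_in_group: str  # group whose entries may be modified
    attributes: frozenset     # attributes the delegates may write


@dataclass
class Directory:
    groups: dict = field(default_factory=dict)      # group -> set of uids
    delegations: list = field(default_factory=list)

    def is_member(self, uid, group):
        return group == EVERYONE or uid in self.groups.get(group, set())

    def can_write(self, actor, target, attr):
        """True if some delegation lets `actor` write `attr` on `target`."""
        return any(
            attr in d.attributes
            and self.is_member(actor, d.people_in_group)
            and self.is_member(target, d.for_people_in_group)
            for d in self.delegations
        )


def build_directory():
    # Constructed sample data: a manager role over engineers, and an
    # office-manager role that may fix fax numbers on any entry.
    d = Directory()
    d.groups = {"ipa-eng-managers": {"joe"}, "ipa-engineers": {"bill", "alice"}}
    d.delegations = [
        Delegation("Manage engineer titles", "ipa-eng-managers",
                   "ipa-engineers", frozenset({"title", "manager"})),
        Delegation("Office fax numbers", "office-managers",
                   EVERYONE, frozenset({"facsimiletelephonenumber"})),
    ]
    return d


def replace_in_role(d, old_uid, new_uid, group):
    # A role change only moves group membership; no delegation is edited.
    d.groups[group].discard(old_uid)
    d.groups[group].add(new_uid)
```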

