[Freeipa-devel] [PATCH] self service aci
Pete Rowley
prowley at redhat.com
Tue Oct 30 17:48:56 UTC 2007
Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>>> Simo Sorce wrote:
>>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>>
>>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>>> || loginShell || homePhone || mobile || pager ||
>>>>> facsimileTelephoneNumber || telephoneNumber || street ||
>>>>> roomNumber ||
>>>>> l || st || postalCode || manager || description || carLicense ||
>>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>>
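Review bot: the targetattr list of this self-service ACI grants self write on attributes the thread itself flags as sensitive, namely the identity fields givenName, sn and cn (which the replies argue belong to HR), manager (which later ACIs may key on, so a user able to rewrite it can change how those rules apply to them) and loginShell (flagged as a possible problem pending research). Consider shipping a conservative default that covers only the contact and account attributes (homePhone, mobile, pager, facsimileTelephoneNumber, telephoneNumber, street, roomNumber, l, st, postalCode, description, carLicense, labeledURI, inetUserHTTPURL, seeAlso, userPassword) and documenting that deployments may widen it, rather than the reverse; a short comment above the aci: line stating the intended trust model would also help reviewers of later changes.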
>>>> Allow users by default to change name (givenName, cn, sn), manager and
>>>> loginShell by themselves?
>>>>
>>>>
>>> loginShell might be a problem, what issue do you have with the others?
>>
>> Well I am not sure it makes sense to change your own name, why should
>> you?
>> Same for the manager, we might think of ACIs where manager=<something>
>> may matter
>>
>
> I agree about the name field, it shouldn't be user-modifiable (that is
> what HR is for). I think we should limit changes to phone number,
> address, license, shell, password, etc.
>
The basic philosophy here is "if it isn't an out-and-out security risk,
allow it." Inherent in self service is some level of /trust/, or why
would we allow any attribute to be changed? If I can trust my employee
to change their phone number to something that will allow me to call
them, I think I can trust them not to arbitrarily rename themselves
Winston Churchill or some such. Still, there may be those that would,
and what do you suspect would happen in such cases? I suspect not good
things for the WC wannabe.

This default policy can be changed by the deployment if they disagree,
and some will.

I still need to go research login shell to see whether it matters.
--
Pete
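The thread is about which attributes a default self-service ACI should let a user write. The following is an added example, not code from the thread or from the FreeIPA project: a small audit helper that parses the posted ACI (the ACI text is the one quoted above, joined onto one line), flags the self-writable attributes the replies call out as sensitive, and produces a narrowed ACI with those attributes removed. The REVIEW_ATTRS set encodes the thread's objections (name fields, manager, loginShell) and is an assumption of this example, not a FreeIPA default.

```python
import re

# The self-service ACI as posted to the thread, joined onto one line.
SELF_SERVICE_ACI = (
    '(targetattr = "givenName || sn || cn || displayName || initials || loginShell '
    '|| homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber '
    '|| street || roomNumber || l || st || postalCode || manager || description '
    '|| carLicense || labeledURI || inetUserHTTPURL || seeAlso || userPassword")'
    '(version 3.0;acl "Self service";allow (write) userdn="ldap:///self";)'
)

# Attributes the replies argue should not be self-writable by default:
# givenName/sn/cn (identity fields owned by HR), manager (other ACIs may
# key on it) and loginShell (flagged as a possible problem). This set is
# this example's assumption, not a project-defined list.
REVIEW_ATTRS = {"givenname", "sn", "cn", "manager", "loginshell"}

_TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')
_USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"')


def parse_aci(aci):
    """Split a 389-DS style ACI string into (target attrs, permissions, userdn).

    Only the three pieces this audit needs are extracted; anything else in
    the ACI is left untouched.
    """
    m = _TARGETATTR_RE.search(aci)
    attrs = [a.strip() for a in m.group(1).split("||")] if m else []
    m = _ALLOW_RE.search(aci)
    perms = [p.strip() for p in m.group(1).split(",")] if m else []
    m = _USERDN_RE.search(aci)
    userdn = m.group(1) if m else None
    return attrs, perms, userdn


def audit_self_service(aci, review=REVIEW_ATTRS):
    """Return the attributes this ACI lets a user write on their own entry
    that fall in the review set, in the order they appear in the ACI.

    ACIs that are not a self-write grant are out of scope and yield [].
    """
    attrs, perms, userdn = parse_aci(aci)
    if userdn != "ldap:///self" or "write" not in perms:
        return []
    return [a for a in attrs if a.lower() in review]


def narrowed_aci(aci, review=REVIEW_ATTRS):
    """Return the same ACI with the reviewed attributes dropped from targetattr,
    i.e. the conservative default the replies ask for."""
    attrs, _, _ = parse_aci(aci)
    kept = [a for a in attrs if a.lower() not in review]
    new_target = '(targetattr = "' + " || ".join(kept) + '")'
    # A function replacement avoids backslash processing in the new text.
    return _TARGETATTR_RE.sub(lambda _m: new_target, aci, count=1)


if __name__ == "__main__":
    flagged = audit_self_service(SELF_SERVICE_ACI)
    print("self-writable attributes needing review:", ", ".join(flagged))
    print("narrowed ACI:")
    print(narrowed_aci(SELF_SERVICE_ACI))
```

Running the script lists givenName, sn, cn, loginShell and manager as the attributes to revisit and prints an ACI whose targetattr clause contains only the remaining eighteen contact and account attributes; the same helpers can be pointed at any other `allow (write) userdn="ldap:///self"` rule pulled from a directory to review what a deployment actually lets users change about themselves.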