[Freeipa-devel] Access control

Pete Rowley prowley at redhat.com
Tue Sep 11 19:50:00 UTC 2007


Karl MacMillan wrote:
>
> I have some questions:
>
> How do we control which users / groups a user can modify or read? The
> FDS ACI allow all sorts of control over which entry a user can access
> (by DN, ldap search, etc.). I'd like to present enough power while
> keeping things simple.
The model is that the members of group X can do Y to the members of group Z. 
That is the simplification and the reason for the memberof plugin (there 
was no way to express "to the members of group Z" prior to that).

> How can we determine what access a user has without trying an action?
> This is needed for presenting editing forms that don't allow you to make
> modifications of entries you're not allowed to edit.
>
>   
I have a bug open for Get Effective Rights control to address 
deficiencies in that control when trying to find out what the user is 
allowed to do (can't get to bugzilla right now).



-- 
Pete
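
Added example, not part of the message above and not FreeIPA code: one way a form layer could use a Get Effective Rights answer to decide which fields to render as editable without attempting a write. The LDIF sample is constructed, the `entryLevelRights` / `attributeLevelRights` layout and rights letters are assumed to follow the 389 Directory Server documentation, and the function names are hypothetical.

```python
# Added example: GER output format assumed from 389 Directory Server docs.
WRITE_FLAGS = {"w", "o"}  # w = add values, o = delete values

# Constructed sample of one entry returned with the GER control attached.
SAMPLE = """\
dn: uid=jdoe,cn=users,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: cn:rscwo, mail:rscwo, uid:rsc, userPassword:none,
 telephoneNumber:rscw
"""

def _flags(value):
    """Turn a rights string such as 'rscwo' or 'none' into a set of letters."""
    value = value.strip()
    return set() if value == "none" else set(value)

def parse_ger_entry(ldif_text):
    """Return (entry_rights, {attr_lowercase: rights}) for one LDIF entry."""
    entry_rights, attr_rights = set(), {}
    unfolded = ldif_text.replace("\n ", "")  # LDIF line continuation
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "entrylevelrights":
            entry_rights = _flags(value)
        elif name == "attributelevelrights":
            for item in value.split(","):
                attr, sep2, rights = item.strip().partition(":")
                if sep2:
                    attr_rights[attr.lower()] = _flags(rights)
    return entry_rights, attr_rights

def editable_fields(attr_rights, form_fields):
    """Fields the form may render as editable.

    Conservative choice made for this example: require both 'w' and 'o',
    since replacing a value deletes the old one and adds the new one.
    Attributes missing from the GER answer are treated as read-only.
    """
    return [f for f in form_fields
            if WRITE_FLAGS <= attr_rights.get(f.lower(), set())]

if __name__ == "__main__":
    entry, attrs = parse_ger_entry(SAMPLE)
    fields = ["cn", "mail", "uid", "userPassword", "telephoneNumber", "title"]
    print("entry rights:", sorted(entry))
    print("editable:", editable_fields(attrs, fields))
```

The result only shapes the form; the directory server's ACIs remain the enforcement point for every modify request.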
