[Freeipa-devel] "Commit comments log" functionality in IPA

Nathan Kinder nkinder at redhat.com
Thu Nov 6 19:21:04 UTC 2008


Dmitri Pal wrote:
> Simo Sorce wrote:
>> On Thu, 2008-11-06 at 10:56 -0500, Dmitri Pal wrote:
>>  
>>> Simo Sorce wrote:
>>>     
>>
<snip>
>>>>> - Anyone with write access to the attribute will be able to change 
>>>>> the
>>>>> contents, making them generally completely useless as audit trails.
>>>>> Delegation of any minor task would require write access to 
>>>>> comments all
>>>>> over the place.
>>>>>             
>>>>         
>>> No. The whole idea is to make it non-editable at all. Only add.
>>>     
>>
>> Exactly this is something that does not exist in the LDAP model, nor in
>> the ACI model we have.
>>   
> I am pretty sure the plugin can take care of that.  If not  I would 
> agree that this is not a good idea.
> Nathan? Rich?
The plug-in could easily take care of this by intercepting operations on 
the comment attribute at the pre-op stage.  That said, I believe that 
this can be accomplished by using the "targattrfilters" keyword in an 
ACI.  You can allow one to add values for a targeted attribute, but not 
delete any values.  Doing a replace operation requires both "add" and 
"del" privileges, so simply giving someone "add" privileges only for 
the comment attribute would achieve the desired result.
>
>>  
>>> Only later we might start diving into ACIs and deal with the 
>>> complexity of editing the data by admins that have different levels 
>>> of privileges.
>>>   
<snip>
>> Simo.
>>
>>   
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
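As an added illustration of the targattrfilters approach Nathan describes (this is example LDIF written for this page, not code from the thread or from FreeIPA), the ACI below grants a delegated group the right to append values to a comment attribute without deleting or replacing them. The attribute name ipaComment, the suffix dc=example,dc=com, the helpdesk group and the user entry are all placeholders chosen for the example.

```ldif
# Added example, not part of the original thread.  Assumed names:
# attribute "ipaComment", suffix dc=example,dc=com, group cn=helpdesk.
#
# 1. The ACI.  Only an "add=" filter is given, so the helpdesk group may
#    add ipaComment values matching (ipaComment=*), i.e. any value, but
#    receives no "del=" filter and therefore cannot remove existing ones.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targattrfilters="add=ipaComment:(ipaComment=*)")
 (version 3.0; acl "Append-only comment log";
 allow (write) groupdn="ldap:///cn=helpdesk,cn=groups,dc=example,dc=com";)

# 2. Permitted for a helpdesk member: appends one value, touches nothing else.
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: ipaComment
ipaComment: 2008-11-06 helpdesk: reset password at user's request

# 3. Rejected (insufficient access): deleting a value needs a "del=" filter,
#    which the ACI above does not grant.
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
delete: ipaComment
ipaComment: 2008-11-06 helpdesk: reset password at user's request

# 4. Rejected as well: a replace is treated as delete-all-then-add, so,
#    as the message notes, it needs both "add" and "del" privileges.
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: ipaComment
ipaComment: rewritten history
```

Two caveats when relying on this for an audit trail: allow ACIs are unioned, so any other ACI that grants write on ipaComment (for example a broad targetattr="*" grant to the same group) reopens deletion, and the comment log lives in the entry, so whoever holds the delete permission on the entry itself can still discard it along with the rest of the entry.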