[Freeipa-devel] Help define the roles IPA has by default

Gowrishankar Rajaiyan grajaiya at redhat.com
Thu Feb 10 17:41:26 UTC 2011


On 02/10/2011 09:42 PM, Rob Crittenden wrote:
> One of the features of IPAv2 is it is much easier to delegate
> permissions to perform tasks (add, delete, modify, etc).
>
> This delegation is broken out into three pieces:
>
> * permissions
> * privileges
> * roles
>
> A permission is a very low-level object that says who can do what to
> whom. These permissions are grouped together into permissions so one can
> perform a whole task. This is needed for something like adding a user,
> which requires a couple of different permissions such as actually writing
> the user entry, adding the user to the default group and setting the
> password.
>
> A role is a collection of privileges and the users/groups that are
> granted those privileges.
>
> Right now we are defining a single role, helpdesk, and have assigned no
> privileges to that yet. I was thinking about just assigning it the
> ability to reset passwords.
>
> But what other roles do we need? The mind boggles and rather than
> dictating what the initial ones will be I'm looking for some
> guidance/suggestions.

Thinking about helpdesk: whenever a user joins/leaves a company, the
helpdesk needs the privileges to add/delete their user accounts.

I would suggest all the privileges like:
- creating users
- resetting passwords
- deleting users
- disabling user accounts
- unlocking user accounts
- modifying user accounts

Groups are something that are more involved with their respective
departments and can be left out for the administrators to decide on, if
they would like to upgrade the helpdesk role or create new roles as per
their department listings.

> thanks
>
> rob


-- 
regards
/shanks
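Added illustration, not from Rob's or Shanks's mails and not FreeIPA's own code: a small Python model of the three tiers (permission, privilege, role) with hypothetical permission and privilege names. It shows why a task like adding a user has to be a privilege grouping several permissions, and that the helpdesk role as first proposed (password resets only) cannot add users until privileges such as the ones listed above are attached to it.

```python
"""Toy model of the IPAv2 delegation tiers: permission -> privilege -> role.
Constructed example; names are hypothetical, not FreeIPA's real defaults."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """Lowest tier: who can do what to whom (right, target type, attribute)."""
    right: str       # e.g. "add", "write", "delete"
    target: str      # object type the right applies to, e.g. "user", "group"
    attr: str = "*"  # attribute the right is limited to; "*" = whole entry


@dataclass
class Privilege:
    """A task-sized bundle of permissions."""
    name: str
    permissions: frozenset


@dataclass
class Role:
    """Privileges plus the users/groups that are granted them."""
    name: str
    privileges: list
    members: set


# Hypothetical permissions (constructed for this example).
ADD_USER_ENTRY = Permission("add", "user")
WRITE_DEFAULT_GROUP = Permission("write", "group", "member")
WRITE_PASSWORD = Permission("write", "user", "userpassword")
DELETE_USER_ENTRY = Permission("delete", "user")
WRITE_ACCOUNT_LOCK = Permission("write", "user", "nsaccountlock")

# "Adding a user" touches the entry, the default group and the password,
# so it needs three permissions and is modelled as one privilege.
ADD_USERS = Privilege("Add Users", frozenset({ADD_USER_ENTRY, WRITE_DEFAULT_GROUP, WRITE_PASSWORD}))
RESET_PASSWORDS = Privilege("Reset Passwords", frozenset({WRITE_PASSWORD}))
DELETE_USERS = Privilege("Delete Users", frozenset({DELETE_USER_ENTRY}))
LOCK_USERS = Privilege("Lock/Unlock Users", frozenset({WRITE_ACCOUNT_LOCK}))


def effective_permissions(user, roles):
    """Union of the permissions reachable through every role the user is in."""
    perms = set()
    for role in roles:
        if user in role.members:
            for priv in role.privileges:
                perms |= priv.permissions
    return perms


def can_perform(user, task, roles):
    """A task is allowed only when every permission its privilege needs is held."""
    return task.permissions <= effective_permissions(user, roles)


# Helpdesk as first proposed in the thread: password resets only.
HELPDESK_INITIAL = Role("helpdesk", [RESET_PASSWORDS], {"alice"})
# Helpdesk extended with the account-lifecycle privileges suggested above.
HELPDESK_EXTENDED = Role("helpdesk", [ADD_USERS, RESET_PASSWORDS, DELETE_USERS, LOCK_USERS], {"alice"})
```

Holding one of a privilege's permissions (here the password write that the initial helpdesk already has) is not enough to perform the whole task; the check only passes once the full privilege is granted through a role.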