[Freeipa-devel] Help define the roles IPA has by default

Jan Zeleny jzeleny at redhat.com
Thu Feb 10 18:11:18 UTC 2011


Rob Crittenden <rcritten at redhat.com> wrote:
> One of the features of IPAv2 is it is much easier to delegate
> permissions to perform tasks (add, delete, modify, etc).
> 
> This delegation is broken out into three pieces:
> 
>   * permissions
>   * privileges
>   * roles
> 
> A permission is a very low-level object that says who can do what to
> whom. These permissions are grouped together into permissions so one can
> perform a whole task. This is needed for something like adding a user
> which requires a couple of different permission such as actually writing
> the user entry, adding the user to the default group and setting the
> password.
> 
> A role is a collection of privileges and the users/groups that are
> granted those privileges.
> 
> Right now we are defining a single role, helpdesk, and have assigned no
> privileges to that yet. I was thinking about just assigning it the
> ability to reset passwords.
> 
> But what other roles do we need? The mind boggles and rather than
> dictating what the initial ones will be I'm looking for some
> guidance/suggestions.

I think a role called something like "IT" might be good. Their privileges 
would cover mainly access to different parts of the network. They should have 
privileges to manage:
- hosts
- hostgroups
- hbac rules
- sudo rules?
- dns
- groups (for example to create new group of users which will have access to a 
particular machine)
- services

Now looking at the list, this group can be split into two - one managing the 
hosts/services and one granting users access.

Jan
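As an added illustration of the permission -> privilege -> role -> member model discussed in this thread (this is example code, not FreeIPA's own implementation and not part of the original message): it resolves a user's effective permissions through group and role membership, and builds Jan's proposed split of the "IT" role into a host-management role and an access-granting role. All permission, privilege, role, group and user names are constructed.

```python
# Added example: a model of three-tier delegation (permissions -> privileges
# -> roles -> members). It is not FreeIPA code; names below are constructed.
from collections import defaultdict


class Delegation:
    def __init__(self):
        self.privileges = defaultdict(set)     # privilege -> permissions
        self.roles = defaultdict(set)          # role -> privileges
        self.role_members = defaultdict(set)   # role -> users and/or groups
        self.group_members = defaultdict(set)  # group -> users

    def add_privilege(self, name, permissions):
        self.privileges[name] |= set(permissions)

    def add_role(self, name, privileges, members):
        self.roles[name] |= set(privileges)
        self.role_members[name] |= set(members)

    def add_group(self, name, users):
        self.group_members[name] |= set(users)

    def groups_of(self, user):
        return {g for g, users in self.group_members.items() if user in users}

    def effective_permissions(self, user):
        # A user holds a role directly or via any group that is a role member.
        principals = {user} | self.groups_of(user)
        perms = set()
        for role, members in self.role_members.items():
            if principals & members:
                for priv in self.roles[role]:
                    perms |= self.privileges[priv]
        return perms

    def can(self, user, permission):
        return permission in self.effective_permissions(user)


def build_example():
    """Jan's 'IT' role split in two, plus the helpdesk role from the thread."""
    d = Delegation()
    d.add_privilege("Host Administration",
                    {"add hosts", "remove hosts", "modify hostgroups",
                     "modify dns", "add services"})
    d.add_privilege("Access Control",
                    {"modify hbac rules", "modify sudo rules", "modify groups"})
    d.add_privilege("Password Reset", {"change user password"})
    d.add_group("sysadmins", {"alice"})
    d.add_group("netops", {"bob"})
    d.add_role("Host Admin", {"Host Administration"}, {"sysadmins"})
    d.add_role("Access Admin", {"Access Control"}, {"netops"})
    d.add_role("helpdesk", {"Password Reset"}, {"carol"})
    return d
```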