[Freeipa-devel] Notes and questions for fine-grained read permissions

Jan Cholasta jcholast at redhat.com
Fri Sep 6 06:27:40 UTC 2013


On 5.9.2013 19:48, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> # External users & system accounts
>>
>> I'm not sure how to handle external users here, since they're not added
>> to any group. Either we'll need a special ACI for them, or somehow make
>> it possible to add non-group sets of users to Roles.
>>
>> The same goes for system accounts, except those aren't even implemented
>> in IPA yet (https://fedorahosted.org/freeipa/ticket/2801).
>
> I think they would have to be part of a group. Otherwise 389-ds has
> nothing to evaluate against (and even with groups I'm not 100% sure
> it'll work).

Once external users are mapped to entries in the directory 
(https://fedorahosted.org/freeipa/ticket/3242), they can be handled more 
or less the same way as internal users.

Honza

-- 
Jan Cholasta



