[Freeipa-users] User Roles and access in GUI

Dmitri Pal dpal at redhat.com
Mon Apr 15 13:31:19 UTC 2013 

On 04/12/2013 08:17 PM, Chandan Kumar wrote:
>
> Thanks for the response.
>
> The way we can turn off the anonymous bind in 389 Server. using
>  "nsslapd-allow-anonymous-access: off".
>
> Is there any way to limit the read access of user to only to the DNS
> entries? In that way I can create a user who could/will be able to
> see/edit DNS entries only.

In general yes though it is not standard because as I mentioned earlier
the tree is assumed to be readable to an authenticated user.
When user logs in the framework the UI or CLI will log into LDAP as a
user and try to do operations. It will need to read user entry and
groups and other things so closing read access to everything other than
DNS would not work. You can close access to some of the objects but not
to all of them.
It still unclear what is the harm in ability to read other parts of the
tree but not modify them.

To change the permissions you would have to user LDAP level ACI commands
as we do not expose these capabilities via CLI or UI but be careful as I
mentioned above you might end up hiding something that would prevent
framework from functioning properly.

>
> Thanks,
> Chandan
>
> On Friday, April 12, 2013, Dmitri Pal wrote:
>
>     On 04/12/2013 02:23 AM, Martin Kosek wrote:
>     > On 04/12/2013 01:07 AM, Chandan Kumar wrote:
>     >> Hello,
>     >>
>     >> I have a question regarding Uer Roles and Access in GUI. What I
>     have found that
>     >> irrespective of Role assigned to a user, he gets read only
>     access across the
>     >> directory.
>     >>
>     >> For example, I created one user say "dnsadmin" with only Roles
>     related to DNS
>     >> such as DNS Servers, DNS Administrator. Now that user has read
>     only access to
>     >> entire directory. Is there any way of controlling it?
>     >>
>     >>
>     >> Thanks,
>     >> Chandan
>     >>
>     > Hello Chandan,
>     >
>     > If you create a new role, assign "DNS Administrators" privilege
>     to it, and
>     > assign that role to user dnsadmin, that user will have write
>     access to DNS tree
>     > and configuration.
>     >
>     > Beyond that tree, dnsadmin will have read-only access just like
>     all other
>     > non-admin users. If you want dnsadmin to have write access also
>     to other
>     > entries, you would need to assign more privileges/roles to it.
>     >
>     > HTH,
>     > Martin
>     >
>     > _______________________________________________
>     > Freeipa-users mailing list
>     > Freeipa-users at redhat.com <javascript:;>
>     > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>     If you are worried about the read access the LDAP data is
>     traditionally
>     readable by any authenticated user.
>     In the past is was even possible to read the tree as anonymous user
>     which is a bad security practice and not recommended.
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com <javascript:;>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> -- 
>
> --
> http://about.me/chandank
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130415/489318ca/attachment.htm>

More information about the Freeipa-users mailing list