[Freeipa-users] Granting rights temporarily

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 14 12:17:17 UTC 2013


On Thu, 14 Feb 2013, Dag Wieers wrote:
>Hi,
>
>Another interesting recommendation from security is that all granted 
>access (that is exceptional, rather than permanent) should be limited 
>in time from the onset.
>
>If this is not possible all granted access needs to be documented and 
>revised regularly. However, a system that would automatically revoke 
>access after a certain period is preferred from a 
>security/administrative perspective. (Period to be defined when 
>granting access.)
>
>This would mean that e.g. sudo-rules, group memberships, etc. could 
>have due dates and that IPA ensures that these rights are revoked in 
>due time.
>
>So I was wondering whether this is something that was already 
>discussed as a feature for IPA?
Yes, something along these lines was discussed in the past.
We have three tickets so far in deferred state:
https://fedorahosted.org/freeipa/ticket/547
https://fedorahosted.org/freeipa/ticket/548
https://fedorahosted.org/freeipa/ticket/3127

A problem with time-based access management is to consider its locality.
Time-limited rules are all stored centrally but applied locally, and
timezones play an important role in messing things up.

We also wanted to develop a solution which would be scalable and easier to
integrate with visual tools to edit recurrent events, hence the ideas towards
use of the iCalendar (RFC 5545 and RFC 5546) format.

From the FreeIPA perspective, application of the rules would be done by SSSD and
its plugins to various applications (sudo, SELinux enforcement, etc.).
FreeIPA itself would provide storage and means to edit the rules, both
in the command line and in the web UI.

We haven't started working on the topic yet because there were (and
currently are) numerous other tasks with slightly higher priority. Any
contribution in the area is welcomed, even in the form of thinking out and
writing down a feature proposal, based on the template at
http://www.freeipa.org/page/Feature_template

-- 
/ Alexander Bokovoy
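The timezone pitfall Alexander describes, as an added example that is not part of this thread nor code from FreeIPA or SSSD: a constructed time-bounded sudo grant stored as an iCalendar VEVENT is evaluated once with a zone-aware comparison in UTC and once the naive way, reading the stamps as the evaluating host's local wall clock. The rule text, the rule name, the zone names and the fixed winter offsets are assumptions made for the demo.

```python
from datetime import datetime, timedelta, timezone

# Fixed winter (February 2013) offsets so the constructed sample runs offline;
# a real evaluator would resolve TZID through zoneinfo.
ZONES = {"Europe/Brussels": timezone(timedelta(hours=1)),
         "America/Los_Angeles": timezone(timedelta(hours=-8))}

# Constructed sample: one sudo grant stored centrally as an iCalendar
# (RFC 5545) VEVENT, the representation the thread proposes.
RULE = """BEGIN:VEVENT
SUMMARY:sudo allow_dbadmin_restart (hypothetical rule name)
DTSTART;TZID=Europe/Brussels:20130214T090000
DTEND;TZID=Europe/Brussels:20130214T180000
END:VEVENT"""

def parse_dt(line):
    """'NAME[;TZID=zone]:YYYYMMDDTHHMMSS[Z]' -> timezone-aware datetime."""
    props, value = line.split(":", 1)
    params = dict(p.split("=", 1) for p in props.split(";")[1:])
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if "TZID" in params:
        return datetime.strptime(value, "%Y%m%dT%H%M%S").replace(tzinfo=ZONES[params["TZID"]])
    raise ValueError("floating (zone-less) time is ambiguous across hosts: " + line)

def parse_rule(text):
    """Keep the DTSTART/DTEND properties of one VEVENT as aware datetimes."""
    out = {}
    for line in text.splitlines():
        name = line.split(";", 1)[0].split(":", 1)[0]
        if name in ("DTSTART", "DTEND"):
            out[name] = parse_dt(line)
    return out

def is_active(rule, now):
    """Aware comparison in UTC: the same verdict on every host, whatever its zone."""
    return rule["DTSTART"] <= now.astimezone(timezone.utc) < rule["DTEND"]

def naive_is_active(text, host_zone, now):
    """The pitfall: drop the zone and read the stamps as the host's own wall clock."""
    local_now = now.astimezone(ZONES[host_zone]).replace(tzinfo=None)
    stamps = {k: v.replace(tzinfo=None) for k, v in parse_rule(text).items()}
    return stamps["DTSTART"] <= local_now < stamps["DTEND"]

# 19:00 in Brussels: one hour after the grant expired.
EXPIRED_PLUS_1H = datetime(2013, 2, 14, 19, 0, tzinfo=ZONES["Europe/Brussels"])
if __name__ == "__main__":
    print("aware   :", is_active(parse_rule(RULE), EXPIRED_PLUS_1H))                   # False
    print("naive LA:", naive_is_active(RULE, "America/Los_Angeles", EXPIRED_PLUS_1H))  # True, 9 h of extra access
```

The naive host in Los Angeles still sees 10:00 on its own clock and keeps the grant open for nine hours past the intended expiry, which is why a central rule must carry its zone (or be stored in UTC) and be compared as an aware instant.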