[Freeipa-users] Granting rights temporarily

Dag Wieers dag at wieers.com
Thu Feb 14 15:57:46 UTC 2013


On Thu, 14 Feb 2013, Alexander Bokovoy wrote:

> On Thu, 14 Feb 2013, Dag Wieers wrote:
> 
>> So I was wondering whether this is something that was already discussed as 
>> a feature for IPA ?

> Yes, something along these lines was discussed in the past.
> We have three tickets so far in deferred state:
> https://fedorahosted.org/freeipa/ticket/547
> https://fedorahosted.org/freeipa/ticket/548
> https://fedorahosted.org/freeipa/ticket/3127
>
> A problem with time-based access management is to consider its locality.
> Time-limited rules are all stored centrally but applied locally, and
> timezones play an important role in messing things up.
>
> We also wanted to develop a solution which would be scalable and easier to
> integrate with visual tools to edit recurrent events, thus ideas towards
> use of the iCalendar (RFC5545 and RFC5546) format.
>
> From the FreeIPA perspective, application of rules would be done by SSSD and
> its plugins to various applications (sudo, SELinux enforcement, etc).
> FreeIPA itself would provide storage and means to edit the rules, both
> in command line and web UI.

Thanks for the feedback. Obviously I didn't consider all the use-cases 
yet, but what you describe would fulfill the security recommendation.

I'd like to start a feature proposal, however I am not sure if I am best 
placed to do it given there have obviously been discussions about it 
already (and our use-case is rather limited).

Let me know if you see any value.
-- 
-- dag wieers, dag at wieers.com, http://dag.wieers.com/
-- dagit linux solutions, info at dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]