One of the features of IPAv2 is that it is much easier to delegate permissions to perform tasks (add, delete, modify, etc).

This delegation is broken out into three pieces:

 * permissions
 * privileges
 * roles

A permission is a very low-level object that says who can do what to whom. These permissions are grouped together into privileges so one can perform a whole task. This is needed for something like adding a user, which requires a couple of different permissions such as actually writing the user entry, adding the user to the default group and setting the password.

A role is a collection of privileges and the users/groups that are granted those privileges.

Right now we are defining a single role, helpdesk, and have assigned no privileges to that yet. I was thinking about just assigning it the ability to reset passwords.

But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions.
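As an added illustration of the permission/privilege/role model described above (not FreeIPA's own code), the following toy resolver shows how a user's effective permissions are built up through roles and privileges, and why the helpdesk role limited to password resets cannot add users. All permission, privilege, role and user names are constructed for the example.

```python
"""Toy model of the IPAv2 three-tier delegation scheme: permissions are
grouped into privileges, privileges into roles, and roles are granted to
users/groups. Constructed example; the names below are made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """'Who can do what to whom': one right on one kind of target."""
    right: str   # e.g. "add", "write"
    target: str  # e.g. "user entry"


# A privilege bundles every permission needed to perform one whole task.
PRIVILEGES = {
    "Add Users": {
        Permission("add", "user entry"),
        Permission("write", "default group membership"),
        Permission("write", "userPassword"),
    },
    "Reset Passwords": {Permission("write", "userPassword")},
}


@dataclass
class Role:
    """A set of privileges plus the users/groups granted them."""
    privileges: set
    members: set = field(default_factory=set)


ROLES = {
    "helpdesk": Role({"Reset Passwords"}, {"alice"}),   # reset-only, as proposed
    "user admin": Role({"Add Users"}, {"bob"}),
}


def effective_permissions(user):
    """Union of permissions reachable via every role the user is a member of."""
    perms = set()
    for role in ROLES.values():
        if user in role.members:
            for priv in role.privileges:
                perms |= PRIVILEGES[priv]
    return perms


def missing_permissions(user, task):
    """Permissions the task needs that the user does not hold (empty = allowed)."""
    return PRIVILEGES[task] - effective_permissions(user)


def can_perform(user, task):
    """Least privilege: allowed only if every permission of the task is held."""
    return not missing_permissions(user, task)
```

Note that because "Add Users" already contains the userPassword write permission, a member of the user admin role can also reset passwords without being in helpdesk; that kind of overlap is worth checking when the initial role set is defined.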