On 02/11/2011 10:12 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 02/10/2011 07:25 PM, David O'Brien wrote:
>>> Dmitri Pal wrote:
>>>> On 02/10/2011 03:05 PM, Jakub Hrozek wrote:
>>>>> On 02/10/2011 05:12 PM, Rob Crittenden wrote:
>>>>>> But what other roles do we need? The mind boggles and rather than
>>>>>> dictating what the initial ones will be I'm looking for some
>>>>>> guidance/suggestions.
>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> rob
>>>>> I'm actually wondering if we need to define many default roles in the
>>>>> upstream project. I'm thinking that every organization will have
>>>>> different needs and different ways of role delegation anyway, so I
>>>>> would rather make sure this feature is well documented with examples
>>>>> and use cases.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>> I think that a reasonable set of 3-5 roles and documentation on how to
>>>> change them should be sufficient.
>>>>
>>> I agree. On top of what Dmitri has already sent out, this thread is a
>>> really good continuation of documenting delegation, permissions,
>>> roles, etc., especially because this area is so different from v1. If
>>> we look at it from two perspectives, one being "What does IPA need to
>>> function?", and the other being "What do customers need?", then we can
>>> probably come up with a short list and provide some basic use cases,
>>> descriptions, and examples.
>>>
>>> Dmitri's list of 5 is good, although I would suggest settling on a
>>> naming format, by which I mean rather than a combination of
>>> person-based and role-based names, use a consistent format. Security
>>> Architect & IPA Administrator are people (faiap), while Helpdesk is a
>>> department. Anyway, you get the idea.
>>>
>>> We've already started with Name, Description, Goals; with a few use
>>> cases I can put together short sections with links to existing docs on
>>> how to use the relevant commands, or write them as needed.
>>>
>>> cheers
>> Sounds like a good idea.
>>
>
> Well, some of these roles don't really match what we are shipping in
> v2. There is no place for Application Administrator at all and End
> User is implicit. So that leaves 3 roles. If we go with these we'll
> need to add some additional permissions/privileges to support it.
>
> If we go with this, here is what we're looking at. Also note that the
> role "IPA Administrator" is distinct from the group cn=admins which
> gives pretty much global access. Those that need additional
> permissions/privileges are marked with the ticket number.
>
> * Security Architect
>   * IPA config (950)
>   * Replication
>   * Define delegation of roles to other, lower-level administrators
>
> * IPA Administrator
>   * Define and create groups (and delete?)
>   * Define the relationships between groups (what does this mean?)
>   * Define and create roles for users and groups (what does this mean?)
>   * Create nested groups (I don't know if we can have an aci for this)
>
> * Help Desk
>   * Review what groups are enabled on what hosts (what does this mean,
>     all groups are enabled on all hosts, right?)
This means he can read HBAC rules.

>   * Set up/manage a user's attributes
>   * Place a user in a specific group
>   * Reset a user password
>
> This is a good start but it completely leaves out the following:
>
> * Users (helpdesk can modify & reset password, nobody can add/delete)
> * Host management
> * Service management
> * Hostgroups
> * SUDO
> * HBAC
> * netgroups
> * DNS
> * Automount
>
> rob
>

How about this layout:

Helpdesk Engineer
* Edit users
* Reset passwords
* Add/remove group membership
* Troubleshoot the HBAC (in future, but not modify the HBAC rules themselves)

User Administrator - the person who is responsible for creating users and groups. This is instead of the IPA Administrator above.
* Users - full control
* Groups - full control

IT Specialist
* Hosts - full control
* Hostgroups - full control
* Services - full control
* DNS - full control
* Automount

IT Security Specialist - includes all of the above +
* Netgroups
* SUDO
* HBAC

Security Architect
* IPA config
* Password policies
* Kerberos config
* Replication
* Define delegation of roles to other, lower-level administrators

Did I miss anything?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
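As an added example (not part of this thread or of FreeIPA's own tooling), the two layouts above transcribed into a small coverage audit: it mechanically finds the object types Rob lists as having no full-control role in the first proposal, confirms the second proposal closes them, and checks the "includes all of the above" relationship. The operation labels ("full", "modify", "membership", "read", "reset-password") are this example's own, not FreeIPA privilege names.

```python
"""RBAC coverage audit over the two role layouts discussed in the thread.

Each role maps to a set of (object, operation) grants transcribed from the
mail; the operation labels are this example's own, not FreeIPA privileges.
"""
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]
Layout = Dict[str, Set[Grant]]

# Rob's reading of the original 3-role proposal.
ROB_LAYOUT: Layout = {
    "Security Architect": {("ipa config", "full"), ("replication", "full"),
                           ("delegation", "full")},
    "IPA Administrator": {("groups", "full"), ("roles", "full")},
    "Help Desk": {("hbac", "read"), ("users", "modify"),
                  ("users", "reset-password"), ("groups", "membership")},
}

# Dmitri's counter-proposal. "IT Security Specialist - includes all of the
# above" is modelled as a union with IT Specialist. Automount is listed
# without "full control" in the mail; full control is assumed here.
_IT_SPECIALIST = {(o, "full") for o in
                  ("hosts", "hostgroups", "services", "dns", "automount")}
DMITRI_LAYOUT: Layout = {
    "Helpdesk Engineer": {("users", "modify"), ("users", "reset-password"),
                          ("groups", "membership"), ("hbac", "read")},
    "User Administrator": {("users", "full"), ("groups", "full")},
    "IT Specialist": set(_IT_SPECIALIST),
    "IT Security Specialist": _IT_SPECIALIST | {
        (o, "full") for o in ("netgroups", "sudo", "hbac")},
    "Security Architect": {(o, "full") for o in (
        "ipa config", "password policies", "kerberos config",
        "replication", "delegation")},
}

# Object types Rob says the first layout "completely leaves out".
ROBS_GAPS = {"users", "hosts", "services", "hostgroups", "sudo", "hbac",
             "netgroups", "dns", "automount"}

def uncovered(layout: Layout, objects: Set[str], op: str = "full") -> List[str]:
    """Objects that no role in `layout` can perform `op` on (the gap list)."""
    covered = {obj for grants in layout.values() for obj, o in grants if o == op}
    return sorted(objects - covered)

def who_can(layout: Layout, obj: str, op: str) -> List[str]:
    """Roles holding a given grant; handy for spotting overly broad roles."""
    return sorted(r for r, grants in layout.items() if (obj, op) in grants)

def is_superset_role(layout: Layout, wide: str, narrow: str) -> bool:
    """True if every grant of `narrow` is also held by `wide`."""
    return layout[narrow] <= layout[wide]
```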