On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>
>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to
>>> simplify the auditing of users for their indirect membership to their
>>> authorization rights.
>>>
>>> An Administrator should have the ability to quickly identify the rights a
>>> user will have in the system.
>>>
>>> For example. With the patch added, my user show looks like this:
>>>
>>> # ipa user-show tester --all
>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>> User login: tester
>>> First name: Tester
>>> Last name: Engineering
>>> Full name: Tester Engineering
>>> Display name: Tester Engineering
>>> Initials: TE
>>> Home directory: /home/tester
>>> GECOS field: Tester Engineering
>>> Login shell: /bin/sh
>>> Kerberos principal: tes...@example.com
>>> UID: 1829800388
>>> GID: 1829800388
>>> Account disabled: False
>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>> krbpwdpolicyreference:
>>> cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>> memberofindirect_HBAC rule: development
>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY,
>>> AUTO-dev-deploy-tools_ZENOSS, build-integration
>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser,
>>> posixaccount
>>>
>>> <freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>_______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipafirstname.lastname@example.org
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> OOPS, forgot to have PATCH in the subject.
>>
>
> I think you need this as well, right?
>
> - 'memberof': ['group', 'netgroup', 'role'],
> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],

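
Review bot: the '+' line adds 'sudorule' and 'hbacrule' to the user's 'memberof' list, but the sample user-show output quoted earlier in the thread only shows these rules under memberofindirect_*, so nothing visible here confirms how a rule that a user holds both directly and through a group is reported. Suggest including sample output or a test for a user assigned to a rule directly and also via a group, to check the rule appears once and under the right label, since this output is meant for auditing authorization rights. The fragment also has no file name or @@ header, so it should be folded into the 0024 patch with its context before it is applied.
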
Yes, you are right, the users can individually be assigned to rules directly.