On 25.07.2011 19:57, Jenny Galipeau wrote:
>> 1. No option specified. Default case, run simulation against all
>> IPA rules.
>> 2. --rules specified. Run simulation against only those rules in
>> 3. --rules and --enabled specified. Run simulation against all enabled
>> IPA rules _and_ additionally enable those in --rules. This is a case
>> testing new HBAC rules before going to production.
> If you are not going to target specific rules, do you still have to supply
> the --rules option on the command line? I would think just --enabled or
By default, if you don't supply --rules, --enabled, or --disabled, you
are targeting all enabled IPA rules (case 1 above). This is the default
because this is what people would probably like to test: whether the user is
able to access the service.
So, the default one (no --rules, --enabled, or --disabled) would imply --enabled.
>> During test simulation of such access granting it is important to
>> understand which rule has caused a problem, be it excessive access
>> or premature deny. '--detail' is an option which allows one to see how
>> simulation went, which rules granted access and which denied.
> Got it, so maybe it was just the wording in the help output that confused
> me. "Details of the rule(s) being validated" ?
Maybe "Show which rules are passed, denied, and invalid"?
/ Alexander Bokovoy
Freeipa-devel mailing list