On 07/25/2011 01:01 PM, Alexander Bokovoy wrote:
> On 25.07.2011 19:57, Jenny Galipeau wrote:
>>> 1. No option specified. Default case, run simulation against all
>>> enabled IPA rules.
>>>
>>> 2. --rules specified. Run simulation against only those rules in
>>> --rules.
>>>
>>> 3. --rules and --enabled specified. Run simulation against all enabled
>>> IPA rules _and_ additionally enable those in --rules. This is a case
>>> of testing new HBAC rules before going to production.
>> If you are not going to target specific rules, do you still have to supply 
>> the --rules option on the command line?  I would think just --enabled or 
>> --disabled?

--rules is needed to specify additional rules.


> By default, if you don't supply --rules, --enabled, or --disabled, you
> are targeting all enabled IPA rules (case 1 above). This is the default
> because this is what people would probably like to test: whether a user is
> able to access the service.
>
> So, the default one (no --rules, --enabled, or --disabled) would imply --enabled.
>

OK, are we settled on:
--enabled (if all flags are omitted this is default)
--disabled
--rules=a,b,c

or on
--enabled=A, B, C (if all flags are omitted this is default)
--disabled=X, Y, Z

>>> During test simulation of such access granting it is important to
>>> understand which rule has caused a problem, be it excessive access
>>> grant or premature deny. '--detail' is an option which allows you to
>>> see how the simulation went, which rules granted access and which denied.
>> Got it, so maybe it was just the wording in the help output that confused
>> me.  "Details of the rule(s) being validated" ?
> Maybe "Show which rules are passed, denied, and invalid"?
>
>
Makes sense.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
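The three selection cases discussed in this thread, together with the proposed "passed, denied, and invalid" detail output, as an added sketch that is not part of the original message and is not FreeIPA code. The Rule class, the function names and the sample rules are hypothetical, and the sketch assumes that access is granted when at least one selected rule matches.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    # Simplified stand-in for an HBAC rule (assumption: plain sets of
    # users, hosts and services, no groups or categories).
    name: str
    enabled: bool
    users: frozenset
    hosts: frozenset
    services: frozenset

def select_rules(all_rules, rules=None, enabled=False):
    """Pick the rules to simulate, following cases 1-3 from the thread."""
    by_name = {r.name: r for r in all_rules}
    named, invalid = [], []
    for n in rules or []:
        (named if n in by_name else invalid).append(n)
    if not rules:        # case 1: default, all enabled rules
        chosen = [r.name for r in all_rules if r.enabled]
    elif not enabled:    # case 2: only the rules named in --rules
        chosen = named
    else:                # case 3: all enabled rules plus those in --rules
        chosen = [r.name for r in all_rules if r.enabled or r.name in named]
    return [by_name[n] for n in chosen], invalid

def simulate(all_rules, user, host, service, rules=None, enabled=False):
    """Return (access_granted, detail); detail lists passed/denied/invalid."""
    selected, invalid = select_rules(all_rules, rules, enabled)
    detail = {"passed": [], "denied": [], "invalid": invalid}
    for r in selected:
        ok = user in r.users and host in r.hosts and service in r.services
        detail["passed" if ok else "denied"].append(r.name)
    # Assumption: one matching rule among the selected ones grants access.
    return bool(detail["passed"]), detail

# Constructed sample rules; new_dev_rule is disabled, i.e. not yet in production.
RULES = [
    Rule("allow_admins", True, frozenset({"alice"}), frozenset({"web1"}), frozenset({"sshd"})),
    Rule("allow_ops", True, frozenset({"bob"}), frozenset({"web1"}), frozenset({"sshd"})),
    Rule("new_dev_rule", False, frozenset({"carol"}), frozenset({"web1"}), frozenset({"sshd"})),
]
```

In case 3 the detail output is what shows whether a grant comes from the rule under test or from a rule already in production.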
