On 07/25/2011 01:01 PM, Alexander Bokovoy wrote:
> On 25.07.2011 19:57, Jenny Galipeau wrote:
>>> 1. No option specified. Default case, run simulation against all
>>> IPA rules.
>>> 2. --rules specified. Run simulation against only those rules in
>>> 3. --rules and --enabled specified. Run simulation against all enabled
>>> IPA rules _and_ additionally enable those in --rules. This is a case
>>> testing new HBAC rules before going to production.
>> If you are not going to target specific rules, do you still have to supply
>> the --rules option on the command line? I would think just --enabled or
>> --rules is needed to specify additional rules.
> By default, if you don't supply --rules, --enabled, or --disabled, you
> are targeting all enabled IPA rules (case 1 above). This is default
> because this is what people would probably like to test: whether user is
> able to access the service.
> So, default one (no --rules, --enabled, or --disabled) would imply --enabled.
OK, are we settled on:
--enabled (if all flags are omitted this is default)
--enabled=A, B, C (if all flags are omitted this is default)
--disabled=X, Y, Z
>>> During test simulation of such access granting it is important to
>>> understand which rule has caused a problem, be it excessive access
>>> or premature deny. '--detail' is an option which allows one to see how
>>> simulation went, which rules granted access and which denied.
>> Got it, so maybe it was just the wording in the help output that confused
>> me. "Details of the rule(s) being validated"?
> Maybe "Show which rules are passed, denied, and invalid"?
Sr. Engineering Manager IPA project,
Red Hat Inc.
Freeipa-devel mailing list
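The three selection cases numbered in the quoted text, together with the "passed, denied, and invalid" detail wording proposed in the thread, modelled as an added example that is not FreeIPA code or part of the original messages. Assumptions: the `Rule` model (allow rules matched on user, host and service), the function names, the sample rule names, and treating "denied" as "selected but did not match" and "invalid" as "named in --rules but not found"; the --disabled option is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:  # hypothetical, simplified HBAC allow rule
    name: str
    enabled: bool
    users: frozenset
    hosts: frozenset
    services: frozenset

    def matches(self, user, host, service):
        return user in self.users and host in self.hosts and service in self.services


def select_rules(catalog, rules=None, enabled=False):
    """Return (rules to test, invalid names) for the three cases in the thread."""
    named, invalid = [], []
    for name in rules or []:
        (named if name in catalog else invalid).append(name)
    if not rules or enabled:
        # Case 1 (no options) and case 3 (--rules plus --enabled):
        # start from every enabled rule, then add the explicitly named ones.
        names = [n for n, r in catalog.items() if r.enabled]
        names += [n for n in named if n not in names]
    else:
        # Case 2 (--rules only): test just the named rules, enabled or not.
        names = named
    return [catalog[n] for n in names], invalid


def simulate(catalog, user, host, service, rules=None, enabled=False):
    """Run the request against the selected rules and report per-rule detail."""
    selected, invalid = select_rules(catalog, rules, enabled)
    passed = [r.name for r in selected if r.matches(user, host, service)]
    denied = [r.name for r in selected if not r.matches(user, host, service)]
    # Access is granted only if at least one selected rule matched.
    return {"granted": bool(passed), "passed": passed,
            "denied": denied, "invalid": invalid}


# Constructed sample data: two production rules and one disabled candidate rule.
CATALOG = {r.name: r for r in [
    Rule("allow_admins_ssh", True, frozenset({"alice"}), frozenset({"web1"}), frozenset({"sshd"})),
    Rule("allow_ops_ftp", True, frozenset({"bob"}), frozenset({"web1"}), frozenset({"vsftpd"})),
    Rule("new_bob_ssh", False, frozenset({"bob"}), frozenset({"web1"}), frozenset({"sshd"})),
]}
```

With this data, the disabled candidate rule `new_bob_ssh` only affects the result when it is named explicitly, which is the pre-production testing case described in item 3.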