On 07/25/2011 01:01 PM, Alexander Bokovoy wrote:
> On 25.07.2011 19:57, Jenny Galipeau wrote:
>>> 1. No option specified. Default case, run simulation against all enabled
>>> IPA rules.
>>> 2. --rules specified. Run simulation against only those rules in --rules.
>>> 3. --rules and --enabled specified. Run simulation against all enabled
>>> IPA rules _and_ additionally enable those in --rules. This is a case of
>>> testing new HBAC rules before going to production.
>> If you are not going to target specific rules, do you still have to supply
>> the --rules option on the command line? I would think just --enabled or
>> --disabled?

--rules is needed to specify additional rules.

> By default, if you don't supply --rules, --enabled, or --disabled, you
> are targeting all enabled IPA rules (case 1 above). This is default
> because this is what people would probably like to test: whether user is
> able to access the service.
> So, default one (no --rules, --enabled, or disabled) would imply --enabled.

Ok are we settled on:
--enabled (if all flags are omitted this is default)

or on
--enabled=A, B, C (if all flags are omitted this is default)
--disabled=X, Y, Z

>>> During test simulation of such access granting it is important to
>>> understand which rule has caused a problem, be it excessive access
>>> grant
>>> or premature deny. '--detail' is an option which allows to see how
>>> simulation went, which rules granted access and which denied.
>> Got it, so maybe it was just the wording in the help output that confused
>> me. "Details of the rule(s) being validated"?
> Maybe "Show which rules are passed, denied, and invalid"?
Makes sense.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
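The option semantics debated in this thread (cases 1 to 3 for --rules/--enabled, plus the --detail breakdown into passed, denied and invalid rules) are small enough to model directly. The following is an added toy model written for this discussion; it is not FreeIPA's hbactest code. The rule structure, the sample rules, the meaning of "invalid" (a rule with an empty user, host or service set) and the assumption that --disabled mirrors --enabled are all constructed here.

```python
# Toy model of hbactest option handling (assumption: not FreeIPA's own code).
from dataclasses import dataclass


@dataclass(frozen=True)
class HbacRule:
    """Constructed, simplified HBAC rule: explicit member sets only."""
    name: str
    enabled: bool
    users: frozenset
    hosts: frozenset
    services: frozenset

    def is_valid(self):
        # Constructed notion of "invalid": an empty category can never match,
        # so the rule is reported separately instead of as a plain deny.
        return bool(self.users and self.hosts and self.services)

    def matches(self, user, host, service):
        return user in self.users and host in self.hosts and service in self.services


def select_rules(all_rules, rules=(), enabled=False, disabled=False):
    """Pick the rules to simulate, following the cases from the thread.

    Case 1: no option        -> all enabled rules (default implies --enabled).
    Case 2: --rules only     -> exactly the named rules.
    Case 3: --rules+--enabled -> all enabled rules plus the named rules.
    --disabled is assumed symmetric to --enabled (adds all disabled rules).
    """
    by_name = {r.name: r for r in all_rules}
    unknown = [n for n in rules if n not in by_name]
    if unknown:
        raise ValueError("unknown rule(s): %s" % ", ".join(unknown))
    if not rules and not enabled and not disabled:
        enabled = True  # case 1
    chosen = set(rules)
    for r in all_rules:
        if (enabled and r.enabled) or (disabled and not r.enabled):
            chosen.add(r.name)
    # Preserve the order of all_rules so output is deterministic.
    return [r for r in all_rules if r.name in chosen]


def simulate(all_rules, user, host, service, rules=(), enabled=False, disabled=False):
    """Return (access_granted, detail); detail is what --detail would show:
    which rules passed (granted access), which denied, and which were invalid."""
    detail = {"passed": [], "denied": [], "invalid": []}
    for r in select_rules(all_rules, rules, enabled, disabled):
        if not r.is_valid():
            detail["invalid"].append(r.name)
        elif r.matches(user, host, service):
            detail["passed"].append(r.name)
        else:
            detail["denied"].append(r.name)
    return bool(detail["passed"]), detail


# Constructed sample rules: two enabled production rules, one disabled rule
# awaiting rollout, and one disabled rule that is malformed.
RULES = [
    HbacRule("web_ssh", True, frozenset({"alice", "bob"}), frozenset({"web1"}), frozenset({"sshd"})),
    HbacRule("admins_sudo", True, frozenset({"alice"}), frozenset({"web1", "db1"}), frozenset({"sudo"})),
    HbacRule("new_db_ssh", False, frozenset({"bob"}), frozenset({"db1"}), frozenset({"sshd"})),
    HbacRule("broken_rule", False, frozenset(), frozenset({"db1"}), frozenset({"sshd"})),
]


if __name__ == "__main__":
    # Case 1 vs case 3: does bob get ssh on db1 today, and would he once
    # new_db_ssh is enabled?
    print(simulate(RULES, "bob", "db1", "sshd"))
    print(simulate(RULES, "bob", "db1", "sshd", rules=["new_db_ssh"], enabled=True))
```

Running the two calls at the bottom shows the point of case 3: the first simulation denies bob, and the detail lists both production rules under "denied"; the second grants access and names new_db_ssh as the rule that passed, which is the information an admin wants before enabling the rule for real.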

Freeipa-devel mailing list