Hello Thierry/David,

I saw the new privileges and permissions for the Staged Users functionality and
found couple spelling/English issues that I think we should fix before Alpha/GA
so that we can just rename them and not care about upgrade changes.

Namely:

# ipa permission-find stage | grep -i "Permission name"
  Permission name: System: Add Stage Users by Provisioning and Administrators

Should be "System: Add Stage User"

Permission should not care who will do it, it is privilege/role's job.

  Permission name: System: Delete modify Stage Users by administrators

Why is Modify and Delete combined in 1 permission?

Should be "System: Modify Stage User" and "System: Remove Stage User"

  Permission name: System: Preserve an active user to a delete Users

Maybe "System: Preserve User"? We do not use "deleted users" bur rather
"preserved users anyway"

  Permission name: System: Reactive delete users

"System: Undelete User" to reflect the command name.

  Permission name: System: Read Stage User kerberos principal key and password

Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.

  Permission name: System: Read Stage Users by administrators

"System: Read Stage Users"

  Permission name: System: Read/Write delete Users by administrators

This needs to be 2 permissions:

"System: Read Preserved Users"
"System: Modify Preserved Users"

  Permission name: System: Reset userPassord and kerberos keys of delete users
by administrator

Rather "System: Reset Preserved User password"

  Permission name: System: Write Active Users RDN by administrators

Rather "System: Modify User RDN"

  Permission name: System: Write Delete Users RDN by administrators

Why is this permission needed, isn't "System: Modify Preserved Users" enough?

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to