On 06/10/2015 12:16 PM, Martin Kosek wrote:
On 06/10/2015 10:01 AM, David Kupka wrote:
On 06/10/2015 09:12 AM, Martin Kosek wrote:
I saw the new privileges and permissions for the Staged Users functionality and
found a couple of spelling/English issues that I think we should fix before Alpha/GA
so that we can just rename them and not care about upgrade changes.
# ipa permission-find stage | grep -i "Permission name"
Permission name: System: Add Stage Users by Provisioning and Administrators
Should be "System: Add Stage User"
Permission should not care who will do it, it is privilege/role's job.
Permission name: System: Delete modify Stage Users by administrators
Why is Modify and Delete combined in 1 permission?
Hello Martin, David,
Sorry for the delay.
Each permission creates a DS aci. At first to limit the number of aci I
tried to group them.
So I should rather separate each individual right into separate
permission (e.g. 'write'/MOD and 'delete'/DEL), is that correct?
I agree it is cleaner and easier to maintain.
Should be "System: Modify Stage User" and "System: Remove Stage User"
Permission name: System: Preserve an active user to a delete Users
Maybe "System: Preserve User"? We do not use "deleted users" but rather
"preserved users" anyway
Yes. Petr Viktorin already warned me to use the proper naming.
Deleted users are better renamed to Preserved users (due to the CLI option)
That's fine for me. In the initial version of the patch I put 'credentials'
but then switched to exact attributes.
Permission name: System: Reactive delete users
"System: Undelete User" to reflect the command name.
Permission name: System: Read Stage User kerberos principal key and password
Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.
Permission name: System: Read Stage Users by administrators
"System: Read Stage Users"
Permission name: System: Read/Write delete Users by administrators
This needs to be 2 permissions:
"System: Read Preserved Users"
"System: Modify Preserved Users"
Permission name: System: Reset userPassord and kerberos keys of delete users
Rather "System: Reset Preserved User password"
Permission name: System: Write Active Users RDN by administrators
Rather "System: Modify User RDN"
Permission name: System: Write Delete Users RDN by administrators
Why is this permission needed, isn't "System: Modify Preserved Users" enough?
Absolutely you are right, this aci is already covered by "Modify
it's probably my fault, I should have paid more attention when reviewing the
patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
can fix it.
Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
hard, the names are now already proposed.