On 06/10/2015 12:16 PM, Martin Kosek wrote:
On 06/10/2015 10:01 AM, David Kupka wrote:
On 06/10/2015 09:12 AM, Martin Kosek wrote:
Hello Thierry/David,

I saw the new privileges and permissions for the Staged Users functionality and
found a couple of spelling/English issues that I think we should fix before Alpha/GA
so that we can just rename them and not care about upgrade changes.


# ipa permission-find stage | grep -i "Permission name"
    Permission name: System: Add Stage Users by Provisioning and Administrators

Should be "System: Add Stage User"

Permission should not care who will do it, it is privilege/role's job.

    Permission name: System: Delete modify Stage Users by administrators

Why is Modify and Delete combined in 1 permission?

Hello Martin, David,

Sorry for the delay.

Each permission creates a DS aci. At first, to limit the number of aci, I tried to group them. So I should rather separate each individual right into a separate permission (e.g. 'write'/MOD and 'delete'/DEL), is that correct?

I agree it is cleaner and easier to maintain.

Should be "System: Modify Stage User" and "System: Remove Stage User"

    Permission name: System: Preserve an active user to a delete Users

Maybe "System: Preserve User"? We do not use "deleted users" but rather
"preserved users" anyway.

Yes. Petr Viktorin already warned me to use the proper naming.
Deleted users are better renamed to Preserved users (due to the CLI option).

    Permission name: System: Reactive delete users

"System: Undelete User" to reflect the command name.

    Permission name: System: Read Stage User kerberos principal key and password

Rather "System: Read Stage User password" - I do not think we need to call out
the principal key explicitly, but this is negotiable.
That's fine for me. In the initial version of the patch I put 'credentials' but then switched to the exact attributes.

    Permission name: System: Read Stage Users by administrators

"System: Read Stage Users"

    Permission name: System: Read/Write delete Users by administrators

This needs to be 2 permissions:

"System: Read Preserved Users"
"System: Modify Preserved Users"

    Permission name: System: Reset userPassord and kerberos keys of delete users
by administrator

Rather "System: Reset Preserved User password"

    Permission name: System: Write Active Users RDN by administrators

Rather "System: Modify User RDN"

    Permission name: System: Write Delete Users RDN by administrators

Why is this permission needed, isn't "System: Modify Preserved Users" enough?

Absolutely, you are right, this aci is already covered by "Modify Preserved Users".


It's probably my fault, I should have paid more attention when reviewing the
patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
can fix it.

Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
hard, the names are now already proposed.

