On 11/01/2011 04:09 AM, Sigbjorn Lie wrote:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size fits
>> all solution regarding RBAC. But we were talking about general Role
>> based access control model not specific RBAC as Solaris implemented it.
>> The Solaris RBAC is similar to sudo and HBAC combined together. Both
>> features are managed by IPA. We also have SELinux policies on Linux that
>> can constrain the root access. The user SELinux roles management is on
>> the roadmap but HBAC + SUDO should give you the equivalent if not more
>> functionality than Solaris RBAC.
>
>
> It's a false statement that Solaris RBAC is like sudo and HBAC combined.
> There are so many more options in the Solaris RBAC when it comes to such
> as limiting/granting cpu/memory resources, OS privileges, based on a
> group, a project, a user, a service, etc.

Sounds a lot like an overlap with SELinux features to me...

> Besides, RBAC comes with Solaris, sudo needs to be installed.

It was not clear if the client is actually on Solaris.
I think here we have a different case. Here we are talking about an
application that takes advantage of the Solaris RBAC as a policy container.

> And as I understand it, SSSD is required to be installed on Solaris to
> implement the HBAC rules from IPA?
>

Yes, but a different pam module can be built to take advantage of HBAC for
the platforms that do not support SSSD.

>
> Rgds,
> Siggi
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
