On 11/01/2011 04:09 AM, Sigbjorn Lie wrote:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size fits
>> all solution regarding RBAC. But we were talking about general Role
>> based access control model not specific RBAC as Solaris implemented it. The
>> Solaris RBAC is similar to sudo and HBAC combined together. Both features
>> are managed by IPA. We also have SELinux policies on Linux that can
>> constrain the root access. The user SELinux roles management is on the
>> roadmap but HBAC + SUDO should give you the equivalent if not more
>> functionality than Solaris RBAC.
> It's a false statement that Solaris RBAC is like sudo and HBAC combined.
> There are so many more options in the Solaris RBAC when it comes to such as
> limiting/granting cpu/memory resources, OS privileges, based on a group, a
> project, a user, a service, etc.
Sounds a lot like an overlap with SELinux features to me...
> Besides, RBAC comes with Solaris, sudo needs to be installed.
It was not clear if the client is actually on Solaris.
I think here we have a different case. Here we are talking about an
application that takes advantage of the Solaris RBAC as a policy container.
> And as I understand it, SSSD is required to be installed on Solaris to implement
> the HBAC rules from
Yes but a different pam module can be built to take advantage of HBAC
for the platforms that do not support SSSD.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.