On 11/01/2011 04:09 AM, Sigbjorn Lie wrote:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size fits
>> all solution regarding RBAC. But we were talking about general Role
>> based access control model not specific RBAC as Solaris implemented it.
>> The Solaris RBAC is similar to sudo and HBAC combined together. Both
>> features are managed by IPA. We also have SELinux policies on Linux that
>> can constrain the root access. The user SELinux roles management is on
>> the roadmap but HBAC + SUDO should give you the equivalent if not more
>> functionality than Solaris RBAC.
> It's a false statement that Solaris RBAC is like sudo and HBAC combined.
> There are so many more options in the Solaris RBAC when it comes to things
> such as limiting/granting cpu/memory resources, OS privileges, based on a
> group, a project, a user, a service, etc.

Sounds a lot like an overlap with SELinux features to me...

> Besides, RBAC comes with Solaris, sudo need to be installed.

It was not clear if the client is actually on Solaris.
I think here we have a different case. Here we are talking about an
application that takes advantage of the Solaris RBAC as a policy container.

> And as I understand it, SSSD is required to be installed on Solaris to
> implement the HBAC rules from IPA?

Yes but a different pam module can be built to take advantage of HBAC
for the platforms that do not support SSSD.
> Rgds,
> Siggi
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
