On 11/01/2011 04:09 AM, Sigbjorn Lie wrote:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size fits 
>> all solution regarding
>> RBAC. But we were talking about geral Role
>> base access control model not specific RBAC as Solaris implemented it. The 
>> Solaris RBAC is similar
>> to sudo and HBAC combined together. Both features are managed by IPA. We 
>> also have SELinux policies
>> on Linux that can constrain the root access. The user SELinux roles 
>> management is on the roadmap
>> but HBAC + SUDO should give you the equivalent if not more functionality than
>> Solaris RBAC.
>
>
> It's a false statement that Solaris RBAC is like sudo and HBAC combined. 
> There so much more
> options in the Solaris RBAC when it comes to such as limiting/granting 
> cpu/memory resources, OS
> privileges, based on a group, a project, a user, a service, etc.
Sounds a lot like and overlap with SELinux features to me...

> Besides, RBAC comes with Solaris, sudo need to be installed.

It was not clear if the client is actually on Solaris.
I think here we have a different case. Here we are talking about an
application that takes advantage of the Solaris RBAC as a policy container.


> And as I understand it, SSSD is required to installed on Solaris to implement 
> the HBAC rules from
> IPA?
>

Yes but a different pam module can be built to takje advantage of HBAC
for the platforms that do not support SSSD.
>
> Rgds,
> Siggi
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to