On Thu, 14 Feb 2013, Dag Wieers wrote:
Another interesting recommendation from security is that all granted
access (that is exceptional, rather than permanent) should be limited
in time from the onset.
If this is not possible all granted access needs to be documented and
revised regularly. However a system that would automatically revoke
access after a certain period is preferred from a
security/administrative perspective. (Period to be defined when
This would mean that e.g. sudo-rules, group memberships, etc. could
have due dates and that IPA ensures that these rights are revoked in
So I was wondering whether this is something that was already
discussed as a feature for IPA ?
Yes, something along these lines was discussed in past.
We have three tickets so far in deferred state:
A problem with time-based access management is to consider its locality.
Time-limited rules all stored centrally but applied locally and
timezones play important role in messing things up.
We also wanted to develop solution which would be scalable and easier to
integrate with visual tools to edit recurrent events, thus ideas towards
use of iCalendar (RFC5545 and RFC5546) format.
From FreeIPA perspective application of rules would be done by SSSD and
its plugins to various applications (sudo, SELinux enforcement, etc).
FreeIPA itself would provide storage and means to edit the rules, both
in command line and web UI.
We haven't started working on the topic yet because there were (and
currently are) numerous other tasks with slightly higher priority. Any
contribution in the are is welcomed, even in form of thinking out and
writing down feature proposal, based on a template at
/ Alexander Bokovoy
Freeipa-users mailing list