On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote:
> Hi,
> Another interesting recommendation from security is that all granted 
> access (that is exceptional, rather than permanent) should be limited in 
> time from the onset.
> If this is not possible all granted access needs to be documented and 
> revised regularly. However a system that would automatically revoke access 
> after a certain period is preferred from a security/administrative 
> perspective. (Period to be defined when granting access)
> This would mean that e.g. sudo-rules, group memberships, etc. could have 
> due dates and that IPA ensures that these rights are revoked in due time.
> So I was wondering whether this is something that was already discussed as 
> a feature for IPA ?

sudo rules have sudoNotBefore sudoNotAfter attributes, so you can limit
their validity.

User accounts have an expiration time as well.

There is no expiration time for groups or group membership, we have not
had any previous request or need for this and I am not sure it really is
possible to do this for group memberships.

I guess we could add an attribute to expire a group, however no client
will respect that for now, so it would be a bit pointless if not


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to