On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote: > Hi, > > Another interesting recommendation from security is that all granted > access (that is exceptional, rather than permanent) should be limited in > time from the onset. > > If this is not possible all granted access needs to be documented and > revised regularly. However a system that would automatically revoke access > after a certain period is preferred from a security/administrative > perspective. (Period to be defined when granting access) > > This would mean that e.g. sudo-rules, group memberships, etc. could have > due dates and that IPA ensures that these rights are revoked in due time. > > So I was wondering whether this is something that was already discussed as > a feature for IPA ?
sudo rules have sudoNotBefore sudoNotAfter attributes, so you can limit their validity. User accounts have an expiration time as well. There is no expiration time for groups or group membership, we have not had any previous request or need for this and I am not sure it really is possible to do this for group memberships. I guess we could add an attribute to expire a group, however no client will respect that for now, so it would be a bit pointless if not misguiding. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users