On Thu, 14 Feb 2013, Alexander Bokovoy wrote:

On Thu, 14 Feb 2013, Dag Wieers wrote:

So I was wondering whether this is something that was already discussed as a feature for IPA ?

Yes, something along these lines was discussed in past.
We have three tickets so far in deferred state:
https: //fedorahosted.org/freeipa/ticket/547
https: //fedorahosted.org/freeipa/ticket/548
https: //fedorahosted.org/freeipa/ticket/3127

A problem with time-based access management is to consider its locality.
Time-limited rules all stored centrally but applied locally and
timezones play important role in messing things up.

We also wanted to develop solution which would be scalable and easier to
integrate with visual tools to edit recurrent events, thus ideas towards
use of iCalendar (RFC5545 and RFC5546) format.

From FreeIPA perspective application of rules would be done by SSSD and
its plugins to various applications (sudo, SELinux enforcement, etc).
FreeIPA itself would provide storage and means to edit the rules, both
in command line and web UI.

Thanks for the feedback. Obviously I didn't consider all the use-cases yet, but what you describe would fulfill the security recommendation.

I'd like to start a feature proposal, however I am not sure if I am best placed to do it given there has obviously been discussions about it already (and our use-case is rather limited).

Let me know if you see any value.
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]

Freeipa-users mailing list

Reply via email to