On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal <d...@redhat.com> wrote:

>  On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>  I think controlling Visibility of tabs would be the best option, if
> possible, based on Roles as mentioned by Rob. As long as other entries are
> not visible in UI, even though they have read only access with command
> line, should be enough.
> It would not be a security feature though. Just a convenience because the
> same admin would be able to bind directly to ldap and run a search. This is
> why we did not go this route. Yes we can hide panels but it would not mean
> that the user can't easily get that info. So is there really a value in
> hiding? So far we did not see any this is why we did not do it, but may be
> you have some arguments that might convince us that we are wrong. Can you
> please share these arguments with us?

I wasn't involved in this thread before now, however, in our case we do not
allow LDAP access (only Kerberos and WebUI) from outside firewall so there
*could* be a distinction between the two. I could also present that some
users have been confused when they login to change their personal
information and see a huge list of other users. Of course, they are
directed to their information first upon login, however, we all know that
one wrong click can always happen with some users.

Perhaps it's better to just put together a new WebUI using the Python API,
however, with the fantastic new password reset page in 3.x, I've become
lazy and let users access IPA directly.

Freeipa-users mailing list

Reply via email to