On 04/16/2013 01:14 AM, Stephen Ingram wrote:
On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal <d...@redhat.com> wrote:

  On 04/15/2013 11:11 AM, Chandan Kumar wrote:

  I think controlling Visibility of tabs would be the best option, if
possible, based on Roles as mentioned by Rob. As long as other entries are
not visible in UI, even though they have read only access with command
line, should be enough.

It would not be a security feature though. Just a convenience because the
same admin would be able to bind directly to ldap and run a search. This is
why we did not go this route. Yes we can hide panels but it would not mean
that the user can't easily get that info. So is there really a value in
hiding? So far we did not see any this is why we did not do it, but may be
you have some arguments that might convince us that we are wrong. Can you
please share these arguments with us?

I wasn't involved in this thread before now, however, in our case we do not
allow LDAP access (only Kerberos and WebUI) from outside firewall so there
*could* be a distinction between the two. I could also present that some
users have been confused when they login to change their personal
information and see a huge list of other users. Of course, they are
directed to their information first upon login, however, we all know that
one wrong click can always happen with some users.

We might hide menu and breadcrumb navigation in self-service. Would that help? Another possible problem is direct modification of url and thus showing details of another user.

Perhaps it's better to just put together a new WebUI using the Python API,
however, with the fantastic new password reset page in 3.x, I've become
lazy and let users access IPA directly.


Petr Vobornik

Freeipa-users mailing list

Reply via email to