On Fri, 2014-02-28 at 17:27 +0000, Nordgren, Bryce L -FS wrote:
> Am I overlooking something, or is this likely to be an effective means
> of delegating small project support while sideboarding potential Evil?

Well, there are always caveats, mostly that you will find exceptions you have to permit for whatever reason, so you generally need a workable exception mechanism when that happens. Auditing can be a suitable mitigation factor in those cases.

That said, I think JR also gave excellent points. Esp wrt 2FA which, incidentally, we are almost done implementing in FreeIPA. With 2FA you substantially reduce the threat of stolen passwords, when you have to allow password login on less trusted machines, at least for human accounts.

Simo.

--
Simo Sorce * Red Hat, Inc * New York