On 04/17/2015 12:11 PM, Ash Alam wrote:
Hello
I wanted to get some input on what your approach is for admin
accounts. In the past I approached it where you have a user `John Doe`
he has a normal user account for everyday tasks (wifi, anything that
talks ldap). He also has an admin account for when he needs to
administer ipa, active directory etc.
There are a few groups of thought around this. Mine being that admin
permissions should not be granted to accounts that are not
specifically created to administer ipa/ad. I have worked at places
where admin and user accounts were one and the same and others where
they were separated.
Currently I have an opportunity to start fresh and wanted to get some
input as to what the best approach would be. FreeIPA and its
developers are security conscious and it's built around security, so
getting your thoughts on this would be great.
Thank You
I do not think there is a clear-cut rule you can follow. This is why you
have the experience with both approaches.
The question that I would ask is how significantly the administrative
activity is logically segregated from end user activity in your environment.
If there are a lot of areas that only special accounts can get to and no
end user can routinely access then probably having a logical separation
of the accounts would be better.
If admins and users can access the same systems and applications and
just have different privileges then you need to focus on access control
anyway, so having separate accounts would be more overhead than gain.
But this is just my take on this. Others might disagree.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.