> Something declarative which can be version controlled and considered a
> "source of truth" and driven from configuration management (chef,
> puppet, ansible - whatever your flavor)

This is generally not done with a configuration management system because it tends to be more dynamic. Usually you'll use an identity management system that maintains your "authoritative source" that can be audited against. Depending on your needs it can have workflows for user approvals, etc. There are several open source identity management solutions including OpenUnison (our -Tremolo Security- own project - http://openunison.io), ForgeRock's OpenIDM, or OpenIAM.

> A scheme to reconcile account properties, group memberships,
> permissions, etc... I could see how this would be a slippery slope
> because of the depth of groupings/permissions/etc... but a
> version-controlled declarative user config gives a nice record for
> auditors (When did mike get an account, who granted access to him,
> when did he get access, what other access has he had over the last
> year... etc..)

This is the use case for an identity management system. Something that will let you identify who created an account, who approved it, etc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
