> Something declarative which can be version controlled and considered a
> "source of truth" and driven from configuration management (chef,
> puppet, ansible - whatever your flavor)

This is generally not done with a configuration management system
because it tends to be more dynamic.  Usually you'll use an identity
management system that maintains your "authoritative source" that can
be audited against.  Depending on your needs it can have workflows for
user approvals, etc.  There are several open source identity
management solutions including OpenUnison (our -Tremolo Security- own
project - http://openunison.io) or ForgeRock's OpenIDM or OpenIAM.

> A scheme to reconcile account properties, group memberships,
> permissions, etc... I could see how this would be a slippery slope
> because of the depth of groupings/permissions/etc... but a
> version-controlled declarative user config gives a nice record for
> auditors (When did mike get an account, who granted access to him,
> when did he get access, what other access has he had over the last
> year... etc..)

This is the use case for an identity management system.  Something
that will let you identify who created an account, who approved it,

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to