Hi all,

I realize that this with vary from instance to instance, but I'm curious on how 
others are handling naming conventions for things like HBAC rules, sudo rules, 

Here is how I am handling things today:

* External groups have an 'external' prefix (eg, external_groupname)
* Hostgroups have a $group prefix (eg, groupX_webservers)
* sudo rules are classified by the group name (eg, EmailAdmins)

This example sudo rule would allow members of the 'EmailAdmins' group access to 
run certain commands/command-groups on specific host-groups (eg, 

* HBAC rules are classified by the group name (eg, allow_EmailAdmins)

This example HBAC rule would allow members of the 'EmailAdmins' group access to 
certain host-groups (eg, groupX_webservers).  When this group needs to access 
additional groups of servers, I just modify the existing HBAC rule and add the 
new group.  There are many different ways to handle this.  I have thought about 
classifying HBAC rules by hostgroup instead of user group.  In this case, I 
would have an HBAC rule named 'allow_Webservers' where I would specify 
individual user-groups that require access to the host(s).  My opinion on this 
is likely to change as our environment (and use cases) continues to expand.

What is working in your environment?  What would you change if you could start 
over?  It would be great if this discussion could eventually lead to a 'best 
practices' document/wiki-page for naming conventions and practices.



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to