> > The "System Administrator" is not a user, it's one of the existing
> > rights profiles, we could grant it to any user or role as we want.
> > These commands are by design for system administration, I think we
> > should put them under the rights profile "File System Management"
> > which is a supplementary rights profile of "System Administrator".
> > So it will depend on the customers which user/role would run these
> > commands, not restricted to superuser(root).
> 
> Since this has NOTHING to do with "File Systems" I don't think that is 
> an appropriate existing RBAC profile.

        I tend to agree.  I've offered to help the project team through
        the case owner, but that's not come to fruition.
        Looking at the issues you and I have raised, I believe a higher
        bandwidth communication than email will help to converge this.
        Such as why is sys_devices required to run the view commands?
        And why are the modes restricted?  What is the policy?  Why
        is the policy appropriate?  And as you say why File System Management?
        It is included in System Administrator, so why is that the
        appropriate set of Rights Profiles for these commands?
        Since the claim is required privileges, what about limitprivs?

> I would like to see one or maybe two new profiles:
> 
> "SCSI Device Info"  Contains the non empty set of commands from this 
> case that require privilege but are non destructive in all their modes 
> of operation - ie they are "status/info" commands only.

        Perhaps after understanding the why of the device policy,
        the view routines may not need any Rights Profile at all.
        From (one of the Xiao Li's) email that showed
        crw-r-----   1 root     sys 
        sgid sys might be appropriate.
        Without the project team's explanation of rationale for the
        existent policy, I can't judge.

Gary..
