Access Control Defaults
- Do we need some kind of permission atoms to allow certain tasks?
Use Cases
- User sign-up portal (needs a service account that can create users and do credential resets)
- Role for service account generation.
- Remote backup: this account should be able to trigger and retrieve a backup
- Groups should be able to be changed by a managing group (managed by)
- IP limits on accounts?
- Users need to not be able to see other users.
  - Means the user can't read the member attr, but can see groups + group info.
- Anonymous needs to be able to be blocked more easily.
- Enable/disable self-mail write
- Enable/disable self-name-change
To achieve
- IP access limits
- Managed By rules
- Better group specification syntax (not filters)
Domain Admin
IDM Admin
Integration Admin
Help Desk
Account "Self"
Account-Related
Duplicated for Service Accounts, HP persons, HP service Accounts.