Access Control Defaults

  • Do we need some kind of permission atoms to allow certain tasks?

Use Cases

  • User sign-up portal (needs a service account that can create users and perform credential resets)

  • Role for service account generation.

  • Remote backup - this account should be able to trigger and retrieve a backup

  • Groups should be modifiable by a managing group (a "managed by" relationship)

  • IP limits on accounts?

  • Users must not be able to see other users.

    • This means a user cannot read the member attribute of groups, but can still see groups and group info.

  • It needs to be easier to block anonymous access.

  • Enable/disable self-service mail writes

  • Enable/disable self-service name changes

To achieve

  • IP access limits
  • Managed By rules
  • Better group specification syntax (not filters)

Role Hierarchy (recovered from the extracted diagram)

The following is the node and edge text that survived extraction of the role diagram, grouped by the cluster each label belonged to. Where a cluster has several roles and several edge labels, the extracted text does not say which label belongs to which edge, so those labels are listed per cluster rather than attached to a specific role.

Domain Admin (contains)

  • Access Control Admin
  • Account Policy Admin
  • Domain Config Admin
  • HP Group Admin
  • Schema Admin
  • Sync Account Admin

IDM Admin (contains)

  • Group Admin
  • Person Admin
  • Person PII Modify
  • Person Read No PII
  • POSIX Account - [Includes Cred Mod]
  • Radius Account Modify

Integration Admin (contains)

  • OAuth2 Admin
  • POSIX Account Consumer
  • Radius Service Admin

Help Desk (contains)

  • Person Credential Modify
  • Person Read No PII

Account "Self"

  • Self
  • Self Read
  • Self Modify
  • Self Mail Modify
  • Self Name Modify
  • Edge labels in this cluster: Modifies; Read; Writes Secrets; Modifies
  • Duplicated for Service Accounts, HP persons, HP service accounts.

Persons

  • Person On Board
  • Person Admin
  • Person PII Modify
  • Person Credential Modify
  • Person Read No PII
  • Person Read - With PII
  • PosixAccountIncludesCredMod
  • Edge labels in this cluster: Creates; Creates Deletes; Reads Modifies; Member of (three edges); Reads Modifies; Reads; Reads; Extends (Add Posix Account)

Domain and Schema

  • Domain Configuration Admin -> Domain, System
  • Sync Account Admin -> Sync Accounts
  • Schema Admin -> Schema
  • Access Control Admin -> Access Controls
  • Edge labels in this cluster: Modifies Reads; Modifies Reads; Creates Modifies Deletes; Creates Modifies; Creates Modifies Deletes

High-Priv and Groups

  • Group Admin -> Groups
  • Account Policy Admin
  • HP Group Admin
  • HP Groups, HP Group
  • Edge labels in this cluster: Create Modify Delete; Modifies Extends; Modify Delete; Add Members; Inherits

OAuth2 Specific

  • OAuth2 Admin -> OAuth2 RS
  • Scoped Member
  • Edge labels in this cluster: Creates Modifies Delegates; Reads

POSIX-Specific

  • POSIX Account Consumer -> Posix Accounts: Reads Auths

Radius

  • Radius Service Admin -> Radius Service
  • Radius Account Modify -> Radius Accounts
  • Edge labels in this cluster: Adds Members; Reads Secrets; Writes Secrets

Recycle Bin Admin

  • Recycle Bin Admin -> Recycled Entries: Modifies Reads Revives