Re: RC separation of duty


From: "Paul D. Robertson" <proberts@clark.net>
Subject: Re: RC separation of duty
Date: Fri, 29 Oct 1999 10:52:18 -0400 (EDT)

Next Article (by Date): Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Previous Article (by Date): RC separation of duty ao@morpork.shnet.org (A. Ott)
Top of Thread: RC separation of duty ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


On 29 Oct 1999, A. Ott wrote:

> I am currently working on a separation of duty system for RC  
> administration, since I also think it necessary.

Awesome!

>   Admin (may read everything). This is kept, works as before and keeps
>   things simple for beginners.

This is very good.

> - New role vector assign_roles:
>   Which roles a user in this role may read and assign to users and
>   processes (process only, if MODIFY_ATTRIBUTE is allowed), and which

I'm going to be a very contented person :)

> - These new vectors may only be changed by old style Role Admins. If you
>   set them at the beginning, and then remove all Role Admins, this
>   separation is forever fixed (well, unless booting Maint kernel).

This is *exactly* what I was hoping for.

> So you could reboot with new version, reset old admin_type to none for all  
> roles and thus get your current administration settings fixed.

Is this the Oct 19 version of 1.0.9a on the Web site, or is it elsewhere 
that we should be looking?

> Comments?

Now I have a lot of work to do on configuraions, this is very good news 
indeed!

I'm in the process of building some HTTP proxy servers for WAN access.  
Being the paranoid type, I don't want unfettered WAN access to my main 
corporate site from distant locations.  Our infrastructure is such that 
the people who should manage the machines don't have a great deal of 
experience outside of Win*.  Rather than taking calls and doing routine 
things like adding new support admins I'll be able to delegate the 
administration tasks, and now even delegation itself as time goes on and the 
lower layers of support gain more clue.  Phase II of this project just 
instantly gained "add RSBAC" to its feature list.  Actually for the 
corporate side proxies it may squeak into Phase I.

Thank you *very* much!

[p.s. The Web article should be available on Monday, I'll post to this 
list when it's up at the site.]

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Date): Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Previous Article (by Date): RC separation of duty ao@morpork.shnet.org (A. Ott)
Top of Thread: RC separation of duty ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: RC separation of duty ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


Go to Compuniverse LWGate Home Page.