On Tue, Apr 20, 2021 at 08:53:59AM +0300, Alexander Bokovoy wrote:
On ma, 19 huhti 2021, Kevin Fenzi wrote:
> On Mon, Apr 19, 2021 at 08:44:43PM +0200, Pierre-Yves Chibon wrote:
> >
> > +1 for me on groups.
> >
> > This does raise the question about user accounts no?
> > We could have a group that is created with the same name as a group that was
> > deleted, and suddenly our auditing trail needs to take into account a time
> > component as group X at time A may be different than group X at time B.
>
> Yeah. Luckily we don't add many groups anymore...so I don't think that
> will be too much of a problem.
> >
> > I've the feeling that user accounts are a tad more sensitive and thus we
may
> > want to keep our current policies, I'm raising the question here
nonetheless :)
>
> Yeah, user accounts are a different thing.
> The case you mention above with groups could be a lot more confusing
> with users... user foo at time A is not the same as foo at time B.
> I'm ok with just keeping out policy of not deleting accounts except
> under exceptional cases.
FreeIPA has a concept of life-cycle management for users -- see 'ipa
help stageuser' and 'ipa help user-stage'.
More about it:
Design page:
https://www.freeipa.org/page/V4/User_Life-Cycle_Management
User documentation: Command line:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Web UI:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Interesting. Will read through those.
kevin