On Tue, Apr 20, 2021 at 08:53:59AM +0300, Alexander Bokovoy wrote:
On ma, 19 huhti 2021, Kevin Fenzi wrote:
> On Mon, Apr 19, 2021 at 08:44:43PM +0200, Pierre-Yves Chibon wrote:
> > +1 for me on groups.
> > This does raise the question about user accounts no?
> > We could have a group that is created with the same name as a group that was
> > deleted, and suddenly our auditing trail needs to take into account a time
> > component as group X at time A may be different than group X at time B.
> Yeah. Luckily we don't add many groups anymore...so I don't think that
> will be too much of a problem.
> > I've the feeling that user accounts are a tad more sensitive and thus we
> > want to keep our current policies, I'm raising the question here
> Yeah, user accounts are a different thing.
> The case you mention above with groups could be a lot more confusing
> with users... user foo at time A is not the same as foo at time B.
> I'm ok with just keeping out policy of not deleting accounts except
> under exceptional cases.
FreeIPA has a concept of life-cycle management for users -- see 'ipa
help stageuser' and 'ipa help user-stage'.
More about it:
Design page: https://www.freeipa.org/page/V4/User_Life-Cycle_Management
User documentation: Command line:
Interesting. Will read through those.