[desktop-discuss] [security-discuss] requirement for identifying a console user in RBAC

Mike Gerdts mgerdts at gmail.com
Fri Aug 17 20:29:29 PDT 2007


On 8/17/07, Darren J Moffat <Darren.Moffat at sun.com> wrote:
> Now back to the general case, being able to have different RBAC profiles
> based on "where" you are is actually a very useful concept - I have code
> that uses the "qualifier" field in user_attr(4) to limit when a user
> gets a profile based on host or netgroup. [ Not integrated because it
> requires updating the SMC user tool and I don't know how to do that ].

Aside from cross-platform issues (Linux, HP-UX, etc.), this is the
primary reason that I find sudo more appropriate than RBAC.  I've seen
some LDAP magic that gets pretty close to "machine has a role"
functionality to allow matching user role + machine role, but it
doesn't seem to be a common configuration.

Mike

-- 
Mike Gerdts
http://mgerdts.blogspot.com/

