2008/525 ikeadm token login
Darren J Moffat
Darren.Moffat at sun.com
Fri Aug 15 09:05:48 PDT 2008
Paul Wernau wrote:
> You bring up a good point. Is there some pre-existing authorization
> you'd recommend? I see solaris.device.grant (Delegate Device
> Administration) as a potential. Or we could create a new set.
I don't think that one is appropriate. I would expect a completely new
authorization under solaris.network. The closest existing one for this
is solaris.network.wifi.wep. My suggestion would be:
solaris.network.ipsec.ike.token.login
solaris.network.ipsec.ike.token.logout
This means you can give out solaris.network.* or
solaris.network.ipsec.*, or be very specific and allow login but not
logout.
It also leaves you "space" in the hierarchy to do other delegated admin
on ike and ipsec.
--
Darren J Moffat
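
An added illustration, not part of the original message and not Solaris code: a simplified model of trailing-wildcard authorization matching, showing the delegation levels described above and which accounts would pick up the proposed authorizations through a wildcard they already hold. The matching rule, the account names and the grants table are assumptions made for the example.

```python
# Assumed, simplified rule: a granted entry matches a requested
# authorization if the two are identical, or if the grant ends in ".*"
# and the request begins with the prefix before the "*".
LOGIN = "solaris.network.ipsec.ike.token.login"
LOGOUT = "solaris.network.ipsec.ike.token.logout"


def auth_matches(granted, requested):
    if granted == requested:
        return True
    if granted.endswith(".*"):
        return requested.startswith(granted[:-1])  # keep the trailing dot
    return False


def is_authorized(grants, requested):
    return any(auth_matches(g, requested) for g in grants)


def implicit_holders(grants_by_user, requested):
    """Accounts that hold `requested` only via a wildcard grant."""
    return sorted(
        user for user, grants in grants_by_user.items()
        if is_authorized(grants, requested) and requested not in grants
    )


# Constructed sample assignments (hypothetical account names).
GRANTS = {
    "netadmin": ["solaris.network.*"],
    "ipsecadmin": ["solaris.network.ipsec.*"],
    "tokenuser": [LOGIN],                      # login but not logout
    "wifiuser": ["solaris.network.wifi.wep"],  # unrelated sibling
}

if __name__ == "__main__":
    for user, grants in GRANTS.items():
        print(user,
              "login" if is_authorized(grants, LOGIN) else "-",
              "logout" if is_authorized(grants, LOGOUT) else "-")
    print("gain login via wildcard:", implicit_holders(GRANTS, LOGIN))
```
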