2008/525 ikeadm token login
Paul Wernau
Paul.Wernau at sun.com
Fri Aug 15 09:06:36 PDT 2008
Darren J Moffat wrote:
> Paul Wernau wrote:
>> You bring up a good point. Is there some pre-existing authorization
>> you'd recommend? I see solaris.device.grant (Delegate Device
>> Administration) as a potential. Or we could create a new set.
>
> I don't think that one is appropriate. I would expect a completely new
> authorization under solaris.network. The closest existing one for this
> is solaris.network.wifi.wep. My suggestion would be:
>
> solaris.network.ipsec.ike.token.login
> solaris.network.ipsec.ike.token.logout
>
> This means you can give out solaris.network.* or
> solaris.network.ipsec.*, or be very specific and allow login but not
> logout.
>
> It also leaves you "space" in the hierarchy to do other delegated admin
> on ike and ipsec.
>
OK, that sounds reasonable and is completely fine by me.
-Paul
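
The delegation scheme suggested above, as an added example that is not part of the original thread or of Solaris itself: a simplified Python model of hierarchical authorization matching, showing which grants allow token login and logout. The role names and the matching rule (a grant ending in ".*" covers every name below that prefix) are assumptions for illustration, not the Solaris library code.

```python
# Simplified model of hierarchical authorization checks (an assumption for
# illustration, not the Solaris implementation): a grant ending in ".*"
# covers every authorization below that prefix; any other grant must match
# the requested authorization exactly.

LOGIN = "solaris.network.ipsec.ike.token.login"
LOGOUT = "solaris.network.ipsec.ike.token.logout"


def auth_matches(grant: str, requested: str) -> bool:
    """Return True if a single grant covers the requested authorization."""
    if grant == requested:
        return True
    if grant.endswith(".*"):
        # Keep the trailing dot so "ipsec.*" cannot match "ipsecfoo.x".
        prefix = grant[:-1]
        return requested.startswith(prefix) and len(requested) > len(prefix)
    return False


def is_authorized(grants, requested: str) -> bool:
    """Return True if any grant held by the role covers the request."""
    return any(auth_matches(g, requested) for g in grants)


# Constructed role definitions (hypothetical names), from broad to specific.
ROLES = {
    "netadmin": ["solaris.network.*"],
    "ipsecadmin": ["solaris.network.ipsec.*"],
    "token_operator": [LOGIN],  # may log in, may not log out
    "wifi_only": ["solaris.network.wifi.wep"],
}


def access_table(roles=ROLES):
    """Map each role to whether it may perform token login and logout."""
    return {
        name: {
            "login": is_authorized(grants, LOGIN),
            "logout": is_authorized(grants, LOGOUT),
        }
        for name, grants in roles.items()
    }


if __name__ == "__main__":
    for name, row in access_table().items():
        print(f"{name:15} login={row['login']!s:5} logout={row['logout']}")
```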