
cipux-rbac.conf(3pm) User Contributed Perl Documentation cipux-rbac.conf(3pm)

cipux-rbac.conf

%rbac_cfg

TODO

%rbac_scope

TODO

Structure Considerations

There are several approaches and naming schemata to implement the RBAC structure for tasks.

This (non-valid) example might not be very common, because it implements the student self-administration.

 Task::cipux_task_list_student_accounts | task         \   
  |                                     |              | ou=Task
  `-- cipuxAclProgramMember             | attribute    |
      = student.cgi                     | program name / \
         |                              |                | ou=CAT
         `-- cipuxAclRoleMember         | attribute      | 
             = student                  | role name    \ /
                |                       |              |
                `-- cipuxAclUserMember  | attribute    | ou=Group
                    = bibaggings        | user name    /

The above example constructs a clean approach with separate LDAP attributes like cipuxAclProgramMember, cipuxAclRoleMember and cipuxAclUserMember, but it has a big disadvantage. If you look at a normal Group node, which consists of the object class posixGroup, you will notice that the filesystem and PAM normally use the attribute memberUid to describe the membership. Therefore - in this example - the ACL hierarchy for CipUX::RBAC and the filesystem group membership might get out of sync. If that is what you want: ok, but mostly you would not like to ask yourself questions like: Why can the user (who is in the POSIX group student) access object XY on the filesystem but not access the CAT module teacher? The answer would of course be: He is not in the attribute cipuxAclUserMember.

To avoid inconsistency we made the following schema valid for Debian now: The effective rights on the filesystem concerning roles (aka groups) and the ACLs CipUX uses are the same, because the attribute is the same.

 Task::cipux_task_list_teacher_accounts | task         \   
  |                                     |              | ou=Task
  `-- cipuxMemberPid                    | attribute    |
      = teacher.cgi                     | program name / \
         |                              |                | ou=CAT
         `-- cipuxMemberRid             | attribute      | 
             = teacher                  | role name    \ /
                |                       |              |
                `-- memberUid           | attribute    | ou=Group
                    = chkuelker         | user name    /

As you can see, memberUid is not an LDAP attribute from the cipux.schema; it is the standard posixGroup attribute. The second thing is that we dropped the Acl part of the attribute names, to state that they might not be used only for ACLs.
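The following is an added example (not code from cipux-rbac.conf or CipUX) that walks the Task -> CAT program -> role -> user chain over a small constructed directory and shows the drift the first schema allows: a user who is in the POSIX group via memberUid but missing from a separately maintained cipuxAclUserMember. The attribute names and OUs are from the page; the DNs, the dc=example,dc=org suffix and the sample users are assumptions.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed directory (assumed DNs and suffix). The student group carries
# both memberUid and the old cipuxAclUserMember so the two schemata can be
# compared; the teacher group uses only memberUid, as in the Debian schema.
DIRECTORY: Dict[str, Entry] = {
    "cn=cipux_task_list_teacher_accounts,ou=Task,dc=example,dc=org": {
        "cipuxMemberPid": ["teacher.cgi"]},
    "cn=teacher.cgi,ou=CAT,dc=example,dc=org": {
        "cipuxMemberRid": ["teacher"]},
    "cn=teacher,ou=Group,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "memberUid": ["chkuelker"]},
    "cn=cipux_task_list_student_accounts,ou=Task,dc=example,dc=org": {
        "cipuxMemberPid": ["student.cgi"]},
    "cn=student.cgi,ou=CAT,dc=example,dc=org": {
        "cipuxMemberRid": ["student"]},
    "cn=student,ou=Group,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "memberUid": ["bibaggings", "newpupil"],   # what PAM and the filesystem see
        "cipuxAclUserMember": ["bibaggings"]},      # old schema, maintained separately
}


def attr(ou: str, cn: str, name: str) -> List[str]:
    """Values of attribute <name> on cn=<cn>,ou=<ou>, or [] if absent."""
    return DIRECTORY.get(f"cn={cn},ou={ou},dc=example,dc=org", {}).get(name, [])


def users_for_task(task: str, user_attr: str = "memberUid") -> Set[str]:
    """Users allowed to run <task>. user_attr selects which attribute on the
    role (Group) node lists members: memberUid (Debian schema) or the
    older cipuxAclUserMember."""
    users: Set[str] = set()
    for program in attr("Task", task, "cipuxMemberPid"):
        for role in attr("CAT", program, "cipuxMemberRid"):
            users.update(attr("Group", role, user_attr))
    return users


def posix_groups_of(uid: str) -> Set[str]:
    """Groups the filesystem/PAM side grants <uid>, i.e. via memberUid."""
    return {dn.split(",")[0][3:] for dn, e in DIRECTORY.items()
            if "posixGroup" in e.get("objectClass", [])
            and uid in e.get("memberUid", [])}


def acl_drift(task: str) -> Set[str]:
    """Users in the role's POSIX group who would still be denied <task>
    under the old separate-attribute schema: the inconsistency described above."""
    return users_for_task(task, "memberUid") - users_for_task(task, "cipuxAclUserMember")
```

With the Debian schema the check for a task and the check for group membership read the same attribute, so acl_drift() is empty by construction; it is only non-empty where a role still carries a separately maintained ACL attribute.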

        # +-----------------------------------------------------------------+
        # | RBAC hierarchy structure                                        |
        # +-----------------------------------------------------------------+
        #
        # dim 0 = etc config space ($config_hr0 ...$config_hr2)
        # dim 1 = distribution space (debian, debian-edu, ....)
        # dim 2 = RBAC scope (task, cat, ...)
        # dim 3 = RBAC level, hierarchy level (0,1, ..., n)
        # dim 4 = level config space (list, member, ...)
        # dim 5 = level config values (cipux_task_list_tasks, ...)

%rbac_explain

TODO

2008-12-15 perl v5.10.0