February 19th, 2010, 03:52 AM
LDAP permissions on modifying group
Hello, I need some help with best practices. Let me describe problem:
We have application with users with different roles (LDAP groups). We have, for instance, "group1", "group2" and group "disabled". User from group "disabled" is not allowed to perform any actions. So, enabling user is deleting him or she from group "disabled". But suddenly appears that for "group1" should be very strict policy for enabling users. Administrator can create user, add him to "group1" and to group "disabled" but enabling user should perform some other person. So, how to:
1. forbid administrator to delete user from group "disabled"
2. create user which can perform only one action: delete users from group "disabled"
I do not know, maybe there are some others decision for enabling|disabling users. I would be glad to get any advice.
Thank you in advance.
February 20th, 2010, 08:18 AM
creating the permissions to allow adminA to add people to the 'disable' group and adminB to delete them is easy enough. However, what is to prevent adminA from not adding them to the 'disable' group in the first place?