Applying ACLs to create a support role that can only use specified services


Justin Chang
Jun 27, 2014, 3:02:51 AM
to medi...@googlegroups.com
Hi Guys,

How would I go about creating a Mediaflux user which is only capable of running specific commands, e.g.:
> om.pssd.user.create
> actor.grant
> transform.provider.user.settings.set

The use case is:
  1. Request for new DaRIS user account is received by Helpdesk
  2. Helpdesk creates new user account in the FreeIPA IDM
  3. Helpdesk creates new Mediaflux user using > om.pssd.user.create
  4. Helpdesk grants permissions required to enable user to utilise DaRIS functions.

Kind regards
Justin


JUSTIN CHANG | Business Portfolio Manager Research
Information and Communications Technology 


THE UNIVERSITY OF SYDNEY
Level 3 Services Building G12 | The University of Sydney | NSW | 2006
P +61 2 9114 0516  +614 0039 4246
justin...@sydney.edu.au W  
http://sydney.edu.au


CRICOS 00026A
This email plus any attachments to it are confidential and are subject to a claim for privilege. Any unauthorised use is strictly prohibited.  If you receive this email in error, please delete it and any attachments.

Please think of our environment and only print this e-mail if necessary.

Neil Edward Killeen
Jun 27, 2014, 3:41:20 AM
to Justin Chang, Neil Killeen, medi...@googlegroups.com
Justin

Probably this belongs in the DaRIS Google group, rather than this generic Mediaflux one.

You should be using your BMRI plugin service bmri.pssd.user.create since that applies
the appropriate BMRI package roles to the created user.

This service is already empowered with ‘system-administrator’ permission which allows
it to grant roles to other users.

You can do this:

- Create a specialised account for helpdesk and grant it the right to run this service.

> user.create :domain <domain> :user <user>   < other details>

> actor.grant :name <domain>:<name> :perm < :access ACCESS :resource -type service bmri.pssd.user.create > :type user
> actor.grant :name <domain>:<name> :perm < :access MODIFY :resource -type service bmri.pssd.user.create > :type user
> actor.grant :name <domain>:<name> :type user :role -type role basic-user

They need some kind of basic role to be functional, you can use the daris role ‘basic-user’
(which gives some basic perms; better to create your own base-level role for this
helpdesk user to ensure they can do only what you want).

Then they can run the service (only) and create users. Of course they need to run
other services to e.g. check the user etc., but this shows you a methodology.
Give it a go...


regards
Neil


