[sshproxy-dev] Re: Mail server down


From: David Guerizec
Subject: [sshproxy-dev] Re: Mail server down
Date: Wed, 10 Aug 2005 13:24:53 +0200 (CEST)
User-agent: SquirrelMail/1.4.4

Hello,

Let's get back to the list, since we're back on to the real work ;)

On Tue, 9 Aug 2005 1:43, Kalina Detko wrote:
> I've only thought over your suggestion to add profile_id to login table
> - but then it would be impossible to implement the main idea:
>
> "let me in as address@hidden" (individual permission)
> else
> "let me in as address@hidden if a_user is in a_profile and a_profile is
> able to log into a_host_group and a_host is in a_host_group" (group
> permission)
>
> Or, if I got wrong the idea, please correct me.

My idea was more along the line of the second proposition (group
permission), but you seem to be confusing user and login tables.

In fact, what I want to do is:

If I try to connect as ./SSH -P address@hidden address@hidden, the following
conditions must be met for me to log into a_host:

1. a_login must be present in the login table (and the password must match)
2. a_login belongs to a_profile with a high enough level of privilege (see
below)
3. a_host must be present in the site table
4. a_user must be present in the user table, and user.site_id must be
equal to site.id
5. a_host must belong to at least one site group (table sgroup) that
defines a level of privilege
6. profile.priv_level must be superior or equal to sgroup.priv_level

As I see it, the table profile could contain several privilege level
fields, one for the connection to sites, one for the administration level,
one for the SFTP console commands (i.e. a user could put files but not get
any), etc.
But for the moment, let's start simple with only one priv_level field.

Just to be clearer, the sgroup table is meant here to be used to separate
customers, i.e. if we have HP, Dell and IBM as customers, there will be for
example 4 groups: ALL, HP, Dell and IBM, each containing several hosts.
But if we have to manage firewalls and mail servers, then we could add 2
more groups FW and Mail that would contain all firewalls and mail servers
from each of our clients.
That way, an administrator can be given rights to manage only IBM
machines, or any mail servers but no firewalls.


I hope it's not too confusing; it seems I have problems explaining exactly
what I have in mind, but this can be summed up in two words: modularity and
granularity.

I'm going on vacation from tonight until the end of August, and I most
probably won't be able to connect to the internet during that time. I may be
able to read my mail during the three days right after the 16th, though, so
don't hesitate to ask questions.

David
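As an added example (not sshproxy's code, and not part of this thread), the six-step check described in the mail above written out in Python against an in-memory SQLite schema. Table and column names follow the mail where it names them (login, profile, site, user, sgroup, user.site_id, site.id, profile.priv_level, sgroup.priv_level); the login.profile_id column, the site_sgroup membership table, the salted PBKDF2 password hash and all sample hosts, users and levels are assumptions made here for the demonstration. Where a host sits in several site groups the mail does not say which group's level applies; this example takes the most demanding one, so a host that is in both ALL and FW requires the FW level.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed schema. Names follow the mail where it gives them; login.profile_id
# and the site_sgroup membership table are additions made for this example.
SCHEMA = """
CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                      priv_level INTEGER NOT NULL);
CREATE TABLE login   (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                      salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
                      profile_id INTEGER NOT NULL REFERENCES profile(id));
CREATE TABLE site    (id INTEGER PRIMARY KEY, hostname TEXT UNIQUE NOT NULL);
CREATE TABLE user    (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                      site_id INTEGER NOT NULL REFERENCES site(id),
                      UNIQUE (name, site_id));
CREATE TABLE sgroup  (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                      priv_level INTEGER NOT NULL);
CREATE TABLE site_sgroup (site_id INTEGER NOT NULL REFERENCES site(id),
                          sgroup_id INTEGER NOT NULL REFERENCES sgroup(id),
                          PRIMARY KEY (site_id, sgroup_id));
"""


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 (the mail only says 'the password must match')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: customer groups plus cross-cutting Mail/FW groups."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO profile(id, name, priv_level) VALUES (?, ?, ?)",
                    [(1, "operator", 1), (2, "admin", 3)])
    for name, pw, profile_id in [("bob", "bob-pw", 1), ("alice", "alice-pw", 2)]:
        salt = os.urandom(16)
        con.execute("INSERT INTO login(name, salt, pw_hash, profile_id) VALUES (?, ?, ?, ?)",
                    (name, salt, hash_password(pw, salt), profile_id))
    con.executemany("INSERT INTO site(id, hostname) VALUES (?, ?)",
                    [(1, "mail1.ibm.example"), (2, "fw1.hp.example"), (3, "orphan.example")])
    con.executemany("INSERT INTO user(name, site_id) VALUES (?, ?)",
                    [("root", 1), ("postfix", 1), ("root", 2), ("root", 3)])
    con.executemany("INSERT INTO sgroup(id, name, priv_level) VALUES (?, ?, ?)",
                    [(1, "ALL", 1), (2, "IBM", 1), (3, "HP", 1), (4, "Mail", 2), (5, "FW", 3)])
    # orphan.example is deliberately in no group, to exercise condition 5
    con.executemany("INSERT INTO site_sgroup(site_id, sgroup_id) VALUES (?, ?)",
                    [(1, 1), (1, 2), (1, 4), (2, 1), (2, 3), (2, 5)])
    con.commit()
    return con


def check_access(con, login_name, password, user_name, hostname):
    """Return (allowed, reason), walking the six conditions in the mail's order."""
    cur = con.cursor()
    # 1. a_login is in the login table and the password matches (constant-time compare)
    row = cur.execute("SELECT salt, pw_hash, profile_id FROM login WHERE name = ?",
                      (login_name,)).fetchone()
    if row is None:
        return False, "1: unknown login"
    salt, pw_hash, profile_id = row
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return False, "1: bad password"
    # 2. a_login belongs to a profile; its level is compared in step 6
    row = cur.execute("SELECT priv_level FROM profile WHERE id = ?", (profile_id,)).fetchone()
    if row is None:
        return False, "2: login has no profile"
    profile_level = row[0]
    # 3. a_host is in the site table
    row = cur.execute("SELECT id FROM site WHERE hostname = ?", (hostname,)).fetchone()
    if row is None:
        return False, "3: unknown host"
    site_id = row[0]
    # 4. a_user is in the user table with user.site_id = site.id
    if cur.execute("SELECT 1 FROM user WHERE name = ? AND site_id = ?",
                   (user_name, site_id)).fetchone() is None:
        return False, "4: user not defined on that host"
    # 5. a_host is in at least one sgroup; the required level is the highest one
    #    (interpretation chosen here, the mail leaves the multi-group case open)
    (required,) = cur.execute(
        "SELECT MAX(g.priv_level) FROM sgroup g "
        "JOIN site_sgroup m ON m.sgroup_id = g.id WHERE m.site_id = ?", (site_id,)).fetchone()
    if required is None:
        return False, "5: host belongs to no site group"
    # 6. profile.priv_level >= sgroup.priv_level
    if profile_level < required:
        return False, f"6: profile level {profile_level} below required {required}"
    return True, "ok"


if __name__ == "__main__":
    db = build_demo_db()
    for args in [("alice", "alice-pw", "root", "fw1.hp.example"),
                 ("bob", "bob-pw", "root", "mail1.ibm.example"),
                 ("alice", "alice-pw", "root", "orphan.example")]:
        print(args[0], "->", args[2] + "@" + args[3], check_access(db, *args))
```

Taking the highest group level matters once groups overlap: every host in the example is also in ALL (level 1), and if the lowest matching group were enough, an operator would reach the firewalls through ALL regardless of the FW level. Returning the failing condition number also gives the proxy a precise reason to log for each refusal.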
