1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-discuss] Membership handling ( was: Leave )
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Membership%20handling%20%28%20was%3A%20Leave%20%29&In-Reply-To=%3C201103072038.03947.maarten.vanraes%40gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="003914.html">
<LINK REL="Next" HREF="003920.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-discuss] Membership handling ( was: Leave )</H1>
<B>Maarten Vanraes</B>
<A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Membership%20handling%20%28%20was%3A%20Leave%20%29&In-Reply-To=%3C201103072038.03947.maarten.vanraes%40gmail.com%3E"
TITLE="[Mageia-discuss] Membership handling ( was: Leave )">maarten.vanraes at gmail.com
</A><BR>
<I>Mon Mar 7 20:38:03 CET 2011</I>
<P><UL>
<LI>Previous message: <A HREF="003914.html">[Mageia-discuss] Membership handling ( was: Leave )
</A></li>
<LI>Next message: <A HREF="003920.html">[Mageia-discuss] test xorg
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#3921">[ date ]</a>
<a href="thread.html#3921">[ thread ]</a>
<a href="subject.html#3921">[ subject ]</a>
<a href="author.html#3921">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Op maandag 07 maart 2011 12:34:57 schreef Michael Scherer:
><i> On Mon, 7 Mar 2011 12:14:49 +0100, Wolfgang Bornath wrote:
</I>><i> > 2011/3/7 Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-discuss">misc at zarb.org</A>>:
</I>><i> >> This bring the question of account management, ie what should
</I>><i> >> we do with a account that is explicitely dropped ?
</I>><i> >>
</I>><i> >> Ie :
</I>><i> >> - disable fully
</I>><i> >> - leave it as it is now and :
</I>><i> >> - disable later
</I>><i> >> - leave forever usable
</I>><i> >> - disable partially ( ie remove from sensitives groups ( and so
</I>><i> >> define
</I>><i> >> what group is sensitive ))
</I>><i> >>
</I>><i> >> So what about last proposal ( remove from sensitive group ) and
</I>><i> >> disable
</I>><i> >> account
</I>><i> >> in 6 months / 1 year ?
</I>><i> >
</I>><i> > +1
</I>><i> >
</I>><i> > We've seen it quite often that people re-discover old interests,
</I>><i> > hobbies, ex-wives, etc. So, a "sleep time" of 1 year is a good
</I>><i> > solution.
</I>><i> >
</I>><i> > next thing is to define which are "sensitive groups / access
</I>><i> > permissions".
</I>><i>
</I>><i> Depend on the havoc that could be done by someone stealing a unused
</I>><i> account.
</I>><i>
</I>><i> Someone posting on the forum under a false name will generate lots of
</I>><i> drama,
</I>><i> but nothing critical. The same goes for bugzilla, or any ml.
</I>><i> Now, someone moderating a forum and wrecking havoc would be
</I>><i> more problematic. The same goes for svn/git/packages/translation/etc.
</I>><i>
</I>><i> Maybe it is simple to remove membership from all group, except those
</I>><i> seen as
</I>><i> unsensitive ? ( ie, everything except default users group ).
</I>><i>
</I>><i> We also need to see when do we remove such access. IE, if someone after
</I>><i> X months
</I>><i> decide to find interest into doing stuff that requires Y privileges,
</I>><i> what should happen ?
</I>><i>
</I>><i> - let him do it without asking ( keep Y privileges )
</I>><i> - need to ask to have his privileges back
</I>><i> - need to redo the whole system from start ?
</I>><i>
</I>><i> I guess that depending on X and Y, of course, and so we need to have
</I>><i> first a list
</I>><i> of Y.
</I>><i>
</I>><i> Let's try with that :
</I>><i> - commit to developper svn
</I>><i> - commit to packages svn
</I>><i> - submit packages
</I>><i> - commit to web svn
</I>><i> - modifiy ldap
</I>><i> - do sysadmin stuff ( log everywhere, touch to config )
</I>><i> - planet subscription
</I>><i> ( insert bugzilla stuff )
</I>><i> ( insert blog privs )
</I>><i> ( insert i18n stuff )
</I>><i> ( insert forums stuff )
</I>><i> ( isert missing stuff )
</I>><i>
</I>><i> I assume that we can all agree that a leader/deputy/board member
</I>><i> resiging will have
</I>><i> board/leader/deputy access removed.
</I>
[...]
perhaps the user can just opt-out in identity, which could result in:
- removal of userPassword attribute, effectively disabling login
- and setting a disabled flag in LDAP, which could be taking into account in
each application.
- removal of membership in groups is also an idea. but we'd have to find out
if there is no "accountability from the past" issue.
this would have the benefit of rejoining at a later time AND the accountability
from the past of stuff doesn't disappear.
eg: suppose appl X logs what user Y does, and does so with the LDAP reference.
if the ldap entry really is deleted, stuff might go wrong.
just an idea.
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="003914.html">[Mageia-discuss] Membership handling ( was: Leave )
</A></li>
<LI>Next message: <A HREF="003920.html">[Mageia-discuss] test xorg
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#3921">[ date ]</a>
<a href="thread.html#3921">[ thread ]</a>
<a href="subject.html#3921">[ subject ]</a>
<a href="author.html#3921">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss
mailing list</a><br>
</body></html>
|
