Here is a user story:
I have several groups of developers that will be using resources from a pool. Each group will have its own set of Kerberized services to manage and deploy. I want developers to be able to create, modify, delete or provision/deploy the services they are appointed to manage, but not be able to modify other services that belong to other groups or that constitute the production environment, which none of those groups should be able to touch.
Thoughts on implementation:
Services are structured per host, and in our default ACIs we allow the host to manage all of its services. If per-service management is needed, then service groups need to be added that will span services across hosts. We have the infrastructure for that (the managedBy attribute is multi-valued, and the ipaService object class can carry a managedBy attribute), so the question is to provide a plugin that handles these managedBy assignments according to some groups and then to create group-based permissions/privileges/roles.
Apart from the relatively simple plugin to allow manipulating managedBy on the ipaService object, the rest is there.
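To make the proposed scheme concrete, here is an added model of the access decision it implies. This is example code written for this ticket, not FreeIPA's plugin or ACI code: directory entries are plain dicts standing in for LDAP objects, the DN layout and the sample hosts, users and groups are assumptions, and the convention that a group DN may appear in a service's multi-valued managedBy alongside the host DN is the hypothetical plugin behaviour the ticket asks for. Rule (a) reproduces the default ACI (a host manages services whose managedBy lists it); rule (b) is the group-based check that the new permission/privilege/role would have to express.

```python
"""Model of per-group service management via managedBy (added example, not FreeIPA code)."""

# Assumed base DN; the container names follow the usual FreeIPA layout.
BASE = "dc=example,dc=test"


def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{BASE}"


def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{BASE}"


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE}"


def service_dn(principal):
    return f"krbprincipalname={principal},cn=services,cn=accounts,{BASE}"


# Constructed sample directory (hypothetical data, not taken from any deployment).
# Group membership is kept flat here; a real deployment would rely on memberOf
# and nested groups, which this toy model does not expand.
DIRECTORY = {
    group_dn("team-a"): {"member": [user_dn("alice")]},
    group_dn("team-b"): {"member": [user_dn("bob")]},
    # team-a's services live on two hosts: managedBy is multi-valued, so the
    # host DN (default ACI) and the group DN (assumed plugin behaviour) coexist.
    service_dn("HTTP/web1.example.test@EXAMPLE.TEST"): {
        "objectclass": ["ipaService", "krbPrincipal"],
        "managedBy": [host_dn("web1.example.test"), group_dn("team-a")],
    },
    service_dn("HTTP/web2.example.test@EXAMPLE.TEST"): {
        "objectclass": ["ipaService", "krbPrincipal"],
        "managedBy": [host_dn("web2.example.test"), group_dn("team-a")],
    },
    service_dn("ldap/db1.example.test@EXAMPLE.TEST"): {
        "objectclass": ["ipaService", "krbPrincipal"],
        "managedBy": [host_dn("db1.example.test"), group_dn("team-b")],
    },
    # Production service: only its own host is in managedBy, no developer group.
    service_dn("HTTP/prod1.example.test@EXAMPLE.TEST"): {
        "objectclass": ["ipaService", "krbPrincipal"],
        "managedBy": [host_dn("prod1.example.test")],
    },
}


def can_manage(bind_dn, service_principal, directory=DIRECTORY):
    """Return True if the bound identity may modify the given service entry.

    (a) default ACI: the bound host may manage a service whose managedBy lists it;
    (b) group-based: a user may manage a service if some managedBy value is a
        group that lists the user as a member (the assumed plugin/permission).
    Anything else, including production services with no group, is denied.
    """
    svc = directory.get(service_dn(service_principal))
    if svc is None:
        return False
    managed_by = svc.get("managedBy", [])

    # (a) direct match: the bind DN itself appears in managedBy (host case).
    if bind_dn in managed_by:
        return True

    # (b) indirect match: a managedBy value names a group containing the bind DN.
    for dn in managed_by:
        entry = directory.get(dn)
        if entry is not None and bind_dn in entry.get("member", []):
            return True
    return False


def access_matrix(directory=DIRECTORY):
    """Evaluate every user and host against every service; used to eyeball the policy."""
    principals = [
        user_dn("alice"),
        user_dn("bob"),
        host_dn("web1.example.test"),
        host_dn("prod1.example.test"),
    ]
    services = [
        dn.split(",", 1)[0].split("=", 1)[1]
        for dn, entry in directory.items()
        if "ipaService" in entry.get("objectclass", [])
    ]
    return {(p, s): can_manage(p, s, directory) for p in principals for s in services}


if __name__ == "__main__":
    for (principal, service), allowed in sorted(access_matrix().items()):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {principal.split(',')[0]:>30} -> {service}")
```

The point the model makes is that the production boundary falls out of the data rather than of extra rules: a service whose managedBy carries only its host DN is untouchable by every developer group, while the same attribute, once the plugin can also place a group DN in it, selects exactly which group may manage a service that spans hosts.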
Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: Future Releases