[db-wg] Idea: magic mntner for all LIR contacts
Cynthia Revström
me at cynthia.re
Mon Jan 7 11:27:34 CET 2019
Hi Denis,

I think the current main suggestion is to add a new DB auth scheme, such as "auth: SSO-LIR no.foobar" that includes all the SSO accounts linked to the LIR except for Billing accounts.

Kind regards,
Cynthia Revström

On 2019-01-07 11:20, denis walker via db-wg wrote:
> Hi Tore
>
> Just to clarify a point here. Are you suggesting that for all LIRs,
> all listed LIR (non-billing) administrators should be able to manage
> all the LIR's database objects that will all be maintained by this one
> 'magic' MNTNER object as "mnt-by:", "mnt-lower:", "mnt-routes"?
>
> If any of the 'all' in that statement don't apply then can we be
> clearer on the use case for this MNTNER object?
>
> cheers
> denis
> co-chair DB-WG
>
>
> ------------------------------------------------------------------------
> *From:* Tore Anderson via db-wg <db-wg at ripe.net>
> *To:* Piotr Strzyzewski <Piotr.Strzyzewski at polsl.pl>
> *Cc:* db-wg-chairs at ripe.net; Aleksi Suhonen <Aleksi.Suhonen at axu.tm>;
> db-wg at ripe.net
> *Sent:* Monday, 7 January 2019, 10:25
> *Subject:* Re: [db-wg] Idea: magic mntner for all LIR contacts
>
> * Piotr Strzyzewski via db-wg
>
> > Look at this page
> > https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items
> > and start new NWI.
>
> Thanks for the pointer!
>
> Chairs (cc-ed), could we have an NWI for this?
>
> Rough problem statement for the kickstart phase follows:
>
> There is currently no way to automatically sync the «auth: SSO x at y»
> attributes for a maintainer object with the list of (non-billing) users
> associated with an LIR.
>
> This leads to duplication of work (adding/removing newly hired/departed
> LIR administrators in two places).
>
> Additionally, this increases the risk of unauthorised access, e.g., if an
> administrator has left an LIR but was only removed from the LIR portal,
> he might inappropriately retain access to manage database objects for the
> LIR in question.
>
> It is therefore desirable to have a method to protect RIPE database
> objects so that they can be maintained by the list of (non-billing)
> user accounts currently associated with a specific LIR at any given
> time. That is, when a RIPE NCC Access account is removed from the LIR's
> user list, the database maintainer access should be automatically
> revoked for that account as well.
>
>
> Tore
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ripe.net/ripe/mail/archives/db-wg/attachments/20190107/b5107beb/attachment.html>
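
The drift described in the quoted problem statement (an account removed from the LIR's user list but still present in a maintainer's "auth: SSO" attributes) can be audited by hand. The following is an added example, not code from the thread or from RIPE NCC: it assumes the unfiltered RPSL text of the maintainer and a manually exported list of the LIR's non-billing users are available, and every name and address in it is constructed.

```python
# Added example: audit "auth: SSO" attributes against an LIR's user list.
# Assumptions: unfiltered RPSL text of the mntner and a hand-exported list of
# non-billing LIR users are available; e-mail matching is case-insensitive.
# All names and addresses below are constructed sample data.
SAMPLE_MNTNER = """\
mntner:         EXAMPLE-MNT
auth:           SSO alice@example.net
auth:           SSO Bob@Example.net
auth:           SSO carol@example.net   # constructed: departed administrator
auth:           MD5-PW $1$constructed$hash
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""
SAMPLE_LIR_USERS = ["alice@example.net", "bob@example.net", "dave@example.net"]


def parse_auth(rpsl_text):
    """Return (set of SSO accounts, list of other auth schemes) for one object."""
    sso, other = set(), []
    for line in rpsl_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "auth":
            continue
        value = value.split("#", 1)[0].strip()  # drop end-of-line comment
        scheme, _, credential = value.partition(" ")
        if scheme.upper() == "SSO":
            sso.add(credential.strip().lower())
        else:
            other.append(scheme.upper())
    return sso, other


def audit(rpsl_text, lir_users):
    """Compare the maintainer's SSO accounts with the LIR's current users."""
    sso, other = parse_auth(rpsl_text)
    users = {u.strip().lower() for u in lir_users}
    return {
        "stale": sorted(sso - users),    # still able to edit, no longer in the LIR
        "missing": sorted(users - sso),  # in the LIR, cannot maintain objects
        "non_sso_auth": other,           # credentials outside the SSO account list
    }


if __name__ == "__main__":
    for finding, values in audit(SAMPLE_MNTNER, SAMPLE_LIR_USERS).items():
        print(f"{finding}: {values}")
```

Non-SSO credentials are reported separately because removing a person's SSO account does not revoke a shared password they may still know.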