Roles as Groups


It would be great if we can use roles as posix groups.

Of course, you can code your application to use roles, but there are really a lot of good applications, which where coded already (like padl nss_ldap and pam_ldap, or samba) which where coded using RFC2307/RFC2307bis as a reference and which are really not trivial to modify. Not to mention few applications that are close source and you cannot modify it at all…

Why using roles as groups would be useful? Because you can model complex permissions and even whole administration of you system using almost exclusively fds roles. For example:

Let’s assume you have samba share, which should be accessed by many different people/groups in your enterprise. You are told to let all accountants access this share with read permission, allow finance manager read-write permission, but additionally - allow audit people read permission as well. You can attack problem in many ways, but let’s try to do this using some kind of role-based management:

This design is very useful. It allows you very easily:

Ok, I agree - this seems like a lot of work to just give somebody access to one samba share :) But what if you have 500 shares? On 100 servers? Or maybe you have dozens of datashare resources, but each consist of 4-5 different directories on different servers, but you need to manage it consistently, as whole?

To do this we need two elements:

Unnesting roles into groups? Possibilities

really dynamic groups?

One idea is to use dynamic group. So for each role which should be available as flat, posix group, you define dynamic group. Ie.: X_ACL_DataShare_Read_Posix - or whatever :). Then you define memberurl as something like:


The whole idea would be to write plugin, which would do this search in behalf of client and return results as nice collection of member attributes (uniq members of course :).



extend roles?

Another idea is to modify roles plugin so it allows you to query for role members using member attribute of role itself.



do it in application?

You can write your own gui (ie.: web app), which will do the changes as they occur. You could then just use posix groups. Idea itself is quite simple:

After that you have just flat, static groups, but updated to reflect changes and nesting you did.



use nss_ldap nested groups? or generally - client side processing

Yes, nss_ldap should support nested groups. But at least where I tested it (Ubuntu 8.04) this function was disabled - or I just don’t know how to use it :(



something else?

well? :)

isn’t that idea evil? ;)

Well yes :) I’ve got it from one of the windows administration books. Why? Well, what I’m trying to do is to develop kind of Active Directory system without Active Directory :) I know it seems to be crazy, but when you have money issues, it’s where creativity starts to count :)

But idea itself - role-based management - seems very appealing, not only for Microsoft based networks, but for linux management too. There are just few tools missing :)

other uses of roles, or acl?

Of course there are other uses :)

installing applications

Ie.:I write scripts for now is software management on windows machines. Just use great tool for this, wpkg, few scripts, and directory. For example let’s assume you are going to install on all computers in Accounting department, so:

What is cool about this is that you can with ease delegate permissions to manage applications on computers - proper acl and directory manage this for you!

IF we would be able to get all member of particular role (including all nesting) as posix group - we could take this further. Ie.: because in Accounting group you have not only computers, but normal users as well, and it’s nested in X_APP_Openoffice.org_Win32, then if you assign permissions to X_APP_Openoffice.org_Win32 group to read installs (possible with another nesting), then all accountants read have access to openoffice installs, and could do it themselves. Why to do that? Openoffice isn’t good example, but if you have some accounting application, which need a lot customization during install, who only accountant now how to do - then it have more sense. You could also create another roles for people, who prepare packages for wpkg - and give then rw access to directories with those packages only… Well - possibilities are countless :)


Ok, next script could generate nagios configuration for you based on directory and roles configuration. You have computers as user accounts in directory, so:

unix management

Well - use puppet to manage your unix boxes :) And then the same idea again - capability role is X_PUPPET_SomePuppetClass and then you nest roles with hosts into it. Ie.: X_PUPPET_MonitoringServer. And use external_nodes in puppet to extract classes directly form host entry in ldap, using nsRole.


Well, conclusion is: in my opinion roles (esp. nested roles) are really great feature, and would be even greater, if could be used as posixGroup.

Last modified on 7 August 2014