|This article is under construction.|
Access control in FreeIPA
Read permissions for normal users do not harm
When work on IPA started most of the information stored was needed without authentication by machines, it was all (NIS maps equivalent data).
Later more functionality that falls into a grey area where it could be restricted was added. It was decided on a case by case basis, but by default it was not restricted because we do not believe in security through obscurity or because the information was still easily available if someone escalated privileges on any single client.
- FreeIPA components should have least possible privilege. When possible, user-facing components should use delegation and operate using user's credentials (to limit attack surface).