Comment 2 for bug 1816160

Lance Bragstad (lbragstad) wrote:

Context from the blueprint, while it was still active:

(lbragstad) 19-02-13: This could be resolved with proper scope checking and the use of default roles, which were introduced in Rocky. The approach would safely protect the mapping API and allow domain users access to it. Additional validation should be done to make sure domain administrators are only accessing domains or identity providers they have authorization on. Also, the alternative solution proposed in review [0] might not be a silver bullet for this problem. I can imagine certain deployments might want to delegate mapping operations directly to domain administrators, which makes the API more self-service since domain users don't need to request system administrators to make mapping changes on their behalf. Colleen and I talked about this in IRC and agreed this might make sense to keep in discussion [1].

[0] https://review.openstack.org/#/c/324055/
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-02-13.log.html#t2019-02-13T14:31:14
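The scope-and-role check described in the comment above, as an added example that is not part of the bug thread and not keystone's own policy code. It models the Rocky default roles (admin implies member implies reader), distinguishes system-scoped from domain-scoped tokens, and adds the extra validation the comment asks for: a domain administrator may only act on mapping resources belonging to their own domain. The policy action names are keystone's real `identity:*_mapping` names; the `domain_id` attribute on the mapping and the `Token`/`Mapping` classes are assumptions made for the illustration (keystone mappings were not domain-owned at the time), standing in for "domains or identity providers they have authorization on".

```python
"""Illustrative scope + default-role check for federation mapping operations.

Hypothetical model, not oslo.policy: the point is that role alone is not
enough; the token scope and the resource's owning domain must also match.
"""
from dataclasses import dataclass
from typing import List, Optional

# Rocky default roles; "admin" implies "member" implies "reader".
ROLE_IMPLIES = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

# Real keystone policy action names for the mapping API.
READ_ACTIONS = {"identity:get_mapping", "identity:list_mappings"}
WRITE_ACTIONS = {"identity:create_mapping", "identity:update_mapping",
                 "identity:delete_mapping"}


@dataclass(frozen=True)
class Token:
    roles: frozenset
    scope: str                      # "system", "domain" or "project"
    domain_id: Optional[str] = None  # set only for domain-scoped tokens


@dataclass(frozen=True)
class Mapping:
    id: str
    domain_id: str  # assumption: each mapping is owned by one domain


def effective_roles(token: Token) -> set:
    """Expand assigned roles through the implied-role chain."""
    out = set()
    for role in token.roles:
        out |= ROLE_IMPLIES.get(role, {role})
    return out


def is_authorized(token: Token, action: str,
                  target_domain_id: Optional[str] = None) -> bool:
    """Scope check first, then role check, then domain ownership.

    target_domain_id is the owning domain of the mapping being touched (or
    the requested domain on create). It is None only for list, which is
    filtered per-domain by list_mappings() below.
    """
    if action not in READ_ACTIONS | WRITE_ACTIONS:
        return False  # unknown action: deny by default
    needed = "reader" if action in READ_ACTIONS else "admin"
    if needed not in effective_roles(token):
        return False
    if token.scope == "system":
        return True  # system scope: any mapping in the deployment
    if token.scope == "domain":
        if target_domain_id is None:
            return action == "identity:list_mappings"
        # the extra validation from the comment: own domain only
        return token.domain_id == target_domain_id
    return False  # project-scoped tokens never reach the mapping API


def list_mappings(token: Token, mappings: List[Mapping]) -> List[Mapping]:
    """Return only the mappings the caller is allowed to see."""
    if not is_authorized(token, "identity:list_mappings"):
        raise PermissionError("identity:list_mappings denied")
    if token.scope == "system":
        return list(mappings)
    return [m for m in mappings if m.domain_id == token.domain_id]


# Constructed sample data for a stand-alone run.
MAPPINGS = [Mapping("m1", "d1"), Mapping("m2", "d2")]
SYSTEM_ADMIN = Token(frozenset({"admin"}), "system")
SYSTEM_READER = Token(frozenset({"reader"}), "system")
DOMAIN_ADMIN_D1 = Token(frozenset({"admin"}), "domain", "d1")
DOMAIN_MEMBER_D1 = Token(frozenset({"member"}), "domain", "d1")
PROJECT_ADMIN = Token(frozenset({"admin"}), "project")

if __name__ == "__main__":
    for tok in (SYSTEM_ADMIN, DOMAIN_ADMIN_D1):
        print(tok.scope, [m.id for m in list_mappings(tok, MAPPINGS)])
    print("d1 admin edits d2:",
          is_authorized(DOMAIN_ADMIN_D1, "identity:update_mapping", "d2"))
```

Running it shows the system admin listing both mappings, the d1 domain admin seeing only `m1`, and the cross-domain update denied. The ordering inside `is_authorized` is the design point: checking the role before the scope would let a project-scoped admin through, which is exactly the class of over-broad "admin" check that scope types were introduced to close.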