LNI

1. Infrastructure

1.1 Generic hierarchy

1.2 Generic roles

*.sysadmin	login and unrestricted root privileges
*.staff	login and limited privileges (`sudo service`, accessing logs)
*.community	login

1.3 Specific roles

*.admin	login and unrestricted root privileges
*.users	login and limited privileges (`sudo apt`, `sudo service`, accessing logs, trigger deployments)

1.4 Examples

2. Permissions

2.1 Generic hierarchy

2.2 Examples

2.3 Specific roles

*.access	can use application or service
*.admin	SSP: can see other peoples pages
*.read	can read anything within the Ceph share
*.write	can read, write and delete anything within the Ceph share
*.users	OpenStack: can manage all ressources within the OpenStack project SSP: can request ressources through SSP

3. Notes

For services operated by LNI, there are no special cases or legacy issues to be aware of.

Services not operated by LNI, i.e. we provide PaaS only, do not use this structure (e.g. IDM).

Maximum total lenght of groups is 64 characters for compatibility with Microsoft Active Directory.

Group naming

1. Infrastructure

1.1 Generic hierarchy

1.2 Generic roles

1.3 Specific roles

1.4 Examples

2. Permissions

2.1 Generic hierarchy

2.2 Examples

2.3 Specific roles

3. Notes