summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-02-22 16:24:41 -0500
committerRob Crittenden <rcritten@redhat.com>2011-02-23 11:57:10 -0500
commitb5e43bb866392a70d775f31994f7e856972956b2 (patch)
treec6cf3ed4f6d0644deb0802d4d421814ad13ce89a /ipalib/plugins
parent388c9a1705bd3e6744ca996559cb4372c532056e (diff)
downloadfreeipa-b5e43bb866392a70d775f31994f7e856972956b2.tar.gz
freeipa-b5e43bb866392a70d775f31994f7e856972956b2.tar.xz
freeipa-b5e43bb866392a70d775f31994f7e856972956b2.zip
Make permission and privilege help text clearer
ticket 996
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/permission.py9
-rw-r--r--ipalib/plugins/privilege.py17
2 files changed, 18 insertions, 8 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 784b4dae5..db063334f 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -19,11 +19,12 @@
"""
Permissions
-A permission enables fine-grained delegation of permissions. Access Control
-Rules, or instructions (ACIs), grant permission to permissions to perform
-given tasks such as adding a user, modifying a group, etc.
+A permission enables fine-grained delegation of rights. A permission is
+a human-readable form of a 389-ds Access Control Rule, or instruction (ACI).
+A permission grants the right to perform a specific task such as adding a
+user, modifying a group, etc.
-A permission may not be members of other permissions.
+A permission may not contain other permissions.
* A permissions grants access to read, write, add or delete.
* A privilege combines similar permissions (for example all the permissions
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 0b451635e..3be466483 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -19,11 +19,20 @@
"""
Privileges
-A privilege enables fine-grained delegation of permissions. Access Control
-Rules, or instructions (ACIs), grant permission to privileges to perform
-given tasks such as adding a user, modifying a group, etc.
+A privilege combines permissions into a logical task. A permission provides
+the rights to do a single task. There are some IPA operations that require
+multiple permissions to succeed. A privilege is where permissions are
+combined in order to perform a specific task.
-A privilege may not be members of other privileges.
+For example, adding a user requires the following permissions:
+ * Creating a new user entry
+ * Resetting a user password
+ * Adding the new user to the default IPA users group
+
+Combining these three low-level tasks into a higher level task in the
+form of a privilege named "Add User" makes it easier to manage Roles.
+
+A privilege may not contain other privileges.
See role and permission for additional information.
"""