Hi Denis,

I think the current main suggestion is to add a new DB auth scheme, such as "auth: SSO-LIR no.foobar" that includes all the SSO accounts linked to the LIR except for Billing accounts.

Kind regards,
Cynthia Revström

On 2019-01-07 11:20, denis walker via db-wg wrote:
Hi Tore
Just to clarify a point here. Are you suggesting that for all LIRs, all listed LIR (non-billing) administrators should be able to manage all the LIR's database objects that will all be maintained by this one 'magic' MNTNER object as "mnt-by:", "mnt-lower:", "mnt-routes"?
If any of the 'all' in that statement don't apply then can we be clearer on the use case for this MNTNER object?
cheers
denis
co-chair DB-WG
------------------------------------------------------------------------
From: Tore Anderson via db-wg <db-wg@ripe.net>
To: Piotr Strzyzewski <Piotr.Strzyzewski@polsl.pl>
Cc: db-wg-chairs@ripe.net; Aleksi Suhonen <Aleksi.Suhonen@axu.tm>; db-wg@ripe.net
Sent: Monday, 7 January 2019, 10:25
Subject: Re: [db-wg] Idea: magic mntner for all LIR contacts
* Piotr Strzyzewski via db-wg
Look at this page https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items and start new NWI.
Thanks for the pointer!
Chairs (cc-ed), could we have an NWI for this?
Rough problem statement for the kickstart phase follows:
There is currently no way to automatically sync the «auth: SSO x@y» attributes for a maintainer object with the list of (non-billing) users associated with an LIR.
This leads to duplication of work (adding/removing newly hired/departed LIR administrators in two places).
Additionally, this increases the risk of unauthorised access, e.g., if an administrator has left an LIR but was only removed from the LIR portal, he might inappropriately retain access to manage database objects for the LIR in question.
It is therefore desirable to have a method to protect RIPE database objects so that they can be maintained by the list of (non-billing) user accounts currently associated with a specific LIR at any given time. That is, when a RIPE NCC Access account is removed from the LIR's user list, the database maintainer access should be automatically revoked for that account as well.
Tore
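The drift Tore's problem statement describes (a departed administrator still listed in "auth: SSO", a new one not yet added) can be checked for today by comparing a MNTNER object against the LIR's user list. The script below is an added example, not code from this thread or from the RIPE NCC; the MNTNER object, the LIR user list and the account names are constructed, and the "billing" role label is an assumption standing in for however the portal marks billing-only contacts.

```python
"""Reconcile a MNTNER object's "auth: SSO" entries against an LIR's current
(non-billing) RIPE NCC Access accounts and report stale and missing entries."""

# Constructed sample MNTNER object in RPSL format (hypothetical LIR and users).
MNTNER_OBJECT = """\
mntner:         EXAMPLE-LIR-MNT
descr:          Example LIR maintainer
upd-to:         noc@example.net
auth:           SSO alice@example.net
auth:           SSO bob@example.net
auth:           MD5-PW $1$placeholder$xxxxxxxxxxxxxxxxxxxxxx
mnt-by:         EXAMPLE-LIR-MNT
source:         RIPE
"""

# Constructed LIR portal user list as (account, role) pairs. The "billing"
# role is an assumed label; such contacts get no maintainer access, as in
# the proposed "SSO-LIR" scheme.
LIR_USERS = [
    ("alice@example.net", "admin"),
    ("carol@example.net", "admin"),
    ("finance@example.net", "billing"),
]


def parse_sso_auths(rpsl):
    """Return the set of accounts named by the object's "auth: SSO" attributes."""
    accounts = set()
    for line in rpsl.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() != "auth":
            continue
        scheme, _, arg = value.strip().partition(" ")
        if scheme.upper() == "SSO" and arg:        # skip MD5-PW, PGPKEY, ...
            accounts.add(arg.strip().lower())
    return accounts


def eligible_accounts(users):
    """Accounts that should hold maintainer access: every non-billing user."""
    return {acct.lower() for acct, role in users if role != "billing"}


def reconcile(rpsl, users):
    """'stale' entries are the unauthorised-access risk; 'missing' is the
    duplicated onboarding work."""
    current, wanted = parse_sso_auths(rpsl), eligible_accounts(users)
    return {"stale": current - wanted, "missing": wanted - current}


if __name__ == "__main__":
    for kind, accts in reconcile(MNTNER_OBJECT, LIR_USERS).items():
        print(f"{kind}: {sorted(accts)}")
```

Run against a real object and portal export, a non-empty "stale" set is the case where access should already have been revoked.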