Re: Resuming UAA work


Dmitriy Kalinin
 

I've updated https://github.com/cloudfoundry/bosh-notes/blob/master/uaa.md
to list out planned viewable resources by read-only users.

By far the biggest authorization requirement we get from our security
teams is being able to provide a level of "admin" access that can perform
most functions but can't access credentials and sensitive information.

What kind of "admin" access do you think should be provided?





On Wed, Jun 3, 2015 at 8:07 AM, dehringer <david.ehringer(a)gmail.com> wrote:

What are some of the functions that a read-only user scope would be able to
perform? I really like the idea of a read-only scope but it seems like today
there are only a few functions that aren't intended to modify the state of
the system or indirectly can allow for modification of the system (e.g. bosh
ssh/scp).

By far the biggest authorization requirement we get from our security teams
is being able to provide a level of "admin" access that can perform most
functions but can't access credentials and sensitive information. Simply
hooking in UAA obviously doesn't help with this as this is deeply related to
how deployment manifests work in general. But I mention it because this is
the type of authorization and access control requirements our security teams
are providing.



--
View this message in context:
http://cf-bosh.70367.x6.nabble.com/cf-bosh-Resuming-UAA-work-tp75p116.html
Sent from the CF BOSH mailing list archive at Nabble.com.