Well, i'm running mostly servers with oracle databases and NFS clusters on ldoms, so no users (except DBA and system engineers) are using it.
Everything is kerberized and being logged on domain controllers.
Nothing has access to hypervisors except people who are trusted (a few).
As for access to users for various filesystems, can be accomplished safely with ACL's or chroot (built in ssh is nice), not compromising security.
On development / test systems i tend to relax things a bit and let people monitor how things work.
Production is and should deterministic e.g. you will not have performance problems if you tested everything before on same configuration.
Unfortunately, today practice is to have various tools monitoring everything, since code is being hyper produced and pushed into production with less and less testing resulting in production machines being brought to its knees.
Sorry for the offtopic, we should stop now, if you want to debate my PM is open