Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to handle build user access/permissions?
Top Forums UNIX for Advanced & Expert Users How to handle build user access/permissions? Post 303012320 by bakunin on Friday 2nd of February 2018 05:51:04 AM
Old 02-02-2018
Here are some general considerations/suggestions. To be more specific is too much dependant on the specific setting in your shop which is hard to appreciate from afar.

First, identify all the necessary roles and what they need to be allowed. You have already started that but you need that in more detail. Do not only define one role ("srv_user") but also the other roles necessary: i.e. "tester", "admin", ...

Only then sort through these specifications and see where they are different. i.e.:

Basic role "user": right1, right2, right3
Role "tester": like "user", but also right4, right5
Role "srv_user": like "tester" plus right6, right7, right8
etc..

This will give you a basic layout for a group hierarchy and which right should go to which group.

A few caveats: it is quite modern to use "ACLs" instead of classic UNIX privileges. This is a great way of getting yourself into deep kimchi beyond all means of maintenance. Experience shows that you end up (usually more sooner than later) with a heap of rights without any structure and no one knows or understands what is going on. Avoid that at all cost, even if it might appeal to you at first. In the long run it tends to be more a problem than a solution. A good (long-term!) solution is not one that does what you want but one that is also easy to understand and painless to maintain.

Have a look at "sudo", but do NOT overuse it! It is often possible to make up for planning deficiencies by overusage of a tool. In practically all cases this is a very bad idea in the long run. If an implementation looks cumbersome rather plan better than undergo the effort of the implementation.

I hope this helps.

bakunin
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

root access on sun os and permissions

Currently have root access to our own boxes on site. HQ wants to take root access away from us. What does root access provide that is unavailable for users as it is essential for us to keep local control. We log in as users but have su for special needs. On all other os boxes we have admin... (2 Replies)
Discussion started by: allinone
2 Replies

2. AIX

Strange error with file access permissions

All, I am trying to copy some data from /admin/reports/Sept/ccn/c_ivsstr01 to /home/users/myhomedir and I am getting an error I have never seen before: The file access permissions do not allow the specified action. The permissions on the file are -rw-r--r-- and I am the owner of the file... (3 Replies)
Discussion started by: kjbaumann
3 Replies

3. UNIX for Dummies Questions & Answers

Side-Effect of write access permissions for a subdirectory

Hi Unix Gurus, I'm a newbie to unix and need some help from you. I'm going to give full access (777) to a subdirectory to an FTP account. Let's say the subdirectory is /usr/local/dir1/dir2/dir3 There are files in dir1, say a.txt b.cfg c.xml Will this account be able to access... (3 Replies)
Discussion started by: xinu299
3 Replies

4. UNIX for Dummies Questions & Answers

Setting permissions and restricting access

Hi all, I have user called "Z". The home directory is /home/Z. I have another directory /home/Z/OP. Within /home/Z/OP, i have 2 directories /home/Z/OP/OP1 and /home/Z/OP2. I want to restrict access for Z to only access /home/Z/OP and /home/Z/OP1 and /home/Z/OP2. What kind of... (4 Replies)
Discussion started by: new2ss
4 Replies

5. Shell Programming and Scripting

script to change the access permissions of the files

Hi, I want to change the access permissions of the files whose extension is same.For example *.c but these are inside a directory and inside that other directory is there and it contains the .c files..for example-- So my aim is to search the files under src and change the access permissions... (3 Replies)
Discussion started by: smartgupta
3 Replies

6. Solaris

user permissions

hi i want to display the usernames,usergroups user permissions and user home directory's with in a single command.and possibities are their for getting this output .. (9 Replies)
Discussion started by: tv.praveenkumar
9 Replies

7. UNIX for Advanced & Expert Users

file access permissions

Hi everybody, following is the scenario; OS HP UX 11.23 two users: # id bodi uid=109(bodi) gid=20(users) groups=1(other),2(bin),3(sys),106(oinstall) # id ossmed uid=121(ossmed) gid=20(users) umask 077 directory name /home/mydir directory permissions drwxrwxrwx requirement: to... (1 Reply)
Discussion started by: ajays
1 Replies

8. OS X (Apple)

Change access permissions

I purchased a 2TB hard drive, split it into two partitions, and formatted it as NTFS. I want to use the drive on my pc and my mac. How can I change the access permissions so Mac OS 10.4.11 will let me write to the drive? I tried this: $ chmod +a "admin allow write" /volumes/V2_Mac chmod:... (3 Replies)
Discussion started by: Me&MyMac
3 Replies

9. Linux

Permissions and access to data

Hi Operating system Red Hat Enterprise 5.8, Data access Mac/PC environment on various OS levels. Access via smb I am trying to set up a data shared area where a user group can read and write to its own directory, but can only write to another groups directory. Example: I have set up two... (1 Reply)
Discussion started by: treds
1 Replies

10. UNIX for Dummies Questions & Answers

Access permissions chmod 606

Hi All I am running Ubuntu linux flavour. I need provide multiple users belonging to the same group access to a dir where they can write files but are not supposed to remove or rename files. users outside the group should be able to read and write to the dir. i have set the permission of... (7 Replies)
Discussion started by: Simza
7 Replies

LEARN ABOUT CENTOS

roles

roles(1)							   User Commands							  roles(1)

NAME

       roles - print roles granted to a user

SYNOPSIS

       roles [ user ...]

DESCRIPTION

       The  command  roles  prints  on	standard  output  the roles that you or the optionally-specified user have been granted. Roles are special
       accounts that correspond to a functional responsibility rather than to an actual person (referred to as a normal user).

       Each user may have zero or more roles. Roles have most of the attributes of normal users and are identified like normal users in  passwd(4)
       and  shadow(4). Each role must have an entry in the user_attr(4) file that identifies it as a role. Roles can have their own authorizations
       and profiles. See auths(1) and profiles(1).

       Roles are not allowed to log into a system as a primary user. Instead, a user must log in as him-- or herself  and  assume  the	role.  The
       actions of a role are attributable to the normal user. When auditing is enabled, the audited events of the role contain the audit ID of the
       original user who assumed the role.

       A role may not assume itself or any other role. Roles are not hierarchical. However, rights profiles (see  prof_attr(4))  are  hierarchical
       and can be used to achieve the same effect as hierarchical roles.

       Roles must have valid passwords and one of the shells that interprets profiles: either pfcsh, pfksh, or pfsh. See pfexec(1).

       Role assumption may be performed using su(1M), rlogin(1), or some other service that supports the PAM_RUSER variable. Successful assumption
       requires knowledge of the role's password and membership in the role. Role assignments are specified in user_attr(4).

EXAMPLES

       Example 1: Sample output

       The output of the roles command has the following form:

       example% roles tester01 tester02
       tester01 : admin
       tester02 : secadmin, root
       example%

EXIT STATUS

       The following exit values are returned:

       0	Successful completion.

       1	An error occurred.

FILES

       /etc/user_attr

       /etc/security/auth_attr

       /etc/security/prof_attr

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       auths(1), pfexec(1), profiles(1), rlogin(1), su(1M), getauusernam(3BSM), auth_attr(4), passwd(4),  prof_attr(4),  shadow(4),  user_attr(4),
       attributes(5)

SunOS 5.10							    14 Feb 2001 							  roles(1)
All times are GMT -4. The time now is 07:32 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy