× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. PCTECH
  3. September 2009

Re: Authorization list - or equivalent

I've done some googling and reading on AGDLP ("All Good Dogs Love People"
<g>) and have some questions that I didn't find much on. These are all on
security groups, not distribution groups.

1) Is it a good practice to assign an account to multiple global groups?
Does that cause issues? We're a small company and people wear many hats.
For example, the office manager handles overflow calls to inside sales.
Should the office manager be placed in the Global Inside Sales group as well
as the Global Office group? How is the effective permission determined if
an account is in multiple groups with differing permissions? My guess is
that if ANY group has enough permission, the account gets in.

2) Along the same line, what if the manager of a department is to have
differing permissions than the rest of the department? For example, "Joe"
is the buying department manager. Would I put him in the "Global Buying"
group as well as the "Global Buying Management" group? Or do I set up the
following 3 global groups: "Global Buying Users", "Global Buying
Management", and make both of those global groups members of "Global Buying
All", a 3rd global group? And these global groups would be replicated to
domain local groups. Then what happens if you give all 3 of these global
groups different access to a specific resource? This could get ugly.

3) From #2, "Joe" is also a member of upper corporate management, which
could/should be another global group. It seems to me accounts ought to be
in multiple global groups.

4) How does "Administrator" apply here? I'm certain that Administrator is
not put into every global group.


I guess this issue (an account in multiple groups - yes or no) is an early
fork in the road for me. It will have great effect on how I proceed.

Thanks for any pointers.



On Wed, Sep 23, 2009 at 4:21 PM, Lukas Beeler <lukas.beeler@xxxxxxxxxxxxxxxx
wrote:

On Wed, Sep 23, 2009 at 22:02, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx>
wrote:
On the i I've always secured these with authorization lists (I love
authorization lists). I don't think Windows has the equivalent of
authorization lists. Is setting up Groups and assigning users to Groups
the
generally accepted, correct way to do this in Windows?

A G DL P
http://en.wikipedia.org/wiki/AGDLP

Accounts Global DomainLocal Permissions

Basically, you use multiple Domain Local Groups to effectively set
permissions on files or folders. For each type of permission, you need
a single group. Then, Global Groups are members of the Domain Local
Groups (group nesting). Finally, the user account objects are members
in the Global Groups.

You can also add universal groups, but there's no need for that unless
you have multiple domains and thousands of users.

--
Read my blog at http://projectdream.org
--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.





As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.