× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. PCTECH
  3. September 2009

Re: Authorization list - or equivalent

On Thu, Sep 24, 2009 at 15:09, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx> wrote:
1) Is it a good practice to assign an account to multiple global groups?
Does that cause issues? ÂWe're a small company and people wear many hats.
For example, the office manager handles overflow calls to inside sales.
Should the office manager be placed in the Global Inside Sales group as well
as the Global Office group? ÂHow is the effective permission determined if
an account is in multiple groups with differing permissions? ÂMy guess is
that if ANY group has enough permission, the account gets in.

If you're running a company with less than 100 users, you will not
need to concern yourself with the performance of the permissions etc.
you implement, because it simply doesn't matter. In most cases, even
with 500 users you can't do anything that will impact performance - if
you're running current hardware.

Permissions are generally additive, with the exception of deny
permissions. Deny always comes before allow.

If you have a file with an two groups, one with an allow permissions
and the other with a deny permissions, and a user is member of both
these groups, deny will take precendence.

This is also not as bad and as important as it sounds - you will
usually not need deny permissions. They're great for the occasional
"special circumstance", but you shouldn't make them part of your
standard security concept.

3) From #2, "Joe" is also a member of upper corporate management, which
could/should be another global group. ÂIt seems to me accounts ought to be
in multiple global groups.

Usually, accounts are members of multiple global groups, yes. Unless
their job really just consists of doing one thing.

If you assign all the permissions with domain local groups, you'll be
able to mix and match the global groups until you have a scenario that
you like. In the end, do what is easy for you to grasp, understand,
document and implement.

4) How does "Administrator" apply here? ÂI'm certain that Administrator is
not put into every global group.

No, my approach is to give the Administrators group permissions on all
the files - directly on the ACL level, circumventing Active Directory.
Though this is not directly necessary - Administrators are able to
take ownership and reset permissions as needed.

I guess this issue (an account in multiple groups - yes or no) is an early
fork in the road for me. ÂIt will have great effect on how I proceed.

Yeah, definitively.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.