On Friday 28 February 2003 21.26, Scott Wrosch wrote:
> Not likely to happen, but I'm going to try again. He seems to
> think that it's one more thing that could go wrong. But, if I let
> him do the maintaining of the proxy, I could make him see the error
> of his ways. Especially considering we have temps coming in and out
> all the time who have various access needs. It's definitely nice
> to see though that I'm not the only one who is thinking that way.

It is just groups dammit..

Fact: The list of usernames needs to be stored somewhere.

Fact: One more group in the domain does not make any conflicts, as
long as it is named with a name that guarantees there is no need to
create another group with the exact same name but another purpose.

Fact: If the groups are in the domain, then it becomes immediately
obvious which rights a given user has simply by looking at the group
memberships for that user with the normal administrative tools used
to assign rights to that user.

Fact: By having the groups in the domain you do not risk forgetting to
remove privileges for the user when deleting the account. If separate,
then "forgotten" rights may be inherited by another user if he has
the same username as a previous user..

Fact: If the proxy groups are defined in a separate system, then two
tools need to be used on two different systems to determine which
rights the user has or not.

Fact: Groups defined by files on the proxy are by far not as visible as
the domain groups, and you will not at all get the same overview, as
you must manually search each individual group to determine which
groups the user is a member of (there is of course the grep command, but
keep that to yourself B)

Regards
Henrik

Received on Fri Feb 28 2003 - 16:28:20 MST
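
The last two points of the reply, as an added example that is not part of the original thread: a shell sketch that does the grep-style membership lookup across proxy-side group files and also lists entries left behind for accounts that no longer exist. The one-username-per-line file layout, the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Assumed layout (not from the original post): every file in a group directory
# is one proxy group with one username per line; the account list is a file
# with one live domain username per line.

# groups_of USER DIR: print each group file that lists USER as a whole line.
groups_of() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        # -x whole line, -F literal: "bob" must not match "bobby"
        if grep -qxF -e "$1" "$f"; then basename "$f"; fi
    done
}

# orphans DIR ACCOUNTS: print "group:user" for entries with no live account,
# i.e. rights a later user with the same name would silently inherit.
orphans() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # -v with -f: keep only lines that match no name in the account list
        grep -vxF -f "$2" "$f" | awk -v g="$(basename "$f")" 'NF { print g ":" $0 }'
    done
}

# Constructed sample data: temp1 was deleted from the domain but not the proxy.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/groups"
    printf '%s\n' alice bob temp1 > "$d/groups/web_full"
    printf '%s\n' alice bobby     > "$d/groups/ftp_allowed"
    printf '%s\n' alice bob bobby > "$d/accounts"
    echo "$d"
}

d=$(make_sample)
echo "bob is in:"; groups_of bob "$d/groups"
echo "orphaned entries:"; orphans "$d/groups" "$d/accounts"
rm -rf "$d"
```
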