Thanks Lukas. This gives me plenty to move forward.

On Thu, Sep 24, 2009 at 11:19 AM, lukas.beeler <lukas.beeler@xxxxxxxxxxxxxxxx> wrote:

On Thu, Sep 24, 2009 at 15:09, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx> wrote:
1) Is it a good practice to assign an account to multiple global groups?
Does that cause issues? We're a small company and people wear many hats.
For example, the office manager handles overflow calls to inside sales.
Should the office manager be placed in the Global Inside Sales group as well
as the Global Office group? How is the effective permission determined if
an account is in multiple groups with differing permissions? My guess is
that if ANY group has enough permission, the account gets in.

If you're running a company with less than 100 users, you will not
need to concern yourself with the performance of the permissions etc.
you implement, because it simply doesn't matter. In most cases, even
with 500 users you can't do anything that will impact performance - if
you're running current hardware.

Permissions are generally additive, with the exception of deny
permissions. Deny always comes before allow.

If you have a file with two groups, one with an allow permission
and the other with a deny permission, and a user is a member of both
these groups, deny will take precedence.

This is also not as bad and as important as it sounds - you will
usually not need deny permissions. They're great for the occasional
"special circumstance", but you shouldn't make them part of your
standard security concept.

3) From #2, "Joe" is also a member of upper corporate management, which
could/should be another global group. It seems to me accounts ought to be
in multiple global groups.

Usually, accounts are members of multiple global groups, yes. Unless
their job really just consists of doing one thing.

If you assign all the permissions with domain local groups, you'll be
able to mix and match the global groups until you have a scenario that
you like. In the end, do what is easy for you to grasp, understand,
document and implement.

4) How does "Administrator" apply here? I'm certain that Administrator is
not put into every global group.

No, my approach is to give the Administrators group permissions on all
the files - directly on the ACL level, circumventing Active Directory.
Though this is not directly necessary - Administrators are able to
take ownership and reset permissions as needed.

I guess this issue (an account in multiple groups - yes or no) is an early
fork in the road for me. It will have great effect on how I proceed.

Yeah, definitively.

--
Read my blog at http://projectdream.org
--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.
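
The evaluation rule discussed in the reply above (allow permissions add up across groups, a matching deny wins), as an added example that is not part of the original thread: a simplified Python model of how Windows walks an ACL for an account that is in several groups. It goes slightly beyond the thread by also modelling canonical ACE ordering, where an explicit allow is evaluated before an inherited deny; the rights bits and ACLs are constructed, nested groups are not modelled, and the group names are the ones from the question.

```python
from dataclasses import dataclass

# Simplified access-right bits (constructed for this example).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group or account name the ACE applies to
    mask: int        # rights the ACE allows or denies
    inherited: bool = False

def canonical_order(aces):
    """Sort ACEs the way Windows tools store them: explicit deny, explicit
    allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_groups, dacl, desired):
    """Walk the DACL in order, as the Windows access check does.

    Allow ACEs matching the token accumulate rights; a matching deny ACE that
    covers a still-ungranted requested right ends the check with a refusal.
    """
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # rights never granted are implicitly denied

# Constructed sample: the office manager is in both global groups.
OFFICE_MANAGER = {"Global Office", "Global Inside Sales"}
SALES_ONLY = {"Global Inside Sales"}

ADDITIVE = canonical_order([
    Ace("allow", "Global Office", READ),
    Ace("allow", "Global Inside Sales", WRITE),
])
WITH_DENY = canonical_order([
    Ace("allow", "Global Office", READ | WRITE),
    Ace("deny", "Global Inside Sales", WRITE),
])
# An inherited deny sorts after an explicit allow, so the allow is seen first.
INHERITED_DENY = canonical_order([
    Ace("deny", "Global Inside Sales", WRITE, inherited=True),
    Ace("allow", "Global Office", WRITE),
])
```

Calling `access_check(OFFICE_MANAGER, WITH_DENY, WRITE)` shows the case from the thread: membership in the denied group blocks the write even though the other group allows it.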




