On 2/12/11 4:05 AM, John R Pierce wrote:
> regardless of the OS, any time you start to get tricky with per object
> permissions, before long you end up with a complex mess that's a pain in
> the butt to keep track of.

And this is especially true if you don't first map the users to a group role or job position, then set appropriate permissions for files/directories based on the roles instead of the individuals that are temporarily involved with them. You really don't want to maintain systems by searching the entire filesystem for acls containing a user and changing it to some other user. And generally you'll want a mail group associated with the role as well.

I always liked the way SME server let you associate users with groups in its web admin interface and then took care of the details of setting up permission groups and mail groups for you. Too bad it doesn't do LDAP to make it suitable for places with more than one server.

--
Les Mikesell
lesmikesell at gmail.com
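An added example, not part of the original message: an audit helper that reads the text output of Linux `getfacl -R` and lists every ACL entry that names an individual user instead of a role group, which is the cleanup problem the message describes. The function name `named_user_entries` is hypothetical, and the sample output (paths, users, groups) is constructed and abbreviated.

```python
from collections import defaultdict

# Constructed, abbreviated sample of `getfacl -R` output (all names are invented).
SAMPLE = """\
# file: srv/projects/alpha
# owner: root
# group: staff
user::rwx
user:alice:rwx
group:proj-alpha:rwx
other::---
default:user:alice:rwx

# file: srv/projects/alpha/report.odt
user::rw-
user:carol:rw-\t#effective:r--
group::r--
mask::r--
other::---

# file: srv/projects/beta
user::rwx
group:proj-beta:rwx
other::---
"""

def named_user_entries(getfacl_text):
    """Return {user: [(path, perms, is_default), ...]} for entries naming one user."""
    found = defaultdict(list)
    path = None
    for raw in getfacl_text.splitlines():
        line = raw.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            continue
        # Drop header comments and trailing "#effective:" annotations.
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split(":")
        is_default = fields[0] == "default"
        if is_default:
            fields = fields[1:]
        # "user::rwx" is the file owner; only "user:NAME:perms" names an individual.
        if len(fields) == 3 and fields[0] == "user" and fields[1]:
            found[fields[1]].append((path, fields[2], is_default))
    return dict(found)

if __name__ == "__main__":
    print(named_user_entries(SAMPLE))
```

A tree where permissions are granted only to role groups, like `srv/projects/beta` in the sample, produces no entries.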