Is there any way to let some account have more permission? - Security

This is a discussion on Is there any way to let some account have more permission? - Security ; Hi, Considering of the data security, I need to set up different groups for several project and set every engineer to the proper group. But there're some persons, such as leaders, they need more permission to manage the whole department. ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Is there any way to let some account have more permission?

  1. Is there any way to let some account have more permission?

    Hi,

    Considering of the data security, I need to set up different groups for
    several project and set every engineer to the proper group. But there're
    some persons, such as leaders, they need more permission to manage the whole
    department. If they are assigned to several groups, when need to visit
    another group's data, will have to run the command 'newgrp', which is not so
    handy, especially when you're running one software and have to exit and
    switch to new group and run again in order to get the permission to another
    group's data. Is there any other way to do it? It's good if I may set up
    one powerful group and which have the management permission to those groups
    and add leaders into the powerful one, but how to do it?

    Have a good day!

    Best Regards,

    Harryzhu



  2. Re: Is there any way to let some account have more permission?

    "tech11" (06-03-02 10:44:27):

    > Considering of the data security, I need to set up different groups
    > for several project and set every engineer to the proper group. But
    > there're some persons, such as leaders, they need more permission to
    > manage the whole department. If they are assigned to several groups,
    > when need to visit another group's data, will have to run the command
    > 'newgrp', which is not so handy, especially when you're running one
    > software and have to exit and switch to new group and run again in
    > order to get the permission to another group's data. Is there any
    > other way to do it? It's good if I may set up one powerful group and
    > which have the management permission to those groups and add leaders
    > into the powerful one, but how to do it?


    You may be particularly interested in ACLs (access control lists).
    There are many possibilities to use them. Most importantly you need to
    activate "extended attributes" for the filesystems you use, in your
    kernel configuration. Most ACL packages require this. In many cases
    it's already activated. Depending on which package you're using, you
    might have to also activate "POSIX access control lists" for your
    filesystems, too.

    However, I don't have any experience with ACLs in Linux systems, since I
    don't need them for my purposes. If I needed them, then I guess I would
    use RBAC (role-based access control), which comes along with the
    grsecurity kernel patch.

    Another possibility is to use a version control system (VCS) like the
    Concurrent Versions System (CVS) oder Subversion (SVN).


    Regards.

  3. Re: Is there any way to let some account have more permission?


    "Ertugrul Soeylemez"
    ??????:20060302041014.41de63cc@kill.mine.nu...
    > "tech11" (06-03-02 10:44:27):
    >
    >> Considering of the data security, I need to set up different groups
    >> for several project and set every engineer to the proper group. But
    >> there're some persons, such as leaders, they need more permission to
    >> manage the whole department. If they are assigned to several groups,
    >> when need to visit another group's data, will have to run the command
    >> 'newgrp', which is not so handy, especially when you're running one
    >> software and have to exit and switch to new group and run again in
    >> order to get the permission to another group's data. Is there any
    >> other way to do it? It's good if I may set up one powerful group and
    >> which have the management permission to those groups and add leaders
    >> into the powerful one, but how to do it?

    >
    > You may be particularly interested in ACLs (access control lists).
    > There are many possibilities to use them. Most importantly you need to
    > activate "extended attributes" for the filesystems you use, in your
    > kernel configuration. Most ACL packages require this. In many cases
    > it's already activated. Depending on which package you're using, you
    > might have to also activate "POSIX access control lists" for your
    > filesystems, too.
    >
    > However, I don't have any experience with ACLs in Linux systems, since I
    > don't need them for my purposes. If I needed them, then I guess I would
    > use RBAC (role-based access control), which comes along with the
    > grsecurity kernel patch.
    >
    > Another possibility is to use a version control system (VCS) like the
    > Concurrent Versions System (CVS) oder Subversion (SVN).
    >
    >
    > Regards.


    ACL can do, but it'll affect our daily backup since we use command 'dump' to
    do. I've never tried RBAC and heard it when using solaris.

    I feel both CVS and Subversion are not so proper to do permission
    management, maybe it's good in version control and used normally in software
    or code programming.

    Best Regards,

    Joffre



  4. Re: Is there any way to let some account have more permission?

    tech11 wrote:
    > "Ertugrul Soeylemez"
    > > "tech11" (06-03-02 10:44:27):

    ....
    > >> when need to visit another group's data, will have to run the command
    > >> 'newgrp', which is not so handy, especially when you're running one
    > >> software and have to exit and switch to new group and run again in
    > >> order to get the permission to another group's data. Is there any

    ....
    Is it not sufficient to add all relevant groups as supplementary groups
    to
    the manager's user account? His permissions for existing files would be
    ok,
    without having to newgrp.
    -job

+ Reply to Thread