On Mon, May 10, 2010 at 3:27 PM, Martin Feller <[email protected]> wrote:
> This approach looks fine to me. We use the same approach in a project I
> work on: All users have individual accounts, but are members of various
> local unix groups. Each group reflects a project.
> Depending on group membership they can access project data being owned
> by that group, or not.

That's reassuring.

> There is another approach where all users share a community credential
> which is augmented with user-specific information (attributes). Authorization
> decisions are then done by callouts which check the user-specific
> attributes.
> I don't know enough about it to give you detailed information about this,
> but if you are interested I could maybe find documentation pointers or
> forward this to folks who know more about this.
> Or maybe there's even somebody on this list who can provide input on this!

I think it would be interesting to have a document defining all the main scenarios and explaining which solution would be better to adopt for each one of them.

> Glad to hear that it works now on most machines. Hard to tell for me
> why this one machine still causes problems. I hope you can figure it out.

I have found that out too: it appeared that on that particular machine the globus directory had only 740 (rwxr-----) permissions instead of 750 (rwxr-x---). Some student must have messed with it.

Really many thanks for your help and support, it has been invaluable.

--
Marco Lackovic
http://grid.deis.unical.it/lackovic/
