>Are there any documented best practices on this? Is there any time when
>assigning anyone Primary Administrator is valid? I'm maintaining a
>hosting environment and would like to try to use best practices when
>possible.
To a role: yes, assign that role to a user: yes; assign it to a user,
not such a good idea.
The only profiles which should be given to a user are "innocent", e.g.,
something firefox might run without destroying the system.
>Currently we're creating an "approot" role which we assign to SA's, but
>also give them Primary Administrator as well. Should we be doing
>something more fine grained?
Yes, the PA is not a good idea.
What I would like is:
- a role which you can assume by typing your own password, not the
role
- but I would like it to keep the same uid as the user
(making the role a different uid in the credential)
Casper
