On Friday 28 February 2003 21.26, Scott Wrosch wrote: > Not likely to happen, but I'm going to try again. He seems to > think that it's one more thing that could go wrong. But, if I let > him do the maintaining of the proxy, I could make him see the error > of his ways. Especially considering we have temps coming in and out > all the time who have various access needs. It's definitely nice > to see though that I'm not the only one who is thinking that way.
It is just groups dammit.. Fact: The list of usernames needs to be stored somewhere. Fact: One more group in the domain does not make any conflicts, as long as it named with a name that guarantees there is no need to create another group with the exact same name but another purpose. Fact: If having the groups in the domain then it becomes immediately obvious which rights a given user have simply by looking at the group memberships for that user with the normal administrative tools used to assign rights to that user. Fact: By having the groups in the domain you do not risk forgetting to remove privileges for the user when deleting the account. If separate then "forgotten" rights may be inherited by another user if he has the same username as a previous user.. Fact: If having the proxy groups defined in a separate system then two tools needs to be used on two different systems to determine which rights the user have or not. Fact: Groups defined by files on the proxy is by far not as visible as the domain groups, and you will not at all get the same overview as you must manually search each individual group to determine which groups the user is member of (there is ofcourse the grep command, but keep that to yourself B) Regards Henrik
