6.2. Managing User Resources

Creating user accounts is only part of a system administrator's job. Management of user resources is also essential. Therefore, three points must be considered:
  • Who can access shared data
  • Where users access this data
  • What barriers are in place to prevent abuse of resources
The following sections briefly review each of these topics.

6.2.1. Who Can Access Shared Data

A user's access to a given application, file, or directory is determined by the permissions applied to that application, file, or directory.
In addition, it is often helpful if different permissions can be applied to different classes of users. For example, shared temporary storage should be capable of preventing the accidental (or malicious) deletions of a user's files by all other users, while still permitting the file's owner full access.
Another example is the access assigned to a user's home directory. Only the owner of the home directory should be able to create or view files there. Other users should be denied all access (unless the user wishes otherwise). This increases user privacy and prevents possible misappropriation of personal files.
But there are many situations where multiple users may need access to the same resources on a machine. In this case, careful creation of shared groups may be necessary.

6.2.1.1. Shared Groups and Data

As mentioned in the introduction, groups are logical constructs that can be used to cluster user accounts together for a specific purpose.
When managing users within an organization, it is wise to identify what data should be accessed by certain departments, what data should be denied to others, and what data should be shared by all. Determining this aids in the creation of an appropriate group structure, along with permissions appropriate for the shared data.
For instance, assume that the accounts receivable department must maintain a list of accounts that are delinquent on their payments. They must also share that list with the collections department. If both accounts receivable and collections personnel are made members of a group called accounts, this information can then be placed in a shared directory (owned by the accounts group) with group read and write permissions on the directory.
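As an added example (not part of the original guide), the three permission models described in this section applied with standard POSIX commands: the accounts group's shared directory with the setgid bit so new files inherit the group, the shared temporary storage with the sticky bit so only a file's owner can delete it, and an owner-only home directory. The group name, directory paths and user name are assumptions; the demonstration uses the caller's own primary group inside a scratch directory so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original guide.  Group, paths and user
# names are assumptions; the demo uses the caller's primary group so
# it works without root privileges.

# Shared departmental directory: owned by the group, group read/write,
# no access for others.  The setgid bit (the leading 2) makes files
# created inside inherit the directory's group rather than the
# creator's primary group, so every member can keep reading them.
make_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir"
}

# Shared temporary storage: everyone may create files, but the sticky
# bit (the leading 1) lets only a file's owner (or root) delete or
# rename it, which prevents accidental or malicious deletion by others.
make_shared_tmp() {
    mkdir -p "$1" || return 1
    chmod 1777 "$1"
}

# Home directory: the owner has full access, everyone else is denied.
make_private_home() {
    mkdir -p "$1" || return 1
    chmod 0700 "$1"
}

# Report the octal mode (GNU stat) so the result can be verified.
dir_mode() {
    stat -c '%a' "$1"
}

# Demonstration in a constructed scratch directory; prints the three
# resulting modes, e.g. "2770 1777 700".
demo() {
    base=$(mktemp -d) || return 1
    grp=$(id -gn)          # assumption: caller's primary group stands in for "accounts"
    make_shared_dir "$base/accounts" "$grp"
    make_shared_tmp "$base/tmp"
    make_private_home "$base/home_alice"
    printf '%s %s %s\n' "$(dir_mode "$base/accounts")" \
        "$(dir_mode "$base/tmp")" "$(dir_mode "$base/home_alice")"
    rm -rf "$base"
}
```

On a real system the group would be created first with groupadd and the members added with usermod, and chgrp would then be run as root.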

6.2.1.2. Determining Group Structure

Some of the challenges facing system administrators when creating shared groups are:
  • What groups to create
  • Whom to put in a given group
  • What type of permissions should these shared resources have
A common-sense approach to these questions is helpful. One possibility is to mirror your organization's structure when creating groups. For example, if there is a finance department, create a group called finance, and make all finance personnel members of that group. If the financial information is too sensitive for the company at large, but vital for senior officials within the organization, then grant the senior officials group-level permission to access the directories and data used by the finance department by adding all senior officials to the finance group.
It is also good to be cautious when granting permissions to users. This way, sensitive information is less likely to fall into the wrong hands.
By approaching the creation of your organization's group structure in this manner, the need for access to shared data within the organization can be safely and effectively met.