On Sunday, 2018-04-15 at 16:04 -0400, Anton Aylward wrote:
On 15/04/18 12:01 PM, Carlos E. R. wrote:
That I can understand, the needle-sharp delegation of a specific function makes sense; UNIX has often been criticised as root doing every aspect of system administration and no compartmentalization and delegation. Having a UUCP administrator, a line printer administrator, a new account administrator ... yes, that's the more 'corporate' approach.
But it is a hell of a job to create a suitable sudoers file for that compartmentalization.
Is it any less of a 'hell of a job' to set that up under an IBM MVS system?
As far as I can see just add the users to a relevant group and configure SUDO to work in terms of that group.
Delegate lp, uucp, policy, .... It's all there, just have to run chkstat.
Well, the "root" admin has to list somewhere who can do that, seeking all the tools a limited admin has to use, and then correct the errors. There are hundreds of tools to consider. And sometimes a root tool should be used only with some of the options, not all of them. Now, if someone contributed those lists ready made, it would be different. I worked with the Lucent 5ESS, a telephone network exchange, which ran unix with a frontend. On one site (say about a dozen machines) they set up admin roles, going command by command, adding them to groups, then choosing which people could run each command. It took more than a week to prepare (and I don't know how long to read docs), then another to set up, and weeks to debug (problems with people that could not do their job, people that could not log in, etc). Interestingly, some people (me) could get to the unix shell and then do anything.
More advanced systems use ldap based account management and sudo can make use of that too.
I guess. Windows does have this area much more advanced (via AD). You can fine-tune who does what, and there are already some roles, like one for doing backups.
-- 
Cheers, Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" at Telcontar)
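
The two concerns raised in this thread, group-based sudo delegation where a tool should only be allowed some of its options, and a delegated user reaching a shell, can be checked mechanically. This is an added example, not part of the original messages: the group names, the sample rules and the list of shell-capable programs are constructed assumptions, and only simple one-line rules are parsed.

```python
import re

# Assumption: illustrative list of programs that can run other commands.
SHELL_CAPABLE = {"vi", "vim", "less", "more", "man", "find", "awk", "env",
                 "sh", "bash", "perl", "python"}

# Constructed sample; the group names and rules are hypothetical.
SAMPLE_SUDOERS = """\
%lpadmin   ALL = (root) /usr/sbin/lpadmin, /usr/bin/cancel
%uucpadmin ALL = (root) /usr/bin/vi /etc/uucp/sys
%acctadmin ALL = (root) /usr/sbin/useradd *
%backup    ALL = (root) NOEXEC: /usr/bin/less /var/log/backup.log
%ops       ALL = (ALL) ALL
"""

# Simplification: one-line user specs only; no aliases, Defaults or includes.
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit(text):
    """Return (who, command, problem) for each risky delegated command."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if line.startswith("#") or not m:
            continue
        noexec = False  # tags carry over to later commands on the same line
        for spec in map(str.strip, m.group("cmds").split(",")):
            while (t := TAG.match(spec)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(t.group(1), noexec)
                spec = spec[t.end():]
            argv = spec.split()
            if not argv:
                continue
            if spec == "ALL":
                problem = "any command allowed"
            elif argv[0].rsplit("/", 1)[-1] in SHELL_CAPABLE and not noexec:
                problem = "can start a shell, no NOEXEC"
            elif "*" in spec:
                problem = "wildcard in arguments"
            elif len(argv) == 1:
                problem = "no argument list, so every option is allowed"
            else:
                continue
            findings.append((m.group("who"), spec, problem))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SUDOERS), sep="\n")
```
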