On Thu, 2002-08-08 at 16:21, Richard Hoffbeck wrote:
> stock Linux install, how do I share a file I own with Bill and Mary
> without going through root to create a group with two users?

Groups still don't get created on an AD without administrator help. Minimally a Trusted User handles those with a delegation of part of the active directory. Sanely, only specific groups are delegated to avoid major systems design issues.

So sure, let's assume that the addition and removal of users in a group is now delegated (yeah, right, like anyone is going to manage ACLs of specific dispersed files of all users); however, the creation and design of groups (domain or globally) are still the responsibility of an administrator at the OU, domain, or global tree level. Unless a whole OU is just given out to a very trusted user for those sorts of things (creating groups), but that would scare too many administrators worth their salt worrying about a sustainable system in the future.

I also fear giving this sort of 'power' to people in positions that aren't responsible for data security (if applicable, HIPAA might make it a PITA for administrators to give this up in some environs) or for the power structure of the 'system' to be separate from the actual 'power structure' in some ways to avoid stupid-user-battles. Of course, the latter could easily be worked out with decent event logging and auditing. (Perhaps forwarding the audit logs to said users' bosses to mitigate evil blame from them if something stupid does happen.)

Delegating control can be a powerful tool, but I believe it can, in many cases, become more of a pain and a liability of 'image' to 'higher ups' when stuff happens. There's something to be said about being directly responsible.

The richer model right now has the (good) ability of providing separate permissions per object. The problem in the UNIX world right now is that there is no definite standard to do this that interoperates with NFS. Of course, I can't speak for AFS. Nor can I wonder if AFS has enough API hooks for applications to reap the benefits of such a thing. I should look sometime.

-- 
Scott Dier <dieman at ringworld.org> http://www.ringworld.org/
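The two sharing models the message contrasts, as an added illustration that is not part of the original post or thread: a group-based model where creating a group is an administrator action (with membership management optionally delegated to a trusted user), beside a per-object ACL model where the file owner grants named users access directly. Both paths write to an audit trail, the control the message suggests for keeping delegation accountable. The directory, users ("admin", "alice", "bill", "mary"), group name and file are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class PermissionDenied(Exception):
    """Raised when an actor attempts an action the model does not allow."""


@dataclass
class Directory:
    """Group database: administrator-only group creation, with optional
    delegation of membership management per group (the AD-style model)."""
    admins: Set[str]
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    delegates: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def create_group(self, actor: str, name: str) -> None:
        # Creating a group stays an administrator action; denials are logged too.
        if actor not in self.admins:
            self.audit.append(f"DENY create_group {name} by {actor}")
            raise PermissionDenied(f"{actor} may not create groups")
        self.groups[name] = set()
        self.delegates[name] = set()
        self.audit.append(f"create_group {name} by {actor}")

    def delegate(self, actor: str, group: str, user: str) -> None:
        # Only an administrator may hand out membership management for a group.
        if actor not in self.admins:
            self.audit.append(f"DENY delegate {group} to {user} by {actor}")
            raise PermissionDenied(f"{actor} may not delegate {group}")
        self.delegates[group].add(user)
        self.audit.append(f"delegate {group} to {user} by {actor}")

    def add_member(self, actor: str, group: str, user: str) -> None:
        # Administrators, or the delegates for this specific group, may add members.
        if actor not in self.admins and actor not in self.delegates.get(group, set()):
            self.audit.append(f"DENY add_member {user} to {group} by {actor}")
            raise PermissionDenied(f"{actor} may not manage {group}")
        self.groups[group].add(user)
        self.audit.append(f"add_member {user} to {group} by {actor}")


@dataclass
class File:
    """A file with a Unix-style owning group plus a per-object ACL."""
    owner: str
    group: Optional[str] = None
    group_can_read: bool = False
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, directory: Directory, actor: str, user: str, perm: str) -> None:
        # Per-object model: the owner grants access directly, no administrator
        # involved; the grant (or the refused attempt) is still audited.
        if actor != self.owner:
            directory.audit.append(f"DENY grant {perm} to {user} by {actor}")
            raise PermissionDenied(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).add(perm)
        directory.audit.append(f"grant {perm} to {user} by {actor}")


def can_read(directory: Directory, f: File, user: str) -> bool:
    """Read is allowed for the owner, members of a readable owning group,
    or a user with an explicit ACL read entry."""
    if user == f.owner:
        return True
    if f.group and f.group_can_read and user in directory.groups.get(f.group, set()):
        return True
    return "read" in f.acl.get(user, set())


def share_via_group(directory: Directory) -> File:
    """Group model: alice cannot create the group herself; an admin creates it
    and delegates membership management to her, then she adds bill and mary."""
    f = File(owner="alice", group="report-readers", group_can_read=True)
    try:
        directory.create_group("alice", "report-readers")
    except PermissionDenied:
        pass  # expected: the refusal is recorded in the audit trail
    directory.create_group("admin", "report-readers")
    directory.delegate("admin", "report-readers", "alice")
    directory.add_member("alice", "report-readers", "bill")
    directory.add_member("alice", "report-readers", "mary")
    return f


def share_via_acl(directory: Directory) -> File:
    """Per-object model: alice grants bill and mary read access herself."""
    f = File(owner="alice")
    f.grant(directory, "alice", "bill", "read")
    f.grant(directory, "alice", "mary", "read")
    return f


if __name__ == "__main__":
    d = Directory(admins={"admin"})
    by_group, by_acl = share_via_group(d), share_via_acl(d)
    for user in ("alice", "bill", "mary", "eve"):
        print(user, can_read(d, by_group, user), can_read(d, by_acl, user))
    print("\n".join(d.audit))
```

The group path needs three administrator-side actions (create, delegate, and the delegate's own membership edits) before Bill and Mary can read anything, while the ACL path needs none; the audit list shows exactly who did what in either case, including the refused self-service group creation.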