On Thu, 2002-08-08 at 16:21, Richard Hoffbeck wrote:

> stock Linux install, how do I share a file I own with Bill and Mary 
> without going through root to create a group with two users?

Groups still don't get created on an AD without administrator help. 
Minimally a Trusted User handles those with a delegation of part of the
active directory.  Sanely, only specific groups are delegated to avoid
major systems design issues.  So sure, let's assume that the addition and
removal of users in a group is now delegated, (Yeah, right, like anyone
is going to manage ACLs of specific dispersed files of all users)
however the creation and design of groups (domain or globally) are still
the responsibility of an administrator at the OU, domain, or global tree
level.  Unless a whole OU is just given out to a very trusted user for
those sorts of things (creating groups), but that would scare too many
administrators worth their salt worrying about a sustainable system in
the future.  

I also fear giving this sort of 'power' to people in positions that
aren't responsible for data security (if applicable, HIPAA might make it
a PITA for administrators to give this up in some environs) or for the
power structure of the 'system' to be separate from the actual 'power
structure' in some ways to avoid stupid-user-battles.  Of course, the
latter could easily be worked out with decent event logging and
auditing. (Perhaps forwarding the audit logs to said users' bosses to
mitigate evil blame from them if something stupid does happen.) 
Delegating control can be a powerful tool, but I believe it can, in many
cases, become more of a pain and a liability of 'image' to 'higher ups'
when stuff happens.  There's something to be said about being directly
responsible.

The richer model right now has the (good) ability of providing separate
permissions per object.  The problem in the UNIX world right now is that
there is no definite standard to do this that interoperates with NFS. 
Of course, I can't speak for AFS.  Nor can I wonder if AFS has enough
API hooks for applications to reap the benefits of such a thing.  I
should look sometime.

-- 
Scott Dier <dieman at ringworld.org> http://www.ringworld.org/