The AGDLA Pattern

Updated Friday, 08 December 2023 by Ryan Kueter
How access control and permissions are structured on file servers often has a significant impact on the maintainability and performance of systems. For example, a poorly designed access control scheme may apply user accounts directly to a shared folder. When that is done, the account has to be applied to every object in the folder, which is time consuming and, for many reasons, makes the directory structure confusing and difficult to manage as it grows over time. While this topic comes from Windows Server training, it applies to any operating system, including Linux- or Unix-based systems, that has user- and group-level access control.
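A quick way to find the poorly designed case described above (user or computer accounts applied directly to a folder) is to walk the folder's explicit access control entries and resolve each principal in Active Directory. The following PowerShell script is an added example and is not part of the original post; it assumes the ActiveDirectory (RSAT) module is available, and the share path and domain names in it are placeholders.

```powershell
# Added example (not from the original post): report access control entries on a folder
# that reference user or computer accounts directly instead of a resource group.
# Assumes the ActiveDirectory module; the share path below is a placeholder.
Import-Module ActiveDirectory

function Find-DirectAccountAces {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse    # also inspect subfolders
    )

    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Directory -Recurse
    }

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Only explicit entries matter: inherited ones come from a parent that is inspected separately.
        foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
            $identity = $ace.IdentityReference.Value        # e.g. CORP\jdoe or BUILTIN\Administrators
            $sam = ($identity -split '\\')[-1]
            # Well-known principals (BUILTIN, NT AUTHORITY) are not AD objects and are skipped.
            $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue
            if ($obj -and $obj.ObjectClass -in @('user', 'computer')) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $identity
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (placeholder path): list the direct account entries so they can be replaced by a resource group.
Find-DirectAccountAces -Path '\\FILESERVER\Finance' -Recurse | Format-Table -AutoSize
```

Each row is an entry that would have to be touched individually when the account changes; the fix is to remove it and grant the same rights through a Domain Local resource group instead.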

Accounts, Global groups, Domain Local groups, Access control lists (AGDLA)
An account is a user or computer account added to a Global group. The Global groups will likely reflect the business roles in the organization, like Accounting, Human Resources, and Information Technology. Those Global groups are then assigned to Domain Local groups, which are granted access to the actual resources.

This makes a lot of sense for several reasons. Once a Domain Local group is applied to a directory, it never needs to be reapplied. Simply add one or more Global groups to those resource groups, since multiple departments may need access to the same resources.

For maintainability, distinguish Domain Local groups (i.e., resource groups) from others by using a prefix, such as “res,” in the name. And in the group description, specify the path to the resource, so the directory structure can be restored more quickly in the event of a disaster.

Accounts, Global groups, Universal groups, Domain Local groups, Access control lists (AGUDLA)
When working in a multi-domain forest, an additional Universal group layer is needed. So, rather than applying Global groups directly to Domain Local groups, apply Global groups to Universal groups, and then apply those Universal groups to Domain Local groups.
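The following PowerShell function builds the whole chain for one shared folder, covering both the AGDLA layout from the first section and the AGUDLA variant above: it creates the “res”-prefixed Domain Local group with the resource path in its description, nests the Global role groups under it (optionally through a Universal group), and applies the NTFS permission once, to the resource group only. It is an added example, not code from the original post; it assumes the ActiveDirectory module, that it runs in the domain where the groups are created, and that the group names, OU, share path and role group names are placeholders.

```powershell
# Added example (not from the original post): create the AGDLA or AGUDLA chain for one shared
# folder and grant the NTFS permission to the Domain Local (resource) group only.
# Assumes the ActiveDirectory module; OU, path and group names below are placeholders.
Import-Module ActiveDirectory

function New-ResourceAccessChain {
    param(
        [Parameter(Mandatory)] [string]   $ResourcePath,   # e.g. \\FILESERVER\Finance (placeholder)
        [Parameter(Mandatory)] [string]   $ResourceName,   # short name used in the group names
        [Parameter(Mandatory)] [string[]] $RoleGroups,     # existing Global groups, e.g. 'Accounting'
        [Parameter(Mandatory)] [string]   $GroupOU,        # e.g. 'OU=Groups,DC=corp,DC=example' (placeholder)
        [ValidateSet('Modify', 'ReadAndExecute')] [string] $Rights = 'Modify',
        [switch] $MultiDomain                              # insert a Universal group (AGUDLA)
    )

    # Resource (Domain Local) group: "res" prefix and the path in the description, as the post recommends.
    $resName  = "res_${ResourceName}_$Rights"
    $resGroup = Get-ADGroup -Filter "Name -eq '$resName'" -ErrorAction SilentlyContinue
    if (-not $resGroup) {
        $resGroup = New-ADGroup -Name $resName -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupOU -Description "$Rights on $ResourcePath" -PassThru
    }

    # Directly under the resource group sit either the Global role groups (AGDLA)
    # or one Universal group that collects those roles across domains (AGUDLA).
    $members = $RoleGroups
    if ($MultiDomain) {
        $uniName  = "uni_${ResourceName}_$Rights"
        $uniGroup = Get-ADGroup -Filter "Name -eq '$uniName'" -ErrorAction SilentlyContinue
        if (-not $uniGroup) {
            $uniGroup = New-ADGroup -Name $uniName -GroupScope Universal -GroupCategory Security `
                -Path $GroupOU -Description "Cross-domain roles for $resName" -PassThru
        }
        Add-ADGroupMember -Identity $uniGroup -Members $RoleGroups
        $members = @($uniGroup)
    }
    Add-ADGroupMember -Identity $resGroup -Members $members

    # Apply the ACL once, to the resource group only; user accounts never appear on the folder.
    $acl    = Get-Acl -LiteralPath $ResourcePath
    $domain = (Get-ADDomain).NetBIOSName
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$resName",
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $ResourcePath -AclObject $acl
    return $resGroup
}

# Usage (placeholders): two departments share one folder; only the resource group is on the ACL.
# Add -MultiDomain when the role groups come from several domains of one forest.
New-ResourceAccessChain -ResourcePath '\\FILESERVER\Finance' -ResourceName 'Finance' `
    -RoleGroups 'Accounting', 'HumanResources' -GroupOU 'OU=Groups,DC=corp,DC=example'
```

Granting a new department access afterwards is a single Add-ADGroupMember call on the resource (or Universal) group; the folder's ACL is never touched again, which is the maintainability property the pattern is designed for.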