I am trying to restrict access to our workgroup shares so no one can accidentally delete or move them.
Basically /path/to/parent/SHARE WITH TEAM FOLDERS/
The directory in caps is all the different team shares in the company: HR, sales, etc. The issue we have is everyone has access to the directory with all the shares and from there it’s governed by groups on the ACL.
Sometimes users accidentally drag a folder into a different team’s folder or delete a team folder.
I can’t find a way to restrict access so that the groups applied can still have access but restrict deletes or moves.
Any help would be greatly appreciated... I might actually cry if something works too.
Take this with a grain of salt, the more I re-read, the more I realize I’m making assumptions about your setup that may or may not be true. First, I’m making an assumption that you’re doing ACLs for samba shares (and I know that system better on FreeBSD than Linux). I’m also assuming based on your description you want everyone to have access, but not write access.
I think you could do an officewide group with read-only permissions on all of the shares and then set the unix group to the department. So, for your HR team you’d do
chgrp -R hr /path/to/parent/shares/hr
and
setfacl -m d:g::rwx /path/to/parent/shares/hr
and add the officewide group’s read-only perms:
setfacl -m d:g:officewide:rx /path/to/parent/shares/hr
Rinse and repeat for each share. Not sure if this is what you’re after, but maybe it’ll help lead in a good direction.
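The reply's per-share steps, looped over every team directory, as an added example that is not part of the thread. It assumes Linux chgrp/setfacl, that each team directory is named after its unix group, and that the read-only group is called officewide; it goes one step past the reply by also setting access entries, since default (d:) entries only affect items created later. The function name plan_share_acls is made up for this example, and it only prints the commands for review.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux chgrp/setfacl, each
# team directory is named after its unix group, "officewide" is the read-only
# group. Nothing is executed: the commands are printed for review.

# plan_share_acls PARENT [READONLY_GROUP]
plan_share_acls() {
    parent=${1%/}
    ro_group=${2:-officewide}
    [ -d "$parent" ] || { echo "not a directory: $parent" >&2; return 1; }
    case $parent in
        *\'*) echo "refusing path containing a quote: $parent" >&2; return 1 ;;
    esac
    for dir in "$parent"/*/; do
        [ -d "$dir" ] || continue          # no subdirectories: glob stayed literal
        dir=${dir%/}
        group=${dir##*/}
        case $group in
            -*|*[!A-Za-z0-9._-]*)          # not a plain group name: leave for manual review
                echo "skipping '$dir': name is not a simple group name" >&2
                continue ;;
        esac
        printf "chgrp -R %s '%s'\n" "$group" "$dir"
        # Access entries cover what already exists in the share.
        # X grants execute only on directories (and files already executable).
        printf "setfacl -R -m g::rwX,g:%s:rX '%s'\n" "$ro_group" "$dir"
        # Default (d:) entries are inherited by files and folders created later.
        printf "setfacl -R -m d:g::rwX,d:g:%s:rX '%s'\n" "$ro_group" "$dir"
    done
}
```

Deleting or renaming a team folder is decided by write permission on the parent directory, which these per-share entries do not change.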
I can take a look at this. We use Dell Isilon, which is Unix.
I’ll try to clarify better; as I was reading I couldn’t figure out how to explain it better. To start, these are SMB shares. We also have about 90,000 employees to put the scale into perspective. For some reason I think they wanted to avoid the read-only group because with that many employees it might be a group IT sec doesn’t want to have exist.
But it’s basically:
Directory/directory/directory/workgroup/hr
Directory/directory/directory/workgroup/finance
Directory/directory/directory/workgroup/IT
Directory/directory/directory/workgroup/exec
Directory/directory/directory/workgroup/engineering
Everyone has basically full access to wrkgrp, but the team AD groups are applied to hr, finance, etc.