1

Lets say I have the following setup

  • Two teams: TeamAlice and TeamBob
  • A command that requires admin access: admin_command
  • Two sets of computers: TeamAlice_Computers and TeamBob_Computers

Only TeamAlice has login access to TeamAlice_Computers, and only TeamBob has login access to TeamBob_Computers

Is it acceptable to put TeamAlice and TeamBob in a security group that gives permission to admin_command? or should I instead make 2x security groups, explicitly listing the team / computers? Are there pros/cons to each?

My gut feel is that having a single security group would make the permissions less cluttered and easier to understand, but that somehow it violates the principle of least privilege. Am I overthinking this?

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40

2 Answers2

1

I will use another principle to answer your question: use more than one defence line in case one gets broken.

If you can be sure that your login protection is 100% secure, both ways are stricly equivalent: only users from TeamAlice can access machines from TeamAlice_Computers and only those having the admin privilege can use admin_command there.

Now if admin_command is highly sensitive, I would use two security groups. The rationale is that a weakness in the login system allowing a user from TeamAlice to access a machine in TeamAlice_Computers will not give them admin privileges. It should not be possible, but we all know that many softwares can have security flaws...

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
0

It depends. Each approach in this case has own pros and cons.

You don't describe how is the login permissions are given.

One approach can be to define 2 groups:

  • "AliceAdmins": This group would contain permissions "AliceLogin" and "admin_command"
  • "BobAdmins": This group would contain permissions "BobLogin" and "admin_command"

Thus you can configure each of these groups independently on each other. For instance, you can easily add some "admin_command_2" to one group but not to the other. Or you can easily remove "admin_command" from one group but keep it in the other.

mentallurg
  • 8,536
  • 4
  • 26
  • 41