Imagine this simplified scenario: a small business has an owner, a bookkeeper, a part-time sysadmin and a few dozen employees; the company has an all-Linux LAN. (Most computers run Arch Linux.) No outside (WAN) access to the LAN is configured; LAN resources are available locally only.
It seems everything is cloud-based today, but I'm trying to understand this problem without initially having to consider the complexity of cloud-based resources or WAN access by remote or traveling employees.
The goal is to secure the resources on the LAN from unauthorized local access, especially by local users who can become root.
The sysadmin currently has root access to all computers. A select few employees have sudo rights on their computers. Currently, the sysadmin can access any and all resources on the LAN.
Now consider this new requirement: Other than the owner, the bookkeeper is the person who should have access to the financial resources of the company.
The sysadmin must be able to continue to administer all machines (from desktop support to operating system installation).
How can the sysadmin do his job while complying with the requirement of not having access to the financial information stored on the local fileserver, for example?
Is this what directory services such as LDAP or FreeIPA accomplish?
What is a simple way to solve the requirement described above for an overworked and under-trained Linux sysadmin?
If the requirement cannot be met 100%, what is the common practice at similar companies?
What is a simple way to implement a general authentication system along with a network file system that has encryption?
Some of the terms I have seen include FreeIPA, NIS, NIS+, LDAP, SSSD, Kerberos and more. I'm not clear on exactly how each of these might fit into the simple solution required in the scenario above.
(Bonus question: Once the above goal is accomplished, what -- in very general terms -- would need to change to begin extending this authorization and access control to WAN / remote clients?)