Lots of variations ... just a few scenarios.

Scenario 1

Requirements: A power user has authored a set of scripts that system users need to be able to run and that a group of auditors needs to be able to inspect for control purposes. Access control should satisfy the following goals:

  • All system users should be able to execute the scripts but not read or change them. General system users should not be able to list all the available scripts (i.e., they can execute scripts by name but not 'see the menu').
  • The power user author should maintain full control for adding, deleting, or updating the scripts (and be able to execute them).
  • A set of specified users needs to audit the scripts, so in addition to being able to execute them, they should also be able to read (but not change) them and be able to list all the available scripts.

A resolution: Have the script author place all the scripts in a folder created for just that purpose. Create a group for those who need audit privilege. Arrange access for files (i.e., scripts) in the folder to allow all users execute (only) privilege, audit users read and execute privilege, and establish the author as the files' owner with full privilege. On the folder itself, prevent general system users from reading or updating folder contents, but allow audit users to enter the directory and list it, though not to add or delete items.
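The resolution above maps onto classic owner/group/other mode bits, shown here as an added example that is not part of the original page. The directory name, the sample script name, and the group supplied as the audit group are assumptions for illustration.

```shell
#!/bin/sh
# Added example: Scenario 1 as Unix mode bits (author = owner, auditors = group).
# Assumption: run by the script author, who may assign files to AUDIT_GROUP.

# setup_script_dir DIR AUDIT_GROUP : create the dedicated folder.
setup_script_dir() {
    local dir="$1" audit_group="$2"
    mkdir -p "$dir" || return 1
    chgrp "$audit_group" "$dir" || return 1
    # Directory 751:
    #   owner rwx  author adds, deletes and updates entries
    #   group r-x  auditors list (r) and enter (x), cannot add or delete (no w)
    #   other --x  users reach a script by name (x) but cannot list (no r)
    chmod 751 "$dir"
}

# publish_script DIR FILE AUDIT_GROUP : install one script with the file modes.
publish_script() {
    local dir="$1" src="$2" audit_group="$3" dest
    dest="$dir/$(basename "$src")"
    cp "$src" "$dest" || return 1
    chgrp "$audit_group" "$dest" || return 1
    # File 751: owner rwx, auditors r-x, everyone else execute only.
    chmod 751 "$dest"
}

# mode_of PATH : print the octal permission bits (GNU/busybox stat).
mode_of() { stat -c '%a' "$1"; }

# check_tree DIR : report entries whose mode drifted from 751; return 1 if any.
check_tree() {
    local dir="$1" bad=0 p
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        if [ "$(mode_of "$p")" != "751" ]; then
            echo "unexpected mode $(mode_of "$p") on $p" >&2
            bad=1
        fi
    done
    return $bad
}
```

On Linux, a `#!` script is opened for reading by its interpreter running as the invoking user, so the execute-only bit for others is sufficient only for compiled programs; verify the behaviour on the target system before relying on it.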

Implementation: Assume

Scenario 2

Auditors need an area to store, manage, and update documents related to controls, but general users should have no access to the documents, even to list their names. A power user has been assigned to help manage the documents (list, add, delete documents) but, for control purposes, should not be able to change documents.