
User accounts
Principles
Users are either humans, or non-human users for services.
All users of a resource group are configured (e.g. visible via getent) on all hosts of a resource group.
The following attributes are globally unique: username and UID for users; group name and GID for groups.
The presence of an account alone does not imply any permission assignments.
Human users
The primary group is users. The home directory is located in /home/$USER.
Service users
The primary group is service. Usernames usually start with s-. The home directory is located in /srv/$USER.
No SSH login is allowed by default to support the general data protection guidelines. In exceptional cases SSH access may be granted.
Human users that have the sudo-srv permission in a project are allowed to change to the service user (sudo -u <service_user_name> -i) and execute commands as a service user (sudo -u <service_user_name> <command>).
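As an added example (not part of the original page), the following script audits getent-style passwd and group records against the principles above: global uniqueness of username/UID and group name/GID, and the primary-group and home-directory conventions for human and service users. The records are constructed for the demonstration and are not from any real host.

```python
"""Audit passwd/group records against the account principles above."""
from collections import Counter

# Constructed sample records in `getent passwd` / `getent group` format.
# Two deliberate violations: a duplicate UID and a service user without s- prefix.
PASSWD = """\
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
s-web:x:2001:900::/srv/s-web:/bin/bash
s-db:x:2002:900::/srv/s-db:/bin/bash
backup:x:2003:900::/srv/backup:/bin/bash
carol:x:1001:100::/home/carol:/bin/bash
"""
GROUP = """\
users:x:100:alice,bob,carol
service:x:900:
"""


def parse_records(text):
    # Each non-empty line is one colon-separated record.
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit(passwd_text=PASSWD, group_text=GROUP):
    """Return a list of findings; an empty list means the records comply."""
    findings = []
    users = parse_records(passwd_text)
    groups = parse_records(group_text)
    gid_to_name = {g[2]: g[0] for g in groups}
    # Username, UID, group name and GID must each be globally unique.
    checks = (("username", [u[0] for u in users]), ("UID", [u[2] for u in users]),
              ("group name", [g[0] for g in groups]), ("GID", [g[2] for g in groups]))
    for label, values in checks:
        for value, count in Counter(values).items():
            if count > 1:
                findings.append(f"duplicate {label}: {value}")
    for name, _, uid, gid, _, home, _ in users:
        primary = gid_to_name.get(gid, f"gid {gid}")
        if primary == "service":
            # Service users: s- prefix (usual convention) and home in /srv/$USER.
            if not name.startswith("s-"):
                findings.append(f"service user {name} lacks s- prefix")
            if home != f"/srv/{name}":
                findings.append(f"service user {name} has home {home}, expected /srv/{name}")
        elif primary == "users":
            if home != f"/home/{name}":
                findings.append(f"human user {name} has home {home}, expected /home/{name}")
        else:
            findings.append(f"user {name} has unexpected primary group {primary}")
    return findings
```

On a real host, feed it the output of `getent passwd` and `getent group` instead of the constructed strings.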
Permissions
Users own a separate set of permissions for every project they are a member of. Common permissions include:
- login: Perform interactive shell login on a machine (via SSH).
- manager: Add or remove other users from the project. Define permissions for users in the project.
- sudo-srv: Sudo into service users on a machine (no password required).