User accounts¶
Principles¶
Users are either humans, or non-human users for services.
All users of a resource group are configured (e.g. visible via getent) on all hosts of a resource group.
The following attributes are globally unique: username and UID for users; group name and GID for groups.
The presence of an account alone does not imply any permission assignments.
Human users¶
The primary group is
users.The home directory is located in
/home/$USER.
Service users¶
The primary group is
service.Usernames usually start with
s-The home directory is located in
/srv/$USER.No SSH login is allowed by default to support the general data protection guidelines. In exceptional cases SSH access may be granted.
Human users that have the sudo-srv permission in a project are allowed to change to the service user (sudo -u <service_user_name> -i) and execute commands as a service user (sudo -u <service_user_name> <command>).
Permissions¶
Users own a separate set of permissions for every project they are a member of. Common permissions include:
- login
Perform interactive shell login on a machine (via SSH).
- manager
Add or remove other users from the project. Define permissions for users in the project.
- sudo-srv
Sudo into service users on a machine (password not necessary)