In many access control problems, we have a single group of users who all need identical access rights to a particular set of files. We can easily solve such problems with group permissions. There are, however, cases where we can’t use file permission flags and a single user group to achieve Least Privilege. Consider a policy that requires these three conditions:
Block access for the user community in general.
Grant read-only access to one group of users.
Grant read/write access to a second group of users.
We can’t do this with Unix-style permission flags and achieve Least Privilege. We might come close if we grant read-only access to everyone and read/write access to the second group. We also might come ...
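The following sketch is an added example, not part of the original text. It models the owner/group/other check and searches every owner, group and mode combination for one that meets the three-condition policy exactly. The user names, group names and the `admin` account are constructed assumptions.

```python
from itertools import product

# Constructed population (assumption): two users per role, so the single
# owner slot cannot stand in for a whole role. carol/chris are the community.
GROUPS = {
    "readers": {"alice", "adam"},
    "writers": {"bob", "beth"},
    "both": {"alice", "adam", "bob", "beth"},  # union group, tried as a workaround
}
USERS = ["admin", "alice", "adam", "bob", "beth", "carol", "chris"]

# The three-condition policy from the text, as required (read, write) rights.
# admin only administers the file and is not constrained by the policy.
POLICY = {
    "alice": (True, False), "adam": (True, False),
    "bob": (True, True), "beth": (True, True),
    "carol": (False, False), "chris": (False, False),
}

def access(user, owner, group, mode):
    """Classic Unix check: exactly one class (owner, group, other) applies."""
    if user == owner:
        bits = mode >> 6
    elif user in GROUPS[group]:
        bits = mode >> 3
    else:
        bits = mode
    return bool(bits & 4), bool(bits & 2)

def violations(owner, group, mode):
    """Users whose effective rights differ from the policy (over or under)."""
    return {u: access(u, owner, group, mode)
            for u, wanted in POLICY.items()
            if access(u, owner, group, mode) != wanted}

def exact_solutions():
    """Every owner/group/mode choice that meets the policy with no deviation."""
    return [(o, g, oct(m))
            for o, g, m in product(USERS, GROUPS, range(0o1000))
            if not violations(o, g, m)]

if __name__ == "__main__":
    print("exact solutions:", exact_solutions())
    # Near miss from the text: read-only for everyone, read/write for group 2.
    print("0664, group writers:", violations("admin", "writers", 0o664))
    print("0660, group writers:", violations("admin", "writers", 0o660))
```

The search comes back empty, and the near miss with mode 0664 leaves the general community able to read, while tightening it to 0660 locks out the read-only group instead.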