Effective accounts administration-local
My colleagues and I have been striving to find an effective method to create and maintain users/rights in a not so complex environments. That is to say a 10-20 servers with different rols which are accessed by several teams/admins and we need to keep thier access levels well in the realms of their area of work. This even include the junior admins who we want ot give read access to all the root area without them messing around or being able to geopradize the configs.
If their area of work is limited to cetain dirs this can be easily acheived with the etc/sudoers however in the larger scope of thier aspect it is not an efective solution. On the other hand you can not let them become root and get access to to the sensitive areas like etc/passwd or even worse change the ssh.confd configs.
What is the suitable way to acheive this and how can we have admins who are limited to view and no change level of access ?