Also ... in a real-world corporate setting, it doesn't take too long to see the virtue of a centrally-managed arrangement such as one built on Kerberos or LDAP (nee OpenDirectory). You see, right now you're setting up one-of-a-kind rules in a one-of-a-kind place, probably with the intent of matching rules that exist somewhere else for the same group of people, and the fundamental problem here can only get worse, and more unmanageable.
If you have any sort of "substantial" number of rules to deal with here, and especially if you need to match "the settings that exist for the same people in other contexts," seriously consider centralizing that process. Linux, thanks to PAM, is perfectly capable of it.
There's actually a rather serious sort of vulnerability that comes from finding "the exception to the rule," and one of the classic places to do that is by seeking out what is difficult to manage. "Perhaps it would be possible to worm into the Linux system and, from there, maybe be accepted by the rest of the system as actually being that person ..." If the Linux system, instead, conforms to the corporate world by virtue of respecting the same authority that everyone else does, it will no longer present that vulnerability to the enterprise. This is an absolutely purely human consideration, but, as such, it is maybe more real than bits and bytes alone would suggest.
Last edited by sundialsvcs; 10-09-2013 at 09:21 AM.
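As an added illustration of the "respect the same authority" point above (not part of the original post, and not a configuration its author supplied), here is what a minimal centralized setup looks like on a Linux host using sssd as the PAM/NSS back end: identities come from the corporate LDAP directory and passwords are verified by the corporate Kerberos KDC, so the host keeps no local copy of the rules. The hostnames, realm name and search base are placeholders that must be replaced with the site's own values.

```ini
# /etc/sssd/sssd.conf  (hypothetical example; replace example.com / EXAMPLE.COM)
# Must be owned by root and mode 0600, or sssd refuses to start.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
# Who the users and groups are: the central directory, never /etc/passwd copies.
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Pin the directory's CA so an attacker cannot answer for it with a forged server.
ldap_tls_cacert = /etc/ssl/certs/corporate-ca.pem
ldap_tls_reqcert = demand

# Whether the password is right: the central KDC, so the host never holds the secret.
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
# With auth_provider = krb5, sssd validates the TGT against the host keytab
# (/etc/krb5.keytab) so a rogue KDC cannot spoof a successful login.
krb5_validate = true

# Optional: let cached users log in while the network is down; omit on shared
# or exposed hosts, since it stores a hash of the last password locally.
cache_credentials = false
```

With this in place, the PAM stack simply includes pam_sss.so in the auth, account, password and session phases (distributions do this via authselect or pam-auth-update), and the Linux box stops being the "exception" where a one-off local account can be created or left behind: disabling the person centrally disables them here too. Two checks worth doing after deploying it: confirm `getent passwd someuser` resolves a directory user, and confirm that a login fails when the KDC is unreachable and cache_credentials is off, which is exactly the behaviour that proves the host is no longer its own authority.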