Sun Management Center Security Concepts
Security in Sun Management Center software is based on JavaTM security classes and SNMPv2usec (SNMP version 2, user-based security model) security standards.
The software offers the following layers of security:
-
Only valid Sun Management Center users can operate the software.
-
The software enables you to set security permissions or access control list (ACL) categories. The security features provide control at the administrative domain, group, host, and module levels.
-
The software authenticates users and access control for individual managed properties.
Access Control Categories
The software offers the following ACL categories:
-
Admin, like the superuser (root) in UNIX
-
Operator, as an operator who runs and monitors the system
-
General, like guest access with read-only viewing privileges
To understand ACL categories, you first need to understand Sun Management Center software users and groups. The following sections explain users and groups.
Sun Management Center Users
Sun Management Centerusers are valid UNIX users on the server host. As such, the system administrator has to add valid users into the file /var/opt/SUNWsymon/cfg/esusers. If a user's name is not in this file, that user cannot log into the Sun Management Center software.
General Users
The administrator has to add the list of user IDs for all users who need to log into Sun Management Center software. All users in this file have general access privileges, by default, unless the users are given additional privileges using the procedures described in To Grant a User esadm, esops, or esdomadm Privileges.
Any user who is part of the esusers file is known as a general user. Sun Management Center general users can, by default, perform the following functions:
-
Log into the software
-
View the administrative domains, hosts, and modules that are created
-
View events
-
Trigger manual refreshes
-
Run ad hoc commands
-
Graph data
Sun Management Center Superuser
The Sun Management Center superuser automatically belongs to all the groups that are described in the following sections. The Sun Management Center superuser has administrator privileges as described in Sun Management Center Administrators or esadm.
Sun Management Center Groups
The following groups are created by default on the server host during the Sun Management Center server setup:
In addition, all the Sun Management Center users belong to a hypothetical group, called ANYGROUP.
The listed groups must be defined on the machine where the Sun Management Center server layer is running. These groups do not need to be defined on other machines. These groups are described in greater detail in the sections that follow.
Note –
The listed groups are defined in the /etc/group file.
Sun Management Center Operators or esops
Sun Management Center software users that belong to the group esops are usually operator users. These operators run, monitor, and to some extent, configure parameters on the managed systems. esops can perform operations, including some operations that are allowed for general users:
-
Disable or enable modules
-
Set alarm limits
-
Set rule parameters
-
Run alarm actions
-
Run ad hoc commands
-
Set the refresh interval
-
Acknowledge, delete, or fix events
-
Enable or disable history logging
-
Set logging history parameters
Sun Management Center Administrators or esadm
Software users that belong to the group esadm can perform administrator operations. Administrator operations are a superset of the operations that can be performed by operator users as described in Sun Management Center Operators or esops. In addition to all the operations that operator users (esops) can perform, these administrator users (esadm) can perform the following operations:
-
Load or unload modules
-
Set ACL users and groups
-
View administrative domains, hosts, or modules
Sun Management Center Domain Administrators or esdomadm
The users that belong to the group esdomadm can perform the following domain administrator operations:
-
Create administrative domains
-
Create groups within administrative domains
-
Add objects to groups or administrative domains
-
View administrative domains, hosts, or modules
Note –
Other than the privileges listed above, a user that belongs to esdomadm is just a general user, unless configured otherwise.
Administrator, Operator, and General Functions
The following table lists the different types of functions that users can do by default. A mark in a given cell indicates that the specified user can perform the listed function.
This table applies to all modules. Individual modules can also have specific restrictions, which are under the control of the module.
Table 18–1 Domain Admin, Admin, Operator, and General Functions|
Function |
Domain Admin |
Admin |
Operator |
General |
|---|---|---|---|---|
|
Load modules |
|
x |
|
|
|
Unload modules |
|
x |
|
|
|
Create administrative domains |
x |
|
|
|
|
Create groups within administrative domains |
x |
|
|
|
|
Add objects to groups or administrative domains |
x |
|
|
|
|
View administrative domains, hosts or modules |
x |
x |
x |
x |
|
Set ACL users or groups |
|
x |
|
|
|
Disable or enable modules |
|
x |
x |
|
|
Set module active time window |
|
x |
x |
|
|
Set alarm limits |
|
x |
x |
|
|
Set rule parameters |
|
x |
x |
|
|
Run alarm actions |
|
x |
x |
|
|
Run ad hoc commands |
|
x |
x |
|
|
Set the refresh interval |
|
x |
x |
|
|
Manually trigger a refresh |
x |
x |
x |
x |
|
Enable or disable history logging |
|
x |
x |
|
|
Set logging history parameters |
|
x |
x |
|
|
Acknowledge, delete, or fix events |
|
x |
x |
|
|
View events |
x |
x |
x |
x |
In Sun Management Center software, the above categories maintain inclusive relationships. This means that a user who has esadm privileges can do anything that a user who has esops privileges can do. An administrator can change the default permissions so that a user who has esops privileges can do more than a esadm user. Inclusive relationships mean that there is nothing in the software that makes one of esops, esadm, or esdomadm more powerful than either of the others.
For more information about how to override default privileges, see To Override Default Agent Privileges.
Default Privileges
Administrative domains are manipulated by the Topology manager. This section describes the default privileges for the Topology manager, for other agents, and for other modules.
Default Privileges for the Topology Manager
The default privileges for Topology manager, where administrative domains are maintained, are listed in the following table.
Table 18–2 Default Privileges for Topology Manager|
Topology Manager |
Default Privileges |
|---|---|
|
List of Admin Users |
|
|
List of Operator Users |
|
|
List of General Users |
|
|
List of Admin SNMP Communities |
|
|
List of Operator SNMP Communities |
|
|
List of General SNMP Communities |
public |
|
List of Admin Groups |
esdomadm |
|
List of Operator Groups |
esops |
|
List of General Groups |
ANYGROUP |
Other Sun Management Center Component and Module Default Privileges
The default privileges for components and modules not in the Topology manager are listed in the following table.
Table 18–3 Sun Management Center Component and Module Default Privileges|
Components and Modules |
Default Privileges |
|---|---|
|
List of Admin Users |
|
|
List of Operator Users |
|
|
List of General Users |
|
|
List of Admin Groups |
esadm |
|
List of Operator Groups |
esops |
|
List of General Groups |
ANYGROUP |
|
List of Admin SNMP Communities |
|
|
List of Operator SNMP Communities |
|
|
List of General SNMP Communities |
public |
The keyword ANYGROUP is not a true UNIX group, but is a special keyword that means that any user who can log into Sun Management Center software is given general access to the objects.
- © 2010, Oracle Corporation and/or its affiliates