The install team creates the administrative roles (other than root) to be used at the site. The team assigns each role its rights profiles. Initial rights profiles are provided on the installation CD-ROM.
Prerequisite: If you are using a name service, the name service and home directory must be set up before you create the administrative roles secadmin, admin, and oper.
In previous releases, roles were local. In Trusted Solaris 8, roles (other than root) can be distributed, and are created by the install team. Profiles are hierarchical, so each role can be assigned a profile that includes other profiles.
1. In the root role, at label ADMIN_LOW, invoke the Solaris Management Console action from the Application Manager.
See "To Initialize the SMC Server" if you are unsure of how to start the SMC server.
2. Select the appropriate toolbox.
See "To Select a Toolbox of the Appropriate Scope" for assistance.
3. Click Trusted Solaris Configuration, then double-click Users.
4. Enter the role password at the prompt.
5. Double-click Administrative Roles (the icon label is truncated to Administrativ...).
If the toolbox icons display as red stop signs, the toolboxes have not loaded. To load them, do Step 4 (enter the role password).
6. Choose Add Administrative Role from the Action menu.
The Add Administrative Role wizard prompts for every value that a role needs in order to work; any field you are not prompted for receives its default. To view or modify all fields of a role, double-click the role after creating it.
7. Create the secadmin role to be the security administrator. Use the following table when creating the role.
The secadmin password, like every password at the site, must be hard to guess, so that an attacker cannot gain access simply by guessing it. The figure of at least 6 alphanumeric characters in the table is a floor, not a target; give administrative roles a considerably longer password.
For all administrative roles, make the account Always Available, and do not set password expiration dates.
Table 3-2 secadmin Values in the Add Administrative Role Wizard
Tab | Role Field | (Recommended) Value
---|---|---
Role Name | Role name | secadmin
 | Full Name | Security Administrator
 | Description | No proprietary info here.
 | Role ID Number | >=100
 | Role shell | Administrator's Bourne (profile shell)
 | Create a role mailing list | checked
Password | Password and confirm | Assign a password of at least 6 alphanumeric characters.
Rights | Available and Granted | Rights Security
Home Directory | Server | home directory server
 | Path | /mount_path
Assign Users | Add and Delete | This will be automatically filled in when you assign a role to a user.
After creating the role, double-click it to open its Properties dialog and modify it, using the following table as a guide.
Table 3-3 secadmin Values in Properties/Modify Dialog
Tab | Role Field | (Recommended) Value
---|---|---
Password | Set password by Type in or Choose from list | (Set in Table 3-2.)
 | Update password by Choose from list or Type in | 
Group | Available Groups | 
Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct.
 | Clearance: Edit | Default value is correct.
 | View: External or Internal | The default value is External.
 | Label: Show or Hide | If your site is a no-label site, choose Hide.
 | Lock account ... | Default value, No, is correct.
Audit | Excluded and Included | Set flags per site security policy
Using the preceding tables as a guide, create the following roles with unique IDs:
Role Name | Granted Rights
---|---
admin | System Administrator
primaryadmin | Primary Administrator
oper | Operator
You must create the administrative roles before you create the users, since you will assign a role to each user.
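The wizard gives no summary of what it wrote, so the check below, an added example and not part of the Trusted Solaris documentation, reads the passwd and user_attr(4) databases back and confirms for each role what this procedure asked for: the entry has type=role, the granted rights profile is present, the shell is a profile shell, the UID is 100 or more, and no two roles share a UID. It assumes local roles (so /etc/passwd and /etc/user_attr on the host; for a name service, dump the maps to files and pass those paths instead). The sample data written by write_sample_files is constructed for the example, with oper deliberately misconfigured to show the failure reports, and "Security Administrator" as the secadmin profile name is an assumption.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris documentation: once the roles
# have been created with the SMC wizard, confirm that each one is defined as
# a role, has its rights profile, uses a profile shell and has a unique UID
# of 100 or more. Assumes the roles are local, so they appear in the passwd
# and user_attr(4) databases (/etc/passwd and /etc/user_attr on the host);
# for a name service, dump the maps to files and pass those paths instead.
# The data written by write_sample_files is constructed for this example,
# and "Security Administrator" as the secadmin profile is an assumption.

# check_role PASSWD USER_ATTR ROLE PROFILE
# Returns 0 if ROLE has type=role with PROFILE granted, a UID >= 100 and a
# profile shell; otherwise prints the reason and returns 1.
check_role() {
    passwd=$1; user_attr=$2; role=$3; profile=$4
    pw=$(awk -F: -v r="$role" '$1 == r { print; exit }' "$passwd")
    [ -n "$pw" ] || { echo "$role: no passwd entry"; return 1; }
    uid=$(printf '%s\n' "$pw" | cut -d: -f3)
    shell=$(printf '%s\n' "$pw" | cut -d: -f7)
    [ "$uid" -ge 100 ] || { echo "$role: UID $uid is below 100"; return 1; }
    case "$shell" in
        */pfsh|*/pfcsh|*/pfksh) ;;
        *) echo "$role: $shell is not a profile shell"; return 1 ;;
    esac
    # user_attr(4) line: user:qualifier:res1:res2:attr, attr = key=value;key=value
    attr=$(awk -F: -v r="$role" '$1 == r { print $5; exit }' "$user_attr")
    [ -n "$attr" ] || { echo "$role: no user_attr entry"; return 1; }
    case ";$attr;" in
        *";type=role;"*) ;;
        *) echo "$role: user_attr type is not role"; return 1 ;;
    esac
    profiles=$(printf '%s\n' "$attr" | tr ';' '\n' | sed -n 's/^profiles=//p')
    case ",$profiles," in
        *",$profile,"*) return 0 ;;
        *) echo "$role: profile '$profile' not granted (has: ${profiles:-none})"; return 1 ;;
    esac
}

# check_unique_uids PASSWD ROLE...  Returns 0 when no two listed roles share a UID.
check_unique_uids() {
    passwd=$1; shift
    for r in "$@"; do
        awk -F: -v r="$r" '$1 == r { print $3 }' "$passwd"
    done | sort | uniq -d | grep -q . && return 1
    return 0
}

# write_sample_files DIR: constructed fragments of the two databases. oper is
# deliberately wrong: type=normal, an ordinary shell, and a UID shared with primaryadmin.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
secadmin:x:100:10:Security Administrator:/export/home/secadmin:/usr/bin/pfsh
admin:x:101:10:System Administrator:/export/home/admin:/usr/bin/pfsh
primaryadmin:x:102:10:Primary Administrator:/export/home/primaryadmin:/usr/bin/pfsh
oper:x:102:10:Operator:/export/home/oper:/bin/sh
EOF
    cat > "$1/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
secadmin::::type=role;profiles=Security Administrator,All
admin::::type=role;profiles=System Administrator,All
primaryadmin::::type=role;profiles=Primary Administrator
oper::::type=normal;profiles=Operator
EOF
}

# With two arguments, check the given passwd and user_attr files; with none,
# run the checks over the constructed sample data.
if [ $# -eq 2 ]; then
    PASSWD=$1; USER_ATTR=$2; DEMO=
else
    DEMO=${TMPDIR:-/tmp}/rolecheck.$$
    mkdir -p "$DEMO" && write_sample_files "$DEMO"
    PASSWD=$DEMO/passwd; USER_ATTR=$DEMO/user_attr
fi
for spec in "secadmin:Security Administrator" "admin:System Administrator" \
            "primaryadmin:Primary Administrator" "oper:Operator"; do
    if check_role "$PASSWD" "$USER_ATTR" "${spec%%:*}" "${spec#*:}"; then
        echo "${spec%%:*}: ok"
    fi
done
check_unique_uids "$PASSWD" secadmin admin primaryadmin oper || echo "two roles share a UID"
if [ -n "$DEMO" ]; then rm -rf "$DEMO"; fi
```

Run it with no arguments to see the sample output (secadmin, admin and primaryadmin report ok; oper is rejected for its ordinary shell, and the shared UID is reported), or as `sh rolecheck.sh /etc/passwd /etc/user_attr` on the host after the wizard has run. The profile-shell test accepts any of pfsh, pfcsh and pfksh because the table only fixes the Bourne variant as the recommended value; tighten it to `*/pfsh` if the site standardizes on that one.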
Return to the procedure and chapter you are working from.