Authorized User Object Definition

The Authorized User and Proxy User objects can be created and managed by both the administration GUI and the command line interface. The administration GUI pages that manipulate these objects have already been elaborated in the administration GUI chapter. This section describes the attributes of these objects and their manipulation using the command line.

The Authorized User object contains the following items:

• name name of the entity -- 1-255 characters, not including enabled or disabled enablement flag for the entire object; if disabled, authentication of the associated user is always denied; default is enabled.

• password={ pwitem }-- (optional) a simple-text password for this user.

• securid={ siditem }-- (optional) a SecurID mapping for this user.

• real_name="rnstr" -- (optional) a demographic string that can be used to identify the person in a more readable form.

• contact_info="cistr"-- (optional) a demographic string that can be used to automate contact with the person (for example, electronic mailbox address).

• description="descstr" -- (optional) a demographic string that can be used to store other notations about the person.

  ---

  Note -

  Either a password or securid item, or both, must be present for any Authorized User object.

  ---

The password= and securid= items define authentication methods for the Authorized User.

The password= item has the following sub-items:

"passwd"-- the plain-text password string; should either be empty (for example, "") or contains a one to eight character password; if this field is non-empty, then the next sub-item (crypt_password=) should not occur.

crypt_password="cryptpasswd" -- (optional) the encrypted version of the plain-text password string; if this sub-item is present, then the plain-text password string (above) should be empty enabled | disabled enablement flag for this simple-text password authentication method; if disabled, any password presented for authentication of this user is not compared against this sub-item; the default is enabled.

The processing of passwd and crypt_password= sub-items is special. When an Authorized User object is first created (or whenever a new password is set for that user), the password can be presented in plain-text using the (non-empty) passwd sub-item. Thereafter (for example, whenever the object is edited), the crypt_passwd= sub-item can be used to retain a password without having to know (or retype) the plain-text form. The encryption method used for these objects is identical to that used by Solaris to encrypt user passwords (those stored in /etc/shadow). This provides the ability to clone encrypted passwords from Solaris to SunScreen EFS 3.0 user descriptions without the SunScreen EFS 3.0 administrator needing to know the users plain-text passwords. This fact also means that the content of the SunScreen EFS 3.0 Authorized User database is maintained with file permissions that prevent access from all but root users of the SunScreen EFS 3.0.

The securid= item has the following sub-items:

"securidname" -- User login name associated with this users SecurID token in the ACE/Server database enabled | disabled enablement flag for this SecurID authentication method; if disabled, any password presented for authentication of this user is not be submitted to the ACE/Server; the default is enabled.

If both simple-text and SecurID methods exist in a single Authorized User object, the simple-text method should be presented first.