Defining an Authorized User Object

In examples, the names of authorized users, proxy users, and other user naming items are often different for purposes of clarity and illustration.

You can create and manage the authorized user and proxy user objects through the administration GUI and the command line interface. This section describes the attributes of these objects and their manipulation using the command line.

The authorized user object contains the following items:

• name  name of the entity (1 to 255 characters)

• enabled | disabled - The flag for the entire object. If disabled, authentication of the associated user is always denied. The default is enabled.

• password={ pwitem } (optional) - A simple-text password for this user.

• securid={ siditem } (optional) - A SecurID mapping for this user.

• real_name="rnstr" (optional) - A demographic string that can be used to identify the person in a more readable form.

• contact_info="cistr" (optional) - A demographic string that can be used to automate contact with the person (for example, electronic mailbox address).

• description="descstr" (optional) - A demographic string that can be used to store other notations about the person.

  ---

  Note -

  Either a password item or securid item or both must be present for any authorized user object.

  ---

The password= and securid= items define authentication methods for the authorized user.

The password= item has the following subitems:

• passwd - The plaintext password string. It is either empty ("") or it contains a one to eight-character password; if this field is not empty, then the next subitem (crypt_password=) does not appear.

• crypt_password=cryptpasswd (optional) - The encrypted version of the plaintext password string. If this subitem is present, the plaintext password string (above) is empty

• enabled | disabled - The flag for this simple-text password authentication method. If disabled, any password presented for authentication of this user is not compared against this subitem. The default is enabled.

The processing of passwd and crypt_password= subitems is special. When an authorized user object is first created (or whenever a new password is set for that user), the password can be presented in plaintext using the (nonempty) passwd subitem. Thereafter (for example, whenever the object is edited), the crypt_passwd= subitem can be used to retain a password without having to know (or retype) the plaintext form.

The encryption method used for these objects is identical to that used by Solaris to encrypt user passwords (those stored in /etc/shadow). This provides the ability to clone encrypted passwords from Solaris to SunScreen user descriptions without the SunScreen administrator needing to know the users' plaintext passwords. This also means that the content of the SunScreen authorized user database is maintained with file permissions that prevent access from all but root users of the SunScreen.

The securid= item has the following subitems:

• "securidname" - User login name associated with this users' SecurID token in the ACE/Server database.

• enabled | disabled - The flag for this SecurID authentication method. If disabled, any password presented for authentication of this user is not submitted to the ACE/Server. The default is enabled.

  ---

  Note -

  If both simple-text and SecurID methods exist in a single authorized user object, the simple-text method is presented first.

  ---