Security in Sun Management Center software is based on Java^TM security classes and SNMPv2 usec (SNMP version 2, user-based security model) security standards. This chapter discusses security features, users and groups, and their privileges.

The software offers the following layers of security:

• Only valid Sun Management Center users can operate the software.
• The software enables you to set security permissions or access control (ACL) categories and provides control at the administrative domain, group, host, and module levels.
• It authenticates user login and access control for individual managed properties.

This chapter describes the following:

• To Add Sun Management Center Users
• To Access ACL on a Module
• To Add a User-Defined Group to an ACL
• To Grant a User esadm, esops, or esdomadm Privileges
• To Delete Sun Management Center Users
• To Override Default Privileges

Access Control Categories

The software offers the following ACL categories:

• Admin, like the superuser (root) in UNIX
• Operator, as an operator who runs and monitors the system
• General, like guest access with read-only viewing privileges

To understand ACL categories, you first need to understand Sun Management Center software users and groups. The following sections explain users and groups.

Sun Management Center Users

Sun Management Center users are valid UNIX users on the server host. As such, the system administrator has to add valid users into the following file;
/var/opt/SUNWsymon/cfg/esusers.

If a user's name is not in this file, that user cannot log into the Sun Management Center software unless the user logs in as espublic or esmaster since these two user names are part of this file. (See the following section for more information.)

Public and Private Users

During the Sun Management Center server setup, the file /var/opt/SUNWsymon/cfg/esusers is created and the following users are added to the file automatically:

• espublic
  espublic is comparable to logging into a UNIX system as guest. It enables users to have "general" privileges. For example, when a user tries to access information from a session running in a different Sun Management Center server from their own, they are given access as espublic and are able to view the information as a guest only.
• esmaster
  esmaster is comparable to being superuser in UNIX. It automatically gives "admin" access privileges to users logging into the software.

The administrator has to add the additional list of user IDs for all other users who need to log into Sun Management Center software. All users in this file have "general" access privileges, by default, unless they are given additional privileges using the procedures described in "Using Access Control".

---

Note - The user names espublic and esmaster are not configurable during installation. They must specifically be defined as espublic and esmaster.

---

General Users

Any user who is part of the esusers file is known as a "general" user. Sun Management Center general users can, by default, perform the following functions:

• Log into the software
• View the administrative domains, hosts, and modules that are created
• View the events
• Trigger manual refreshes
• Run ad hoc commands
• Graph data

Sun Management Center Superuser

Implicitly, the Sun Management Center superuser belongs to all the groups described in the following sections. Sun Management Center superuser has "admin" privileges as described in "Sun Management Center Administrators or esadm".

Sun Management Center Groups

The following groups are created by default on the server host during the Sun Management Center server setup:

• esops
• esadm
• esdomadm

In addition, all the Sun Management Center users belong to a hypothetical group, called ANYGROUP.

The above groups must be defined on the machine where the Sun Management Center Configuration manager is running. They do not need to be defined on other machines. These groups are described in greater detail in the sections that follow.

---

Note - The preceding groups are defined in the /etc/group file. Note that although Sun Management Center esmaster and espublic users are configured as members of the preceding groups, they are not explicitly mentioned in the
/etc/group file.

---

Sun Management Center Operators or esops

Sun Management Center software users belonging to the group esops are usually referred to as operator users who run, monitor, and to some extent, configure some parameters on the managed systems. As you can see in the following list, esops can perform operations, including some that are allowed for general users:

• Disable or enable modules
• Set module active time window
• Set alarm limits
• Set rule parameters
• Run alarm actions
• Run adhoc commands
• Set refresh interval
• Acknowledge, delete, or fix events
• Enable or disable history logging
• Set logging history parameters

Sun Management Center Administrators or esadm

Software users belonging to the group esadm can perform "admin" operations, which are a superset of the operations that can be performed by operator users as described in "Sun Management Center Operators or esops". In addition to all the operations that "operator" users (esops) can perform, these "admin" users (esadms) can perform the following operations:

• Load or unload modules
• Set ACL users and groups
• View administrative domains, hosts, or modules

Sun Management Center Domain Administrators or esdomadm

The users belonging to the group esdomadm can perform the following "domain administrator" operations:

• Create administrative domains
• Create groups within administrative domains
• Add objects to groups or administrative domains
• View administrative domains, hosts, or modules

---

Note - Other than the privileges listed above, a user belonging to "esdomadm" is just a "general" user, unless configured otherwise.

---

Admin, Operator, and General Functions

TABLE 14-1 contains the different types of functions users can do by default.

This table is general in nature and applies to all modules. Individual modules may also have specific restrictions, which are under the control of the module.

TABLE  14-1   Domain Admin, Admin, Operator, and General Functions 

Function	Domain Admin	Admin	Operator	General
Load modules		x
Unload modules		x
Create administrative domains	x
Create groups within administrative domains	x	x
Add objects to groups or administrative domains	x	x
View administrative domains, hosts or modules	x	x	x	x
Set ACL users or groups		x
Disable or enable modules		x	x
Set module active time window		x	x
Set alarm limits		x	x
Set rule parameters		x	x
Run alarm actions		x	x
Run adhoc commands		x	x
Set refresh interval		x	x
Manually trigger a refresh		x	x	x
Enable or disable history logging		x	x
Set logging history parameters		x	x
Acknowledge, delete, or fix events		x	x
View events		x	x	x

In Sun Management Center software, the above categories maintain inclusive relationships or privileges. This means that, by default, a user who has esadm privileges can do anything that a user who has esops privileges can. But an administrator has the option to change the default permissions so that a user who has esops privileges can do more than a esadm user. Inclusive relationships means that these three groups, esops, esadm, and esdomadm, do not have any code enforcement behind them which makes one group more powerful than the other.

For more information on how to override default privileges, see "Overriding the Default Privileges".

Specifying Access Control

The administrators (esadm group) can specify ACL features for users and groups for the following:

• Administrative domains
• Groups within administrative domains
• Hosts
• Modules

Admin, Operator, and General Access

An ACL specification consists of establishing or defining one or more of the following:

• Administrator users and administrator groups
  A list of users and groups who can perform administrator operations. By default, they are esadm or esdomadm, wherever applicable.
• Operator users and operator groups
  A list of users and groups who can perform operator operations. By default, they are esops.
• General users and general groups
  A list of users and groups who can perform general operations. By default, this is a hypothetical group called ANYGROUP.
• Communities for administrators (SNMP)
  A list of SNMP communities that can perform admin operations using SNMP protocol.
• Communities for operators (SNMP)
  A list of SNMP communities that can perform operator operations using SNMP protocol.
• Communities for general (SNMP)
  A list of SNMP communities that can perform general operations using SNMP protocol.

Sun Management Center Remote Server Access

Users can access and view data from sessions running on remote Sun Management Center servers. When a user tries to gain access to such information, that user is provided access as espublic (guest) with read-only privileges. The behavior of Sun Management Center sessions running on different servers is defined in terms of each session's server context. See "Sun Management Center Server Context" for more information.

As a user, you can access and set up a different server context for a variety of reasons:

• To provide for separate security access privileges so that each server context could have different users and administrators and yet be accessible to each other
• To allow for physical separation between elements, as in the context of a wide area network (WAN)
• To increase performance since this would allow many hosts to be handled by one set of central components

By linking to a different server context, you can view the top level status of the objects in the other server context.

Sun Management Center Server Context

A server context is defined as agents running on many hosts, all sharing a single set of the following central components:

• Sun Management Center server
• Topology manager
• Event manager
• Trap handler
• Configuration manager

A server context is defined as a collection of Sun Management Center agents and the particular server layer to which the console is connected. Agents within the same server context can talk to each other. Agents in remote server contexts can talk using read-only privileges.

Every Sun Management Center component or agent is configured at installation to know the location of its Trap handlers and Event managers. Sun Management Center software identifies the Trap handlers and the Event managers by their IP or port addresses. This means that if you want to determine if you are within your server context or are accessing information from another server context, you need to know the respective IP or port addresses of the servers that you access. Different server contexts have different port numbers.

A remote server context refers to a collection of agents and a particular server layer with which the remote agents are associated.

FIGURE  14-1 Remote Server Context

An agent gets its security configuration from the server layer. For example:

• Agents within the same server context can talk to each other.
• Agents in remote server contexts can talk remotely using read-only privileges.
• Requests to agents in remote servers are performed as the Sun Management Center espublic user. This allows successful requests across servers, as long as Sun Management Center sessions on both servers have the same password for user espublic.
• Each Sun Management Center server maintains a list of agent IP or port address, to distinguish objects in its own context from objects on a different Sun Management Center server.

Limitations While Crossing Servers

Some security restrictions apply when a user tries to communicate across server contexts.

In the current Sun Management Center environment, you can access information from another server with a few limitations:

• If you try to access a different or remote server context, the server give you access with espublic user privileges. Thus you can access data but cannot modify or use the objects within the different server. You are restricted only to viewing the remote server objects. Therefore, the following consequences apply:
  • You can access other server contexts as long as the espublic user password is the same in all contexts.
  • You can view data in another context as user espublic, but you cannot perform control actions, such as setting alarm thresholds, and other similar functions.
• Edit functions work differently in a remote server. For example, you can copy and paste between contexts but cannot cut and paste between contexts.

---

Note - From a graphical user interface perspective, it is important to note that it may not be obvious that you are accessing a different server context. To identify if you are accessing a different server, check the server's IP port number or address in the Info tab of the Details window.

---

Using Access Control

The following sections describe how to perform the following key ACL functions:

• To Add Sun Management Center Users
• To Access ACL on a Module
• To Add a User-Defined Group to an ACL
• To Grant a User esadm, esops, or esdomadm Privileges
• To Delete Sun Management Center Users

To Add Sun Management Center Users

---

Note - By adding a user to the users list, the user has default privileges. See "Default Privileges" and "Overriding the Default Privileges" for more information.

---

To Access ACL on a Module

• Click the right mouse button on the selected object and highlight Attribute Editor from the pop-up menu.
• Select Tools Attribute Editor in the main console window.

FIGURE  14-2 Example of Security Fields in the Attribute Editor

---

Note - Use spaces or commas between multiple entries as illustrated in the entries for "Operator" under "Users."

---

The preceding example of the Attribute Editor with the Security tab selected contains the following field entries:

TABLE  14-2   Security Attributes

Attribute	Description
Administrator Users	A list of users. jim is a user who can perform administrator operations
Operator Users	A list of operators. john and others are users who can perform operator operations. Note that their entries are separated by one or more spaces
General Users	A list of general users. Here, nick and richie are users who can perform general operations
Administrator Groups	All the users belonging to esadm and administrators can perform administrator operations. By default, they are esadm or esdomadm, as applicable
Operator Groups	All users belonging to esops can perform operator operations
General User Groups	ANYGROUP is a hypothetical group that can perform general operations. All Sun Management Center users belong to this hypothetical group
Communities for Administrators	This field is empty denoting that there is no SNMP community that can perform admin operations using the SNMP protocol
Communities for Operators	This field is empty denoting that there is no SNMP community that can perform operator operations using the SNMP protocol
Communities for General Users	public is an SNMP community that can perform general operations using the SNMP protocol

---

Note - For more information on security privileges, see "Access Control Categories".

---

To Add a User-Defined Group to an ACL

# /usr/sbin/groupadd groupname

To Grant a User esadm, esops, or esdomadm Privileges

To Delete Sun Management Center Users

After a user is deleted from the list of Sun Management Center users, the user can no longer log into the Sun Management Center server. Make sure to delete that user from all the ACLs.

Default Privileges

Administrative domains are manipulated by the Topology manager. This section illustrates the default privileges for the Topology manager and for other agents and modules.

Topology Manager Default Privileges

The default privileges for Topology manager (where administrative domains are maintained) are listed in the following table.

TABLE  14-3   Default Privileges for Topology Manager

Topology Manager	Default Privileges
List of Admin Users
List of Operator Users
List of General Users
List of Admin SNMP Communities
List of Operator SNMP Communities
List of General SNMP Communities	public
List of Admin Groups	esdomadm
List of Operator Groups	esops
List of General Groups	ANYGROUP

Other Sun Management Center Component and Module Default Privileges

The default privileges for all other components and modules are listed in the following table.

TABLE  14-4   Sun Management Center Component and Module Default Privileges

Components/Modules	Default Privileges
List of Admin Users
List of Operator Users
List of General Users
List of Admin Groups	esadm
List of Operator Groups	esops
List of General Groups	ANYGROUP
List of Admin SNMP Communities
List of Operator SNMP Communities
List of General SNMP Communities	public

The keyword ANYGROUP is not a true UNIX group, but is a special keyword that means that "any user who can log into Sun Management Center software is given general access to the objects."

Overriding the Default Privileges

In Sun Management Center software, only administrators can override default privileges using the Attribute Editor to modify the ACL lists for that particular object.

The following section illustrates how to override default list privileges.

To Override Default Privileges

Create the following override files in the /var/opt/SUNWsymon/cfg directory: