Access Control Definitions and Limitations

The esadm group can specify ACL features for users and groups for the following components:

• Administrative domains

• Groups within administrative domains

• Hosts

• Modules

Admin, Operator, and General Access

An ACL specification consists of establishing or defining one or more of the following parameters:

• Administrator users and administrator groups – A list of users and groups who can perform administrator operations. By default, these users are esadm or esdomadm, wherever applicable.

• Operator users and operator groups – A list of users and groups who can perform operator operations. By default, these users are esops.

• General users and general groups – A list of users and groups who can perform general operations. By default, this category is a hypothetical group that is called ANYGROUP.

• Communities for administrators (SNMP) – A list of SNMP communities that can perform administrator operations that use SNMP.

• Communities for operators (SNMP) – A list of SNMP communities that can perform operator operations that use SNMP.

• Communities for general (SNMP) – A list of SNMP communities that can perform general operations that use SNMP.

Sun Management Center Remote Server Access

Users can access and view data from sessions that are running on remote Sun Management Center servers. When a user tries to gain access to such information, that user is provided access as a general user with read-only privileges. The behavior of Sun Management Center sessions that are running on different servers is defined in terms of each session's server context. See Sun Management Center Server Context and Security for more information.

As a user, you can access and set up a different server context for a variety of reasons:

• To enable each server context to have different users and different administrators, and yet remain accessible to each other

• To allow for physical separation between elements, as in the context of a wide area network (WAN)

• To increase performance by enabling many hosts to be handled by one set of central components

By linking to a different server context, you can view the top level status of the objects in the other server context.

Sun Management Center Server Context and Security

A server context is a collection of Sun Management Center agents and the particular server layer to which the agents are connected. The agents and hosts within a server context share a single set of the following central components:

• Sun Management Center server

• Topology manager

• Event manager

• Trap handler

• Configuration manager

Every Sun Management Center component or agent is configured at installation to know the location of its trap handlers and event managers. Sun Management Center software identifies the trap handlers and the event managers by their IP and port addresses. To determine whether you are within your server context, you need to know the respective IP and port addresses of the servers that you access. Different server contexts have different port numbers.

A remote server context refers to a collection of remote agents and a particular server layer with which the remote agents are associated.

An agent receives security configuration from the server layer. This information enables the agent to authenticate the management request that is sent to the agent. Then, the agent can perform access control on the requested operation as part of the management request.

Limitations When Crossing Servers

Some security restrictions apply when a user tries to communicate across server contexts.

In the current Sun Management Center environment, you can access information from another server with a few limitations:

• If you try to access a remote server context, the server give you general user access. Thus, you can access data but cannot modify or use the objects within the different server. You are restricted to viewing only the remote server objects.

• You can view data in another context as a general user, but you cannot perform control actions, such as setting alarm thresholds and other similar functions.

• Edit functions work differently in a remote server. For example, you can copy and paste between contexts. You cannot cut and paste between contexts.

In the console, the fact that you are accessing a different server context might not be obvious. To identify whether you are accessing a different server, check the server's IP port number or address in the Info tab of the Details window.