Sun N1 System Manager 1.1 Administration Guide

Introduction to N1 System Manager User Security

This section provides information about how to set up and manage user security for the N1 System Manager.

The following tasks are used to manage N1 System Manager users:

The following tasks are used to manage N1 System Manager roles:

The N1 System Manager provides a user account system that allows users to have role-based access to its main features (commands and browser interface areas) through a predefined, fixed set of privileges. A privilege is a predefined set of permissions enabling a user to perform operations within the N1 System Manager, such as installing OS distributions or deleting jobs. A role is a set of privileges to which a user has access. The N1 System Manager provides three system default roles, but customized roles can be created depending on your needs.

The following table lists the system default roles that are automatically provided by the N1 System Manager. These system default roles cannot be modified.

Table 1–1 System Default Roles

| Role | Privileges | Description |
|---|---|---|
| Admin | All privileges except SecurityAdmin privileges | This role has all the privileges available on the N1 System Manager except those required for role management, which is provided by the SecurityAdmin role. |
| ReadOnly | All read-only (*Read) privileges except SecurityAdmin privileges | This role allows the user to view only status (read-only) information about the N1 System Manager. |
| SecurityAdmin | RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead | This role only has the privileges required to perform role management operations, such as creating roles, adding privileges to roles, and adding roles to users. |

When you install the Sun N1 System Manager software, the management server's superuser (root) account has all three system default roles automatically added to it, and the Admin role is the account's default role.

Users with the SecurityAdmin role (security administrators) are allowed to create new roles as needed in their organization, which includes adding one or more privileges to those roles. Security administrators can also add roles to users.

For example, you might need to restrict specific users to perform only OS update management on the provisionable servers. A security administrator could create a new role, called OSUpdateAdmin, and add the following privileges to it: GroupRead, JobRead, LogRead, ServerDeployUpdate, ServerRead, UpdateRead, and UpdateWrite. See Table 1–2 for details about privileges. Then, the security administrator would add that role to those specific users. If OSUpdateAdmin is the only role added to the users, the users would not be able to access any part of the N1 System Manager other than the OS update management feature.


Note – Non-root users with only the SecurityAdmin role are not allowed to extend their own privilege set, either by adding new privileges to the SecurityAdmin role (which cannot be modified) or by adding new roles to their own user account. See Security Administrator Rules for more details.


The following table lists the set of predefined privileges that may be added to roles. To display an abbreviated form of this list, use the show privilege command.

Table 1–2 N1 System Manager Privileges

| Privilege | Description | Commands |
|---|---|---|
| Discover | Discover servers | discover |
| FirmwareRead | List firmware updates | show firmware |
| FirmwareWrite | Manage firmware updates | create firmware, delete firmware, set firmware |
| GroupRead | List server groups | show group |
| GroupWrite | Manage server groups | create group, delete group, add group, remove group, set group |
| JobRead | List jobs | show job |
| JobWrite | Delete or stop jobs | delete job, stop job |
| LogRead | List event log | show log |
| NotificationRuleRead | List notification rules | show notification |
| NotificationRuleTest | Test a notification rule | set notification notification test |
| NotificationRuleWrite | Manage notification rules | create notification, delete notification, set notification, start notification, stop notification |
| OSProfileRead | List OS profiles | show osprofile |
| OSProfileWrite | Manage OS profiles | add osprofile, remove osprofile, create osprofile, delete osprofile, set osprofile |
| OSRead | List OS distributions | show os |
| OSWrite | Manage OS distributions | create os, delete os, set os |
| PrivilegeRead | List privileges | show privilege |
| RoleRead | List roles | show role |
| RoleWrite | Manage roles | create role, delete role, add role, remove role, set role |
| ServerBoot | Reboot servers | reset group, reset server |
| ServerConsole | Connect to server's serial console | connect server |
| ServerDeployFirmware | Install firmware on servers | load server server firmware, load group group firmware |
| ServerDeployOS | Install OS on servers | load server server osprofile, load group group osprofile |
| ServerDeployUpdate | Install or uninstall OS updates on servers | load server server update, load group group update, unload server server update, unload group group update |
| ServerExecute | Execute command on servers | start server server command, start group group command |
| ServerPower | Power off and power on servers | stop group, stop server, start group, start server |
| ServerRead | List and refresh servers | show server, set group group refresh, set server server refresh |
| ServerWrite | Manage servers and management features | add server server feature, delete server |
| UpdateRead | List OS updates | show update |
| UpdateWrite | Add and remove OS updates | create update, delete update |
| UserRead | List users | show user |
| UserWrite | Manage users | create user, delete user, add user, remove user, set user |

For more information about these commands, see the Sun N1 System Manager 1.1 Command Line Reference Manual.
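
The role model described in Table 1–1, the OSUpdateAdmin example and Table 1–2 can be checked offline before a custom role is created. The following is an added example, not N1 System Manager code: it derives the default roles from the privilege list, evaluates a few command forms copied from Table 1–2, and applies two hypothetical review checks (the function names, the command subset and the checks themselves are assumptions of this sketch).

```python
# Added example: models Tables 1-1 and 1-2 of this page; not N1 System Manager code.
PRIVILEGES = set("""Discover FirmwareRead FirmwareWrite GroupRead GroupWrite JobRead
JobWrite LogRead NotificationRuleRead NotificationRuleTest NotificationRuleWrite
OSProfileRead OSProfileWrite OSRead OSWrite PrivilegeRead RoleRead RoleWrite ServerBoot
ServerConsole ServerDeployFirmware ServerDeployOS ServerDeployUpdate ServerExecute
ServerPower ServerRead ServerWrite UpdateRead UpdateWrite UserRead UserWrite""".split())

# System default roles, derived the way Table 1-1 words them.
SECURITY_ADMIN = {"RoleRead", "RoleWrite", "UserRead", "UserWrite", "PrivilegeRead"}
ADMIN = PRIVILEGES - SECURITY_ADMIN
READ_ONLY = {p for p in ADMIN if p.endswith("Read")}
DEFAULT_ROLES = {"Admin": ADMIN, "ReadOnly": READ_ONLY, "SecurityAdmin": SECURITY_ADMIN}

# Privilege required by a few command forms, copied from Table 1-2 (subset only).
COMMAND_PRIVILEGE = {
    "show update": "UpdateRead", "create update": "UpdateWrite",
    "load server server update": "ServerDeployUpdate", "show server": "ServerRead",
    "create os": "OSWrite", "start server server command": "ServerExecute",
    "create role": "RoleWrite", "add user": "UserWrite",
}

def effective_privileges(role_names, roles):
    """Union of the privileges of every role added to a user."""
    return set().union(*(roles[r] for r in role_names))

def allowed(command, role_names, roles):
    """True if the user's roles include the privilege the command needs."""
    return COMMAND_PRIVILEGE[command] in effective_privileges(role_names, roles)

def audit_role(privileges):
    """Findings for a proposed custom role (hypothetical review checks)."""
    privs, findings = set(privileges), []
    if privs - PRIVILEGES:
        findings.append("unknown privilege: " + ", ".join(sorted(privs - PRIVILEGES)))
    if privs & {"RoleWrite", "UserWrite"} and privs - SECURITY_ADMIN:
        findings.append("combines role/user management with operational privileges")
    return findings

# The custom role from the example in the text.
OS_UPDATE_ADMIN = {"GroupRead", "JobRead", "LogRead", "ServerDeployUpdate",
                   "ServerRead", "UpdateRead", "UpdateWrite"}
ROLES = dict(DEFAULT_ROLES, OSUpdateAdmin=OS_UPDATE_ADMIN)

if __name__ == "__main__":
    for cmd in COMMAND_PRIVILEGE:
        verdict = "allow" if allowed(cmd, ["OSUpdateAdmin"], ROLES) else "deny"
        print(f"{verdict:5} {cmd}")
    print(audit_role(OS_UPDATE_ADMIN))
    print(audit_role(OS_UPDATE_ADMIN | {"UserWrite"}))
```

The second check reflects the separation the default roles keep between Admin and SecurityAdmin; it is a review heuristic of this sketch, not a rule the product enforces.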

Security Administrator Rules

The following list provides important rules for N1 System Manager security administrators: