Sun N1 System Manager 1.2 Administration Guide

Introduction to N1 System Manager User Security

This section provides information about how to set up and manage user security for the N1 System Manager.

The following tasks are used to manage N1 System Manager users:

The following tasks are used to manage N1 System Manager roles:

The N1 System Manager provides a user account system that allows users to have role-based access to its main features (commands and browser interface areas) through a predefined, fixed set of privileges. A privilege is a predefined set of permissions enabling a user to perform operations within the N1 System Manager, such as installing OS distributions or deleting jobs. A role is a set of privileges to which a user has access. The N1 System Manager provides three system default roles, but customized roles can be created depending on your needs.

The following table lists the system default roles that are automatically provided by the N1 System Manager. These system default roles cannot be modified.

Table 1–1 System Default Roles

| Role | Privileges | Description |
|---|---|---|
| Admin | All privileges except SecurityAdmin privileges | This role has all the privileges available on the N1 System Manager except those required for role management, which is provided by the SecurityAdmin role. |
| ReadOnly | All read-only (*Read) privileges except SecurityAdmin privileges | This role allows the user to view only status (read-only) information about the N1 System Manager. |
| SecurityAdmin | RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead | This role only has the privileges required to perform role management operations, such as creating roles, adding privileges to roles, and adding roles to users. |

When you install the Sun N1 System Manager software, the management server's superuser (root) account has all three system default roles automatically added to it, and the Admin role is the account's default role.

Users with the SecurityAdmin role (security administrators) are allowed to create new roles as needed in their organization, which includes adding one or more privileges to those roles. Security administrators can also add roles to users.

For example, you might need to restrict specific users to perform only OS update management on the provisionable servers. A security administrator could create a new role, called OSUpdateAdmin, and add the following privileges to it: GroupRead, JobRead, LogRead, ServerDeployUpdate, ServerRead, UpdateRead, and UpdateWrite. See Table 1–2 for details about privileges. Then, the security administrator would add that role to those specific users. If OSUpdateAdmin is the only role added to the users, the users would not be able to access any part of the N1 System Manager other than the OS update management feature.


Note – Non-root users with only the SecurityAdmin role are not allowed to extend their own privilege set, either by adding new privileges to the SecurityAdmin role (which cannot be modified) or by adding new roles to their own user account. See Security Administrator Rules for more details.


The following table lists the set of predefined privileges that may be added to roles. To display an abbreviated form of this list, use the show privilege command.

Table 1–2 N1 System Manager Privileges

| Command | Privileges Required |
|---|---|
| add group | GroupRead, GroupWrite |
| add osprofile | OSProfileWrite |
| add role | RoleWrite |
| add server | ServerWrite |
| connect server | ServerConsole |
| create firmware | FirmwareWrite |
| create group | GroupRead, GroupWrite |
| create notification | NotificationRuleRead, NotificationRuleWrite |
| create os | OSWrite |
| create osprofile | OSProfileWrite |
| create role | RoleWrite |
| create update | UpdateRead, UpdateWrite |
| create user | UserWrite |
| delete firmware | FirmwareRead, FirmwareWrite |
| delete group | GroupRead, GroupWrite |
| delete job | JobWrite |
| delete notification | NotificationRuleRead, NotificationRuleWrite |
| delete os | OSWrite |
| delete osprofile | OSProfileWrite |
| delete role | RoleWrite |
| delete server | ServerWrite |
| delete update | UpdateRead, UpdateWrite |
| discover | Discover, JobRead |
| load group | GroupRead, FirmwareRead, FirmwareWrite, ServerDeployFirmware, ServerDeployOS, ServerDeployUpdate, UpdateRead |
| load server | FirmwareRead, FirmwareWrite, ServerDeployFirmware, ServerDeployOS, ServerDeployUpdate |
| remove group | GroupRead, GroupWrite |
| remove osprofile | OSProfileWrite |
| remove role | RoleWrite |
| set firmware | FirmwareRead, FirmwareWrite |
| set group | GroupRead, GroupWrite |
| set group group refresh | ServerRead |
| set notification | NotificationRuleRead, NotificationRuleTest, NotificationRuleWrite |
| set os | OSWrite |
| set osprofile | OSProfileWrite |
| set role | RoleWrite |
| set server | ServerExecute |
| set server server refresh | ServerRead, ServerWrite |
| show firmware | FirmwareRead |
| show group | GroupRead |
| show job | JobRead |
| show log | LogRead |
| show notification | NotificationRuleRead |
| show privilege | RoleRead |
| show role | RoleRead |
| show os | OSRead |
| show osprofile | OSProfileRead, UpdateRead |
| show server | ServerRead |
| show update | UpdateRead |
| show user | UserRead |
| start group | ServerExecute, ServerPower |
| start notification | NotificationRuleRead, NotificationRuleTest |
| start server | ServerPower, ServerExecute |
| stop job | JobWrite |
| stop group | ServerExecute, ServerPower |
| stop server | ServerExecute, ServerPower |
| unload group | GroupRead, ServerDeployUpdate, UpdateRead |
| unload server | ServerDeployUpdate, UpdateRead |

For more information about these commands, see the Sun N1 System Manager 1.2 Command Line Reference Manual.
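The following script is an added example, not part of the Sun documentation or the N1 System Manager software. It checks the OSUpdateAdmin role described earlier against an excerpt of Table 1–2 and reports which commands the role covers fully, partially, or not at all, and whether a custom role overlaps the SecurityAdmin privileges from Table 1–1. The function names are hypothetical, and because the page does not say whether a command needs every privilege listed for it, partial coverage is reported separately rather than treated as allowed or denied.

```python
# Excerpt of Table 1-2 from the page: command -> privileges listed for it.
TABLE_1_2 = {
    "show group": {"GroupRead"}, "show job": {"JobRead"}, "show log": {"LogRead"},
    "show server": {"ServerRead"}, "show update": {"UpdateRead"},
    "create update": {"UpdateRead", "UpdateWrite"},
    "delete update": {"UpdateRead", "UpdateWrite"},
    "unload server": {"ServerDeployUpdate", "UpdateRead"},
    "unload group": {"GroupRead", "ServerDeployUpdate", "UpdateRead"},
    "load server": {"FirmwareRead", "FirmwareWrite", "ServerDeployFirmware",
                    "ServerDeployOS", "ServerDeployUpdate"},
    "delete job": {"JobWrite"}, "stop server": {"ServerExecute", "ServerPower"},
    "create role": {"RoleWrite"}, "create user": {"UserWrite"},
}
# SecurityAdmin privileges as listed in Table 1-1.
SECURITY_ADMIN = {"RoleRead", "RoleWrite", "UserRead", "UserWrite", "PrivilegeRead"}
# The OSUpdateAdmin role exactly as the page defines it.
OS_UPDATE_ADMIN = {"GroupRead", "JobRead", "LogRead", "ServerDeployUpdate",
                   "ServerRead", "UpdateRead", "UpdateWrite"}


def audit_role(role_privs, table=TABLE_1_2):
    """Bucket each command by how many of its listed privileges the role holds.

    Returns {"full"|"partial"|"none": {command: [missing privileges]}}.
    """
    report = {"full": {}, "partial": {}, "none": {}}
    for command, listed in sorted(table.items()):
        missing = listed - role_privs
        held = listed & role_privs
        bucket = "full" if not missing else "partial" if held else "none"
        report[bucket][command] = sorted(missing)
    return report


def security_admin_overlap(role_privs):
    """Role-management privileges a custom role carries (should be empty
    for a role meant to be restricted to one feature area)."""
    return sorted(role_privs & SECURITY_ADMIN)


if __name__ == "__main__":
    result = audit_role(OS_UPDATE_ADMIN)
    for bucket in ("full", "partial", "none"):
        print(bucket.upper())
        for cmd, missing in result[bucket].items():
            print(f"  {cmd:15} missing: {', '.join(missing) or '-'}")
    print("SecurityAdmin overlap:", security_admin_overlap(OS_UPDATE_ADMIN) or "none")
```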

Security Administrator Rules

The following list provides important rules for N1 System Manager security administrators: