This chapter provides information about user and role management on the N1 System Manager.
This section provides information about how to set up and manage user security for the N1 System Manager.
The N1 System Manager provides a user account system that allows users to have role-based access to its main features (commands and browser interface areas) through a predefined, fixed set of privileges. A privilege is a predefined set of permissions enabling a user to perform operations within the N1 System Manager, such as installing OS distributions or deleting jobs. A role is a set of privileges to which a user has access. The N1 System Manager provides five system default roles, but customized roles can be created depending on your needs.
You can set up new N1 System Manager users at any time. When you install the Sun N1 System Manager software, the management server's superuser (root) account has all three system default roles automatically added to it. The Admin role is the account's default role. See Table 2–3 for details.
The following table provides a quick reference to all the tasks and associated commands used to manage users. The task names follow the task headings used later in this chapter.
Table 2–1 Managing Users Quick Reference

| Task | Command Syntax |
|---|---|
| Add a new user account | # useradd -s n1sh user, followed by # n1sh create user user role role |
| Delete a user | # n1sh delete user user, followed by # userdel |
| Set a user's default role | set user user defaultrole defaultrole |
| Show a user's default role | show user user |
| Add one or more roles to a user | add user user role role |
| Remove one or more roles from a user | remove user user role role |
| List the roles that are added to a user | show user user |
For more information about these commands, see Sun N1 System Manager 1.3 Command Line Reference Manual.
The N1 System Manager allows LDAP authentication using the Pluggable Authentication Module (PAM) subsystem. You can also use the LDAP PAM module on the management server if the management server is running either the Solaris OS or Linux.
You must be superuser (root) to add a new user account to the management server's operating system. The rest of the task must be performed by a user with the SecurityAdmin role, such as the superuser account used in this task.
When you create a new user for the N1 System Manager, you can also configure the user's login shell to be either a UNIX® shell or the n1sh shell. If the user's login is configured with the n1sh shell, the user automatically logs into the n1sh shell (N1-ok> prompt) when logging in to the management server.
Log in to the management server as superuser from a remote system.
$ ssh -l root management-server
See To Access the N1 System Manager Command Line for details.
Add a new user account to the management server using the useradd command.
Provide the following configuration details:
Use the useradd -s option to configure the user's shell to automatically log into the n1sh shell. For example: useradd -s /opt/sun/n1gc/bin/n1sh
Use the passwd command to set the user's password.
Add /opt/sun/n1gc/bin to the user's path in order to access the n1sh command.
See the management server's useradd man page for more information.
Add the user to the N1 System Manager with one or more roles.
# n1sh -r SecurityAdmin create user user role role[,role...]
The -r option enables you to run the n1sh command with the SecurityAdmin role, which is required for this step. See create user in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can also use the add user command to later add more roles.
You must be superuser (root) to delete an existing user account from the management server's operating system. The rest of the task must be performed by a user with the SecurityAdmin role, such as the superuser account used in this task.
Log in to the management server as superuser from a remote system.
$ ssh -l root management-server
See To Access the N1 System Manager Command Line for details.
Delete the user from the N1 System Manager.
# n1sh -r SecurityAdmin delete user user
The -r option enables you to run the n1sh command with the SecurityAdmin role, which is required for this step. See delete user in Sun N1 System Manager 1.3 Command Line Reference Manual.
(Optional) Delete the user account from the management server by using the management server's userdel command.
The following table provides a quick reference to all the tasks and associated commands used to manage roles. The task names follow the task headings used later in this chapter.
Table 2–2 Managing Roles Quick Reference

| Task | Command Syntax |
|---|---|
| Create a new role with one or more privileges | create role role privilege privilege |
| Delete a role | delete role role |
| Add one or more privileges to a role | add role role privilege privilege |
| Remove one or more privileges from a role | remove role role privilege privilege |
| List the available roles | show role all |
| List the privileges that are added to a role | show role role |
| List the roles that are added to all users | show user all |
| List the available privileges | show privilege all |
For more information about these commands, see Sun N1 System Manager 1.3 Command Line Reference Manual.
Table 2–3 lists the system default roles that are automatically provided by the N1 System Manager. These system default roles cannot be modified.
Table 2–3 System Default Roles

| Role | Privileges | Description |
|---|---|---|
| Admin | All privileges except SecurityAdmin privileges | This role has all the privileges available on the N1 System Manager except those required for role management, which are provided by the SecurityAdmin role. |
| ReadOnly | All read-only (*Read) privileges except SecurityAdmin privileges | This role allows the user to view only status (read-only) information about the N1 System Manager. |
| SecurityAdmin | RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead | This role only has the privileges required to perform role management operations, such as creating roles, adding privileges to roles, and adding roles to users. |
The following table lists the restricted mode roles that are automatically provided by the N1 System Manager. Unlike system default roles, these restricted mode roles can be modified, so that you can create customized roles for your users to fit your organizational and business needs. For more information, see Restricted Mode Capabilities.
Table 2–4 Restricted Mode Roles

| Role | Privileges | Description |
|---|---|---|
| ProvAdmin | RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead | The N1 System Manager is configured so that it only has access to the provisioning network. See Restricted Mode Capabilities for details. |
| MgmtAdmin | RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead | The N1 System Manager is configured so that it only has access to the management network. See Restricted Mode Capabilities for details. |
The security administrator is responsible for assigning restricted mode roles to users if the N1 System Manager is configured such that it operates in restricted mode. For information about restricted mode of operation, see Restricted Mode Capabilities.
When you install the Sun N1 System Manager software, the management server's superuser (root) account has the Admin, ReadOnly and SecurityAdmin system default roles automatically added to it, and the Admin role is the account's default role.
Users with the SecurityAdmin system default role (security administrators) are allowed to create new custom roles as needed in their organization, and can add one or more privileges to those roles. Security administrators can also add roles to users.
For example, you might need to restrict specific users to perform only OS update management on the managed servers. A security administrator could create a new role, called OSUpdateAdmin, and add the following privileges to it: GroupRead, JobRead, LogRead, ServerDeployUpdate, ServerRead, UpdateRead, and UpdateWrite. Then, the security administrator would add that role to those specific users. If OSUpdateAdmin is the only role added to the users, the users cannot access any part of the N1 System Manager other than the OS update management feature.
If the N1 System Manager is configured so that it only has access to the provisioning network, the administrator should assign only the ProvAdmin restricted mode role to non-root users. See Table 2–4 for details about privileges for this role.
If the N1 System Manager is configured so that it only has access to the management network, the administrator should assign only the MgmtAdmin restricted mode role to non-root users. See Table 2–4 for details about privileges for this role.
See Restricted Mode Capabilities for details about the operation of the N1 System Manager in restricted mode.
Non-root users with only the SecurityAdmin role are not allowed to extend their own privilege set, either by adding new privileges to the SecurityAdmin role or by adding new roles to their own user account. See Security Administrator Rules for more details.
The following tables list the set of predefined privileges that may be added to roles. To display an abbreviated form of this list, use the show privilege command.
Table 2–5 N1 System Manager Privileges for add, connect, and create Commands

| Command | Privileges Required |
|---|---|
| add group | GroupRead |
| add osprofile | OSProfileWrite, OSProfileRead, UpdateRead |
| add role | RoleWrite |
| add server | ServerRead, ServerExecute, JobRead |
| connect server | ServerConsole, ServerRead, UpdateRead |
| create firmware | FirmwareWrite |
| create group | GroupRead, GroupWrite |
| create notification | NotificationRuleWrite |
| create os | OSWrite, JobRead, UpdateRead, UpdateWrite |
| create osprofile | OSProfileWrite, OSProfileRead, UpdateRead |
| create role | RoleWrite |
| create update | UpdateRead, UpdateWrite |
| create user | UserWrite |
Table 2–6 N1 System Manager Privileges for delete, discover, and load Commands

| Command | Privileges Required |
|---|---|
| delete firmware | FirmwareRead, FirmwareWrite |
| delete group | GroupRead, GroupWrite |
| delete job | JobWrite, JobRead |
| delete notification | NotificationRuleWrite |
| delete os | OSWrite |
| delete osprofile | OSProfileWrite |
| delete role | RoleWrite |
| delete server | ServerWrite, JobRead |
| delete update | UpdateRead, UpdateWrite |
| discover | Discover, JobRead |
| load group | GroupRead, FirmwareRead, FirmwareWrite, ServerDeployFirmware, ServerDeployOS, ServerDeployUpdate, UpdateRead, JobRead |
| unload group | GroupRead, ServerDeployUpdate, UpdateRead, JobRead |
| load server | FirmwareRead, FirmwareWrite, ServerDeployFirmware, ServerDeployOS, ServerDeployUpdate, JobRead |
| unload server | ServerDeployUpdate, UpdateRead, JobRead |
Table 2–7 N1 System Manager Privileges for remove, set, and reset Commands

| Command | Privileges Required |
|---|---|
| remove group | GroupWrite |
| remove osprofile | OSProfileWrite |
| remove role | RoleWrite |
| set firmware | FirmwareRead, FirmwareWrite |
| set group | GroupRead, GroupWrite |
| set group group refresh | ServerWrite, JobRead |
| set notification | NotificationRuleRead, NotificationRuleTest, NotificationRuleWrite |
| set os | OSWrite |
| set osprofile | OSProfileWrite, OSProfileRead, UpdateRead |
| set role | RoleWrite |
| set server | ServerExecute, ServerRead, UpdateRead, JobRead |
| set server server refresh | ServerWrite, JobRead |
| reset server | ServerWrite, JobRead |
| reset group | ServerWrite, JobRead |
Table 2–8 N1 System Manager Privileges for show, start, and stop Commands

| Command | Privileges Required |
|---|---|
| show firmware | FirmwareRead |
| show group | GroupRead |
| show job | JobRead |
| show log | LogRead |
| show notification | NotificationRuleRead |
| show privilege | None |
| show role | RoleRead |
| show os | OSRead |
| show osprofile | OSProfileRead, UpdateRead |
| show server | ServerRead |
| show update | UpdateRead |
| show user | UserRead |
| start group | ServerWrite, JobRead |
| start notification | NotificationRuleWrite |
| start server | ServerWrite, JobRead |
| stop group | ServerWrite, JobRead |
| stop job | JobWrite, JobRead |
| stop server | ServerWrite, JobRead |
For more information about these commands, see Sun N1 System Manager 1.3 Command Line Reference Manual.
Important rules for N1 System Manager security administrators are:
You can securely configure a non-root N1 System Manager user to have only security administrator privileges by adding only the SecurityAdmin role to the user. Such users cannot extend their own privilege set, either by adding new privileges to the SecurityAdmin role or by adding new roles to their own user account.
You cannot configure the root user to have only security administrator privileges.
You cannot configure a user to have only security administrator privileges if the user has the SecurityAdmin role and a custom role added to it. Such users could use their SecurityAdmin privileges to add any privileges to the custom role and therefore extend their privilege set.
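As an added illustration (not part of the Sun documentation or of the n1sh tool), the following Python model encodes a subset of the command-to-privilege map from Tables 2–5 to 2–8 together with the OSUpdateAdmin role built in the earlier example, and checks two things a security administrator would want to verify before adding roles to a user: which commands a role set actually covers (and which privileges a blocked command is missing), and whether the combination would let the user extend their own privilege set under the Security Administrator Rules. The REQUIRED and ROLES dictionaries are hand-copied from the tables; the self-escalation check is a reading of the rules above, not a feature of n1sh.

```python
# Added example: a model of N1 System Manager privilege checks.
# Not Sun's code; the data below is copied from Tables 2-5 to 2-8
# and from the OSUpdateAdmin example in the text.

# Command -> privileges required (subset of Tables 2-5 to 2-8).
REQUIRED = {
    "show server": {"ServerRead"},
    "show update": {"UpdateRead"},
    "show job": {"JobRead"},
    "show log": {"LogRead"},
    "show privilege": set(),  # Table 2-8: "None"
    "create update": {"UpdateRead", "UpdateWrite"},
    "delete update": {"UpdateRead", "UpdateWrite"},
    "unload server": {"ServerDeployUpdate", "UpdateRead", "JobRead"},
    "unload group": {"GroupRead", "ServerDeployUpdate", "UpdateRead", "JobRead"},
    "load server": {"FirmwareRead", "FirmwareWrite", "ServerDeployFirmware",
                    "ServerDeployOS", "ServerDeployUpdate", "JobRead"},
    "delete server": {"ServerWrite", "JobRead"},
    "add role": {"RoleWrite"},
    "add user": {"UserWrite"},
}

# System default roles cannot be modified (Table 2-3); custom roles and the
# restricted mode roles of Table 2-4 can.
SYSTEM_DEFAULT_ROLES = {"Admin", "ReadOnly", "SecurityAdmin"}

ROLES = {
    "SecurityAdmin": {"RoleRead", "RoleWrite", "UserRead", "UserWrite",
                      "PrivilegeRead"},
    # Custom role exactly as built in the text's OS update example.
    "OSUpdateAdmin": {"GroupRead", "JobRead", "LogRead", "ServerDeployUpdate",
                      "ServerRead", "UpdateRead", "UpdateWrite"},
}


def privileges_of(user_roles):
    """Union of the privileges of every role added to a user."""
    return set().union(*(ROLES[r] for r in user_roles))


def allowed_commands(user_roles):
    """Commands whose required privilege set is fully covered by the user's roles."""
    have = privileges_of(user_roles)
    return sorted(cmd for cmd, need in REQUIRED.items() if need <= have)


def missing_for(user_roles, command):
    """Privileges the user still lacks for one command (empty list = allowed)."""
    return sorted(REQUIRED[command] - privileges_of(user_roles))


def can_extend_own_privileges(user_roles):
    """Security Administrator Rules: a user who holds RoleWrite (via the
    SecurityAdmin role) and also any modifiable role could add privileges
    to that role and so grow their own privilege set. Only SecurityAdmin,
    or no RoleWrite at all, is safe."""
    if "RoleWrite" not in privileges_of(user_roles):
        return False
    return any(r not in SYSTEM_DEFAULT_ROLES for r in user_roles)


if __name__ == "__main__":
    print("OSUpdateAdmin may run:", allowed_commands(["OSUpdateAdmin"]))
    print("missing for load server:", missing_for(["OSUpdateAdmin"], "load server"))
    print("SecurityAdmin+OSUpdateAdmin can self-escalate:",
          can_extend_own_privileges(["SecurityAdmin", "OSUpdateAdmin"]))
```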
Use the show privilege all command to list all of the valid privileges.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Create a new role with one or more privileges.
N1-ok> create role role [description description] privilege privilege[,privilege...]
See create role in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can also use the add role command to add privileges to the role later.
A role cannot be deleted if it is currently added to one or more users. If you try to delete a role that is being used, an error occurs. To successfully delete a role, an authorized user must first remove the role from all users and then attempt the role deletion.
Use the show role all command to list all of the valid roles.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Delete a role.
N1-ok> delete role role
See delete role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
Use the show privilege all command to list all of the valid privileges.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Add one or more privileges to a role.
N1-ok> add role role privilege privilege[,privilege...]
See add role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
If you want to add most of the privileges to a role, you can use the all option to add all the privileges and then use the remove role command to remove the privileges that are not required.
Use the show role role command to list all of the privileges currently added to a role.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Remove one or more privileges from a role.
N1-ok> remove role role privilege privilege[,privilege...]
See remove role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
List the available roles.
N1-ok> show role all
Use the show role all command to list all of the valid roles.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
List the privileges that are added to a role.
N1-ok> show role role
See show role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
The following example shows that the SecurityAdmin role has five privileges added to it.
N1-ok> show role SecurityAdmin
Name: SecurityAdmin
Privileges: UserWrite, RoleWrite, RoleRead, PrivilegeRead, UserRead
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
List the roles that are added to all users.
N1-ok> show user all
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
List the available privileges.
N1-ok> show privilege all
This task is based on the normal configuration of the N1 System Manager, where the management server has access to both the provisioning and management networks.
Users are automatically logged in to the N1 System Manager with their assigned user default role. The user default role can be a custom role that has been assigned as a default role to the user, and does not have to be a system default role. System default roles are shown in Table 2–3.
The default role for the root user is automatically set to Admin after you reboot the management server or if you restart the N1 System Manager. You can still set the root user's default role to a different role, but the assignment is not permanent.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Show which roles are added to the user.
N1-ok> show user user
You must have the SecurityAdmin role's privileges to run this command. See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
Set a user's default role.
N1-ok> set user user defaultrole defaultrole
See set user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
If the N1 System Manager is running in normal configuration with access to both the provisioning and management networks, you can assign the Admin role as the default role for all users. Alternatively, you can create a custom role with the same privileges.
If the N1 System Manager is running in normal configuration with access to both the provisioning and management networks, any custom role you create for users must have the privileges necessary for full functionality of the N1 System Manager.
The following example shows how to set the SecurityAdmin role as the default role for the root user.
N1-ok> show user root
Name: root
Default Role: Admin
Roles: SecurityAdmin, ReadOnly, Admin
N1-ok> set user root defaultrole SecurityAdmin
This task is based on the restricted mode configuration of the N1 System Manager, where the management server has access only to either the provisioning network or to the management network, but not to both networks.
Users are automatically logged in to the N1 System Manager with their assigned user default role. The user default role can be a custom role that has been assigned as a default role to the user, and does not have to be a system default role. System default roles are shown in Table 2–3.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Show which roles are added to the user.
N1-ok> show user user
You must have the SecurityAdmin role's privileges to run this command. See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
Set a user's restricted mode role.
N1-ok> set user user defaultrole defaultrole
See set user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
For the restricted mode in which the N1 System Manager has access only to the management network, use the following command:
N1-ok> set user user defaultrole MgmtAdmin
For the restricted mode in which the N1 System Manager has access only to the provisioning network, use the following command:
N1-ok> set user user defaultrole ProvAdmin
See Table 2–4 for details about privileges associated with these roles.
It is possible to delete or modify the ProvAdmin and MgmtAdmin restricted mode roles, but take care that any custom role you use in their place contains the privilege set that the N1 System Manager needs to operate in restricted mode; otherwise system stability can be affected. See Restricted Mode Capabilities for details.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Show a user's default role.
N1-ok> show user user
See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
The following example shows that the root user has the Admin default role.
N1-ok> show user root
Name: root
Default Role: Admin
Roles: SecurityAdmin, ReadOnly, Admin
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Add one or more roles to a user.
N1-ok> add user user role role[,role...]
See add user in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can use the show role all command to list all of the valid roles.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
Remove one or more roles from a user.
N1-ok> remove user user role role[,role...]
See remove user in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can use the show user user command to list all the roles currently added to the user.
Log in to the N1 System Manager.
See To Access the N1 System Manager Command Line for details.
List the roles that are added to a user.
N1-ok> show user user
See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
The following example shows that the root user currently has the SecurityAdmin, ReadOnly, and Admin roles, and that the user has the Admin default role.
N1-ok> show user root
Name: root
Default Role: Admin
Roles: SecurityAdmin, ReadOnly, Admin