Sun N1 System Manager 1.3 Discovery and Administration Guide

Chapter 2 Managing Users and Roles

This chapter provides information about user and role management on the N1 System Manager.

This chapter contains the following sections:

Introduction to User Security

This section provides information about how to set up and manage user security for the N1 System Manager.

The N1 System Manager provides a user account system that allows users to have role-based access to its main features (commands and browser interface areas) through a predefined, fixed set of privileges. A privilege is a predefined set of permissions enabling a user to perform operations within the N1 System Manager, such as installing OS distributions or deleting jobs. A role is a set of privileges to which a user has access. The N1 System Manager provides five system default roles, but customized roles can be created depending on your needs.

Managing Users

You can set up new N1 System Manager users at any time. When you install the Sun N1 System Manager software, the management server's superuser (root) account has all three system default roles automatically added to it. The Admin role is the account's default role. See Table 2–3 for details.

The following table provides a quick reference to all the tasks and associated commands used to manage users.

Table 2–1 Managing Users Quick Reference

  Task                                                  Command Syntax
  ----------------------------------------------------  ----------------------------------------
  To Add an N1 System Manager User                      # useradd -s n1sh user
                                                        # n1sh create user user role role
  To Delete an N1 System Manager User                   # n1sh delete user user
                                                        # userdel
  To Set a User's Default Role (Normal Configuration)   set user user defaultrole defaultrole
  To Show a User's Default Role                         show user user
  To Add a Role to a User                               add user user role role
  To Remove a Role From a User                          remove user user role role
  To List the Roles Added to a Specific User            show user user

For more information about these commands, see Sun N1 System Manager 1.3 Command Line Reference Manual.

The N1 System Manager allows LDAP authentication using the Pluggable Authentication Module (PAM) subsystem. You can also use the LDAP PAM module on the management server if the management server is running either the Solaris OS or Linux.

Procedure: To Add an N1 System Manager User

Before You Begin

You must be superuser (root) to add a new user account to the management server's operating system. The rest of the task must be performed by a user with the SecurityAdmin role, such as the superuser account used in this task.

When you create a new user for the N1 System Manager, you can also configure the user's login shell to be either a UNIX® shell or the n1sh shell. If the user's login is configured with the n1sh shell, the user automatically logs into the n1sh shell (N1–ok> prompt) when logging in to the management server.

Steps
  1. Log in to the management server as superuser from a remote system.


    $ ssh -l root management-server
    

    See To Access the N1 System Manager Command Line for details.

  2. Add a new user account to the management server using the useradd command.

    Provide the following configuration details:

    • Use the useradd -s option to configure the user's shell to automatically log into the n1sh shell. For example: useradd -s /opt/sun/n1gc/bin/n1sh

    • Use the passwd command to set the user's password.

    • Add /opt/sun/n1gc/bin to the user's path in order to access the n1sh command.

    See the management server's useradd man page for more information.

  3. Add the user to the N1 System Manager with one or more roles.


    # n1sh -r SecurityAdmin create user user role role[,role...]

    The -r option enables you to run the n1sh command with the SecurityAdmin role, which is required for this step. See create user in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can also use the add user command to later add more roles.

Procedure: To Delete an N1 System Manager User

Before You Begin

You must be superuser (root) to delete an existing user account from the management server's operating system. The rest of the task must be performed by a user with the SecurityAdmin role, such as the superuser account used in this task.

Steps
  1. Log in to the management server as superuser from a remote system.


    $ ssh -l root management-server
    

    See To Access the N1 System Manager Command Line for details.

  2. Delete the user from the N1 System Manager.


    # n1sh -r SecurityAdmin delete user user
    

    The -r option enables you to run the n1sh command with the SecurityAdmin role, which is required for this step. See delete user in Sun N1 System Manager 1.3 Command Line Reference Manual.

  3. (Optional) Delete the user account from the management server by using the management server's userdel command.

Managing Roles

The following table provides a quick reference to all the tasks and associated commands used to manage roles.

Table 2–2 Managing Roles Quick Reference

  Task                                     Command Syntax
  ---------------------------------------  --------------------------------------
  To Create a Role                         create role role privilege privilege
  To Delete a Role                         delete role role
  To Add a Privilege to a Role             add role role privilege privilege
  To Remove a Privilege From a Role        remove role role privilege privilege
  To List the Available Roles              show role all
  To List Privileges Added to a Role       show role role
  To List the Roles Added to All Users     show user all
  To List the Available Privileges         show privilege all

For more information about these commands, see Sun N1 System Manager 1.3 Command Line Reference Manual.

Table 2–3 lists the system default roles that are automatically provided by the N1 System Manager. These system default roles cannot be modified.

Table 2–3 System Default Roles

  Admin
    Privileges:  All privileges except SecurityAdmin privileges
    Description: This role has all the privileges available on the N1 System Manager except those required for role management, which is provided by the SecurityAdmin role.

  ReadOnly
    Privileges:  All read-only (*Read) privileges except SecurityAdmin privileges
    Description: This role allows the user to view only status (read-only) information about the N1 System Manager.

  SecurityAdmin
    Privileges:  RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead
    Description: This role only has the privileges required to perform role management operations, such as creating roles, adding privileges to roles, and adding roles to users.

The following table lists the restricted mode roles that are automatically provided by the N1 System Manager. Unlike system default roles, these restricted mode roles can be modified, so that you can create customized roles for your users to fit your organizational and business needs. For more information, see Restricted Mode Capabilities.

Table 2–4 Restricted Mode Roles

  ProvAdmin
    Privileges:  RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead
    Description: The N1 System Manager is configured so that it only has access to the provisioning network. See Restricted Mode Capabilities for details.

  MgmtAdmin
    Privileges:  RoleRead, RoleWrite, UserRead, UserWrite, PrivilegeRead
    Description: The N1 System Manager is configured so that it only has access to the management network. See Restricted Mode Capabilities for details.

The security administrator is responsible for assigning restricted mode roles to users if the N1 System Manager is configured such that it operates in restricted mode. For information about restricted mode of operation, see Restricted Mode Capabilities.

When you install the Sun N1 System Manager software, the management server's superuser (root) account has the Admin, ReadOnly and SecurityAdmin system default roles automatically added to it, and the Admin role is the account's default role.

Users with the SecurityAdmin system default role (security administrators) are allowed to create new custom roles as needed in their organization, and can add one or more privileges to those roles. Security administrators can also add roles to users.

For example, you might need to restrict specific users to perform only OS update management on the managed servers. A security administrator could create a new role, called OSUpdateAdmin, and add the following privileges to it: GroupRead, JobRead, LogRead, ServerDeployUpdate, ServerRead, UpdateRead, and UpdateWrite. Then, the security administrator would add that role to those specific users. If OSUpdateAdmin is the only role added to the users, the users cannot access any part of the N1 System Manager other than the OS update management feature.

See Restricted Mode Capabilities for details about the operation of the N1 System Manager in restricted mode.


Note –

Non-root users with only the SecurityAdmin role are not allowed to extend their own privilege set, either by adding new privileges to the SecurityAdmin role or by adding new roles to their own user account. See Security Administrator Rules for more details.


The following tables list the set of predefined privileges that may be added to roles. To display an abbreviated form of this list, use the show privilege command.

Table 2–5 N1 System Manager Privileges for add, connect, and create Commands

  Command                      Privileges Required
  ---------------------------  ------------------------------------------------
  add group                    GroupRead
  add osprofile                OSProfileWrite, OSProfileRead, UpdateRead
  add role                     RoleWrite
  add server                   ServerRead, ServerExecute, JobRead
  connect server               ServerConsole, ServerRead, UpdateRead
  create firmware              FirmwareWrite
  create group                 GroupRead, GroupWrite
  create notification          NotificationRuleWrite
  create os                    OSWrite, JobRead, UpdateRead, UpdateWrite
  create osprofile             OSProfileWrite, OSProfileRead, UpdateRead
  create role                  RoleWrite
  create update                UpdateRead, UpdateWrite
  create user                  UserWrite

Table 2–6 N1 System Manager Privileges for delete, discover and load Commands

  Command                      Privileges Required
  ---------------------------  ------------------------------------------------
  delete firmware              FirmwareRead, FirmwareWrite
  delete group                 GroupRead, GroupWrite
  delete job                   JobWrite, JobRead
  delete notification          NotificationRuleWrite
  delete os                    OSWrite
  delete osprofile             OSProfileWrite
  delete role                  RoleWrite
  delete server                ServerWrite, JobRead
  delete update                UpdateRead, UpdateWrite
  discover                     Discover, JobRead
  load group                   GroupRead, FirmwareRead, FirmwareWrite, ServerDeployFirmware,
                               ServerDeployOS, ServerDeployUpdate, UpdateRead, JobRead
  unload group                 GroupRead, ServerDeployUpdate, UpdateRead, JobRead
  load server                  FirmwareRead, FirmwareWrite, ServerDeployFirmware,
                               ServerDeployOS, ServerDeployUpdate, JobRead
  unload server                ServerDeployUpdate, UpdateRead, JobRead

Table 2–7 N1 System Manager Privileges for remove, set, and reset Commands

  Command                      Privileges Required
  ---------------------------  ------------------------------------------------
  remove group                 GroupWrite
  remove osprofile             OSProfileWrite
  remove role                  RoleWrite
  set firmware                 FirmwareRead, FirmwareWrite
  set group                    GroupRead, GroupWrite
  set group group refresh      ServerWrite, JobRead
  set notification             NotificationRuleRead, NotificationRuleTest, NotificationRuleWrite
  set os                       OSWrite
  set osprofile                OSProfileWrite, OSProfileRead, UpdateRead
  set role                     RoleWrite
  set server                   ServerExecute, ServerRead, UpdateRead, JobRead
  set server server refresh    ServerWrite, JobRead
  reset server                 ServerWrite, JobRead
  reset group                  ServerWrite, JobRead

Table 2–8 N1 System Manager Privileges for show, start and stop Commands

  Command                      Privileges Required
  ---------------------------  ------------------------------------------------
  show firmware                FirmwareRead
  show group                   GroupRead
  show job                     JobRead
  show log                     LogRead
  show notification            NotificationRuleRead
  show privilege               None
  show role                    RoleRead
  show os                      OSRead
  show osprofile               OSProfileRead, UpdateRead
  show server                  ServerRead
  show update                  UpdateRead
  show user                    UserRead
  start group                  ServerWrite, JobRead
  start notification           NotificationRuleWrite
  start server                 ServerWrite, JobRead
  stop group                   ServerWrite, JobRead
  stop job                     JobWrite, JobRead
  stop server                  ServerWrite, JobRead

For more information about these commands, see Sun N1 System Manager 1.3 Command Line Reference Manual.
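The privilege tables above are what a security administrator consults before running create role or add role, and the OSUpdateAdmin example under Managing Roles is the kind of least-privilege role they describe. The following Python script is an added illustration, not part of the Sun documentation or of n1sh: it transcribes Tables 2–5 to 2–8 into a lookup and answers two audit questions offline, which n1sh commands a given privilege set unlocks, and which privileges a given list of commands strictly needs, so that surplus privileges in a custom role show up before the role is assigned. Command names and privilege names are taken verbatim from the tables; the OSUpdateAdmin privilege set is the one the chapter lists.

```python
"""Offline least-privilege audit against Tables 2-5 to 2-8 of this chapter.
Added example, not Sun's code: n1sh is not invoked, only its documented
privilege requirements are modelled."""

# Command -> privileges required, transcribed from Tables 2-5 to 2-8.
# "show privilege" requires none, so its set is empty.
PRIVILEGES_REQUIRED = {
    # Table 2-5: add, connect and create
    "add group": {"GroupRead"},
    "add osprofile": {"OSProfileWrite", "OSProfileRead", "UpdateRead"},
    "add role": {"RoleWrite"},
    "add server": {"ServerRead", "ServerExecute", "JobRead"},
    "connect server": {"ServerConsole", "ServerRead", "UpdateRead"},
    "create firmware": {"FirmwareWrite"},
    "create group": {"GroupRead", "GroupWrite"},
    "create notification": {"NotificationRuleWrite"},
    "create os": {"OSWrite", "JobRead", "UpdateRead", "UpdateWrite"},
    "create osprofile": {"OSProfileWrite", "OSProfileRead", "UpdateRead"},
    "create role": {"RoleWrite"},
    "create update": {"UpdateRead", "UpdateWrite"},
    "create user": {"UserWrite"},
    # Table 2-6: delete, discover and load
    "delete firmware": {"FirmwareRead", "FirmwareWrite"},
    "delete group": {"GroupRead", "GroupWrite"},
    "delete job": {"JobWrite", "JobRead"},
    "delete notification": {"NotificationRuleWrite"},
    "delete os": {"OSWrite"},
    "delete osprofile": {"OSProfileWrite"},
    "delete role": {"RoleWrite"},
    "delete server": {"ServerWrite", "JobRead"},
    "delete update": {"UpdateRead", "UpdateWrite"},
    "discover": {"Discover", "JobRead"},
    "load group": {"GroupRead", "FirmwareRead", "FirmwareWrite", "ServerDeployFirmware",
                   "ServerDeployOS", "ServerDeployUpdate", "UpdateRead", "JobRead"},
    "unload group": {"GroupRead", "ServerDeployUpdate", "UpdateRead", "JobRead"},
    "load server": {"FirmwareRead", "FirmwareWrite", "ServerDeployFirmware",
                    "ServerDeployOS", "ServerDeployUpdate", "JobRead"},
    "unload server": {"ServerDeployUpdate", "UpdateRead", "JobRead"},
    # Table 2-7: remove, set and reset
    "remove group": {"GroupWrite"},
    "remove osprofile": {"OSProfileWrite"},
    "remove role": {"RoleWrite"},
    "set firmware": {"FirmwareRead", "FirmwareWrite"},
    "set group": {"GroupRead", "GroupWrite"},
    "set group group refresh": {"ServerWrite", "JobRead"},
    "set notification": {"NotificationRuleRead", "NotificationRuleTest", "NotificationRuleWrite"},
    "set os": {"OSWrite"},
    "set osprofile": {"OSProfileWrite", "OSProfileRead", "UpdateRead"},
    "set role": {"RoleWrite"},
    "set server": {"ServerExecute", "ServerRead", "UpdateRead", "JobRead"},
    "set server server refresh": {"ServerWrite", "JobRead"},
    "reset server": {"ServerWrite", "JobRead"},
    "reset group": {"ServerWrite", "JobRead"},
    # Table 2-8: show, start and stop
    "show firmware": {"FirmwareRead"},
    "show group": {"GroupRead"},
    "show job": {"JobRead"},
    "show log": {"LogRead"},
    "show notification": {"NotificationRuleRead"},
    "show privilege": set(),
    "show role": {"RoleRead"},
    "show os": {"OSRead"},
    "show osprofile": {"OSProfileRead", "UpdateRead"},
    "show server": {"ServerRead"},
    "show update": {"UpdateRead"},
    "show user": {"UserRead"},
    "start group": {"ServerWrite", "JobRead"},
    "start notification": {"NotificationRuleWrite"},
    "start server": {"ServerWrite", "JobRead"},
    "stop group": {"ServerWrite", "JobRead"},
    "stop job": {"JobWrite", "JobRead"},
    "stop server": {"ServerWrite", "JobRead"},
}


def commands_allowed(privileges):
    """Every command (sorted) whose required privileges are all in `privileges`."""
    held = set(privileges)
    return sorted(cmd for cmd, need in PRIVILEGES_REQUIRED.items() if need <= held)


def minimal_privileges(commands):
    """Union of the privileges the tables require for the given commands."""
    needed = set()
    for cmd in commands:
        if cmd not in PRIVILEGES_REQUIRED:
            raise KeyError(f"command not in Tables 2-5 to 2-8: {cmd!r}")
        needed |= PRIVILEGES_REQUIRED[cmd]
    return needed


def excess_privileges(role_privileges, intended_commands):
    """Privileges a role carries beyond what its intended commands need."""
    return set(role_privileges) - minimal_privileges(intended_commands)


# The custom OSUpdateAdmin role exactly as the chapter describes it.
OSUPDATEADMIN = {"GroupRead", "JobRead", "LogRead", "ServerDeployUpdate",
                 "ServerRead", "UpdateRead", "UpdateWrite"}
```

Run commands_allowed(OSUPDATEADMIN) to see that the role unlocks the update commands (create, delete, show update; unload server and unload group) plus a handful of read-only show commands, and nothing under create user, load server or set server; excess_privileges(OSUPDATEADMIN, [...]) with the commands you actually intend the role for reports which of its privileges could be dropped.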

Security Administrator Rules

Important rules for N1 System Manager security administrators are:

Procedure: To Create a Role

Before You Begin

Use the show privilege all command to list all of the valid privileges.

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Create a new role with one or more privileges.


    N1-ok> create role role [description description] privilege privilege[,privilege...]

    See create role in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can also use the add role command to add privileges to the role later.

Procedure: To Delete a Role

Before You Begin

A role cannot be deleted if it is currently added to one or more users. If you try to delete a role that is being used, an error occurs. To successfully delete a role, an authorized user must first remove the role from all users and then attempt the role deletion.

Use the show role all command to list all of the valid roles.

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Delete a role.


    N1-ok> delete role role
    

    See delete role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.
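The rules this chapter states for the security administrator, that role and user management needs the SecurityAdmin role, that system default roles cannot be modified (Table 2–3), that a role still added to a user cannot be deleted (the note before the steps above), and that a non-root user holding only SecurityAdmin cannot extend its own privilege set (the note under Managing Roles), are enforced by the N1 System Manager itself. The following Python model is an added illustration and not Sun's code: it reproduces those checks in memory so that the behaviour of create role, add role, delete role, create user, add user, remove user and set user can be read and exercised without a management server. The seed state (root holding Admin, ReadOnly and SecurityAdmin, with Admin as default) is the one the chapter describes; privilege names are not validated, the Admin and ReadOnly privilege lists are left empty, and treating the first role given to create user as its default role is an assumption.

```python
"""In-memory model of the N1 System Manager role store. Added illustration,
not Sun's code: n1sh enforces these rules server-side; they are reproduced
here from the chapter so they can be read and tested. Privilege names are
not validated."""

# Table 2-3: system default roles, which cannot be modified.
SYSTEM_DEFAULT_ROLES = {"Admin", "ReadOnly", "SecurityAdmin"}


class PolicyError(Exception):
    """An operation that would violate one of the chapter's rules."""


class RoleStore:
    def __init__(self):
        # Seed state the chapter describes: root holds all three system default
        # roles with Admin as default. Admin/ReadOnly privilege lists are elided.
        self.roles = {
            "Admin": set(), "ReadOnly": set(),
            "SecurityAdmin": {"RoleRead", "RoleWrite", "UserRead", "UserWrite", "PrivilegeRead"},
        }
        self.users = {"root": {"SecurityAdmin", "ReadOnly", "Admin"}}
        self.default_role = {"root": "Admin"}

    def _require_security_admin(self, actor):
        # Simplification: n1sh checks the role active for the session (default
        # role or -r); here merely holding SecurityAdmin is enough.
        if "SecurityAdmin" not in self.users.get(actor, set()):
            raise PolicyError(f"{actor!r} needs the SecurityAdmin role for this operation")

    def _self_extension_blocked(self, actor):
        # Note under "Managing Roles": a non-root user whose only role is
        # SecurityAdmin may not add roles to its own account.
        return actor != "root" and self.users.get(actor) == {"SecurityAdmin"}

    def create_role(self, actor, role, privileges):
        self._require_security_admin(actor)
        if role in self.roles:
            raise PolicyError(f"role {role!r} already exists")
        self.roles[role] = set(privileges)

    def add_role_privilege(self, actor, role, privileges):
        self._require_security_admin(actor)
        if role in SYSTEM_DEFAULT_ROLES:  # Table 2-3: cannot be modified
            raise PolicyError(f"system default role {role!r} cannot be modified")
        self.roles[role] |= set(privileges)

    def delete_role(self, actor, role):
        self._require_security_admin(actor)
        if role not in self.roles:
            raise PolicyError(f"unknown role {role!r}")
        holders = sorted(u for u, held in self.users.items() if role in held)
        if holders:  # "To Delete a Role": remove it from all users first
            raise PolicyError(f"role {role!r} is still added to users {holders}")
        del self.roles[role]

    def create_user(self, actor, user, roles):
        self._require_security_admin(actor)
        roles = list(roles)
        unknown = set(roles) - set(self.roles)
        if unknown or not roles:
            raise PolicyError(f"unknown or missing roles for {user!r}: {sorted(unknown)}")
        self.users[user] = set(roles)
        self.default_role[user] = roles[0]  # assumption: first role listed

    def add_user_role(self, actor, user, role):
        self._require_security_admin(actor)
        if user == actor and self._self_extension_blocked(actor):
            raise PolicyError(f"{actor!r} may not add roles to its own account")
        if role not in self.roles or user not in self.users:
            raise PolicyError(f"unknown role {role!r} or user {user!r}")
        self.users[user].add(role)

    def remove_user_role(self, actor, user, role):
        self._require_security_admin(actor)
        self.users[user].discard(role)

    def set_default_role(self, actor, user, role):
        self._require_security_admin(actor)
        if role not in self.users.get(user, set()):
            raise PolicyError(f"{role!r} is not added to user {user!r}")
        self.default_role[user] = role

    def show_user(self, user):
        """Same fields as the 'show user' output in Example 2-3."""
        return {"Name": user, "Default Role": self.default_role.get(user),
                "Roles": sorted(self.users[user])}


def rejected(operation):
    """True if operation() raises PolicyError; used to exercise the rules."""
    try:
        operation()
    except PolicyError:
        return True
    return False
```

Creating the OSUpdateAdmin role as root, adding it to a user, then calling delete_role on it reproduces the error the procedure warns about; only after remove_user_role does the deletion succeed. A user seeded with SecurityAdmin alone can add roles to other accounts but is refused when the target is itself.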

Procedure: To Add a Privilege to a Role

Before You Begin

Use the show privilege all command to list all of the valid privileges.

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Add one or more privileges to a role.


    N1-ok> add role role privilege privilege[,privilege...]

    See add role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.


    Tip –

    If you want to add most of the privileges to a role, you can use the all option to add all the privileges and then use the remove role command to remove the unrequired privileges.


Procedure: To Remove a Privilege From a Role

Before You Begin

Use the show role role command to list all of the privileges currently added to a role.

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Remove one or more privileges from a role.


    N1-ok> remove role role privilege privilege[,privilege...]

    See remove role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.

Procedure: To List the Available Roles

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. List the available roles.


    N1-ok> show role all
    

Procedure: To List Privileges Added to a Role

Before You Begin

Use the show role all command to list all of the valid roles.

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. List the privileges that are added to a role.


    N1-ok> show role role
    

    See show role in Sun N1 System Manager 1.3 Command Line Reference Manual for details.


Example 2–1 Listing Privileges Added to a Role

The following example shows that the SecurityAdmin role has five privileges added to it.


N1-ok> show role SecurityAdmin

Name:       SecurityAdmin
Privileges: UserWrite, RoleWrite, RoleRead, PrivilegeRead, UserRead

Procedure: To List the Roles Added to All Users

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. List the roles that are added to all users.


    N1-ok> show user all
    

Procedure: To List the Available Privileges

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. List the available privileges.


    N1-ok> show privilege all
    

Procedure: To Set a User's Default Role (Normal Configuration)

This task is based on the normal configuration of the N1 System Manager, where the management server has access to both the provisioning and management networks.

Users are automatically logged in to the N1 System Manager with their assigned user default role. The user default role can be a custom role that has been assigned as a default role to the user, and does not have to be a system default role. System default roles are shown in Table 2–3.


Note –

The default role for the root user is automatically set to Admin after you reboot the management server or if you restart the N1 System Manager. You can still set the root user's default role to a different role, but the assignment is not permanent.


Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Show which roles are added to the user.


    N1-ok> show user user
    

    You must have the SecurityAdmin role's privileges to run this command. See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.

  3. Set a user's default role.


    N1-ok> set user user defaultrole defaultrole
    

    See set user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.

    If the N1 System Manager is running in normal configuration, with access to both the provisioning and management networks, you can assign the Admin role as the default role for all users, or create a custom role with the same privileges. Any custom role you create for users in this configuration must carry the privileges necessary for full functionality of the N1 System Manager.


Example 2–2 Setting a User's Default Role

The following example shows how to set the SecurityAdmin role as the default role for the root user.


N1-ok> show user root

Name:         root
Default Role: Admin
Roles:        SecurityAdmin, ReadOnly, Admin


N1-ok> set user root defaultrole SecurityAdmin

Procedure: To Set a User's Role (Restricted Mode)

This task is based on the restricted mode configuration of the N1 System Manager, where the management server has access only to either the provisioning network or to the management network, but not to both networks.

Users are automatically logged in to the N1 System Manager with their assigned user default role. The user default role can be a custom role that has been assigned as a default role to the user, and does not have to be a system default role. System default roles are shown in Table 2–3.

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Show which roles are added to the user.


    N1-ok> show user user
    

    You must have the SecurityAdmin role's privileges to run this command. See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.

  3. Set a user's restricted mode role.


    N1-ok> set user user defaultrole defaultrole
    

    See set user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.

    • For the restricted mode in which the N1 System Manager has access only to the management network, use the following command:


      N1-ok> set user user defaultrole MgmtAdmin
      
    • For the restricted mode in which the N1 System Manager has access only to the provisioning network, use the following command:


      N1-ok> set user user defaultrole ProvAdmin
      

    See Table 2–4 for details about privileges associated with these roles.

    It is possible to delete or modify the ProvAdmin and MgmtAdmin restricted mode roles, but any custom role that replaces them must contain the privilege set the N1 System Manager needs in order to operate in restricted mode; otherwise system stability is affected. See Restricted Mode Capabilities for details.

Procedure: To Show a User's Default Role

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Show a user's default role.


    N1-ok> show user user
    

    See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.


Example 2–3 Showing a User's Default Role

The following example shows that the root user has the Admin default role.


N1-ok> show user root

Name:         root
Default Role: Admin
Roles:        SecurityAdmin, ReadOnly, Admin

Procedure: To Add a Role to a User

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Add one or more roles to a user.


    N1-ok> add user user role role[,role...]

    See add user in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can use the show role all command to list all of the valid roles.

Procedure: To Remove a Role From a User

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. Remove one or more roles from a user.


    N1-ok> remove user user role role[,role...]

    See remove user in Sun N1 System Manager 1.3 Command Line Reference Manual for details. You can use the show user user command to list all the roles currently added to the user.

Procedure: To List the Roles Added to a Specific User

Steps
  1. Log in to the N1 System Manager.

    See To Access the N1 System Manager Command Line for details.

  2. List the roles that are added to a user.


    N1-ok> show user user
    

    See show user in Sun N1 System Manager 1.3 Command Line Reference Manual for details.


Example 2–4 Listing the Roles That Are Added to a Specific User

The following example shows that the root user currently has the SecurityAdmin, ReadOnly, and Admin roles, and that the user has the Admin default role.


N1-ok> show user root

Name:         root
Default Role: Admin
Roles:        SecurityAdmin, ReadOnly, Admin