Add Users to be Administrators

The install team in the role root creates at least two users, to assume the roles secadmin and admin. It is also useful to create a user who can assume the role root.

Where site security policy permits, you can choose to create one user who can assume more than one administrative role.

Prerequisite

The home directory server is either

• In communication with the NIS+ root master and the home directories are automounting, or

• The home directory server is the NIS+ root master.

To Create a User

1. On the home directory server, log in and assume the role root.

2. Open the User Manager with the NIS+ Naming Service option.

   ---

   Caution -

   Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.

   ---

3. Create a user who can assume the role admin.

   1. See Table 5-1 for the information to enter for a user.

      Make sure you enter information in every dialog.

   2. Read the Comments column for guidance.

      Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.

      Table 5-1 User Account Characteristics

      Dialog	Account Characteristic	Comments
      Identity	User name
      	User ID	(1001 or higher)
      	Primary groups	10
      	Secondary groups
      	Comment	No proprietary info here.
      	Login shell
      	User Type	Normal
      Password	Password	Assign a password of 8 alphanumeric characters.
      	Change dates, expiration dates, warnings
      	Change by Type in or Choose from list
      	Status	Open
      	Cred Table Setup	Yes, leave it checked.
      Home	Create home directory	Yes. In a multilevel system, a multilevel home directory will be created.
      	Home directory pathname	/mount_path/username
      	Server	home directory server
      	Skeleton path	Yes, use it.
      	Default permissions on home directory
      	Mail server
      	Cred?	Yes, leave it checked.
      	AutoHome setup	Yes, when networked; No, when non-networked.
      Labels	Clearance	not ADMIN_HIGH
      	Minimum Sensitivity Label	not ADMIN_LOW
      	Label View
      	SL visibility	If your site is a no-label site, choose Hide.
      	IL visibility
      Roles	Can assume role	secadmin
      Profiles	Can use profile	Enable Login, All...
      Idle	Lockscreen or logout
      	Time

4. Create another user, one who can assume the administrative role secadmin.

   ---

   Note -

   To ensure that someone can always log in, use the status Always Open for the secadmin role, and for the user who can assume the secadmin role.

   ---

5. You may choose to create a third user to assume the role root.

   These three users should each have at least the following profiles:

   • Enable Login - user can enable logins after a workstation reboot

   • All - user can run basic commands, such as ls

   After checking your site security policy, you may want to add the profile:

   • Convenient Authorizations - user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the workstation

6. Close the User Manager

• Setting up users is a two-role, trusted procedure. The Failed Cross Reference Formatin the role root should set up only the initial administrators.

• In a multilabel environment, users are set up with a useful file, Failed Cross Reference Format, from the Skeleton Path.

See Trusted Solaris User's Guide and "Managing User Accounts" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.