Consider the following when creating a security policy for using Solstice AdminSuite in a name service environment.
Determine how much trust is needed.
If your network is secure and you do not need to use authentication security, you can use Solstice AdminSuite applications with the default Level 1 security.
If you need to enforce a higher level of security, you can set the security level of sadmind to Level 2.
Determine which name service will be used.
The name service determines where the security methods get information about user and group identities. The name services are designated in the /etc/nsswitch.conf file (see "Name Service Information").
Decide which users have access to Solstice AdminSuite.
Decide which users will perform administrative functions over the network with Solstice AdminSuite. List these users as members of group 14 as accessed by the server system. Group 14 must be accessible from each system where administration data will be updated by Solstice AdminSuite. Group 14 can be established locally on each system or can be used globally within a name service domain, depending upon the policy established by the administrator.
Determine global and local policies.
The global policy affects all hosts in the network. For example, you can add members to group 14 in the NIS or NIS+ group file. Members of this group will have permission to perform administrative tasks on all server systems that list the network name service as the primary source of information. The name services are listed in the /etc/nsswitch.conf file. For more information about the nsswitch.conf file, see "Name Service Information".
A user can establish a local policy that is different from the global policy by creating a group 14 in the local /etc/group file and listing the users who have access to the local system. The members of this group will have permission to manipulate or run Solstice AdminSuite methods on the user's local system.
Setting up a local policy does not disable a global policy. Name service access is determined by the nsswitch.conf file.
Set up permissions for NIS+ management.
You need the proper permissions when using Solstice AdminSuite to modify or update the NIS+ files. In addition to the permissions required by Solstice AdminSuite, the NIS+ security mechanisms impose their own set of access permissions. The NIS+ security mechanisms are described in the NIS+ and FNS Administration Guide.
Set up access for NIS management.
If the NIS master server is running the Solaris 1.x operating system, a user must have a .rhosts entry on the NIS master server to modify the NIS files. If the NIS master server is running the Solaris 2.x operating system and the Name Services Transition Kit 1.2, then no entry is required if AdminSuite is already installed. The NIS updates will be authorized using the standard group 14 mechanism.
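The local and global group 14 policies described above both depend on the group entry in /etc/nsswitch.conf. The shell functions below are an added example, not part of the AdminSuite documentation or software: they report the lookup order for group data and the members of any GID 14 entry in the local group file. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: report where group 14 membership comes from on a host.

# Print the ordered sources on the "group:" line of an nsswitch.conf file,
# dropping comments and [STATUS=action] criteria.
group_sources() {
    awk '
        { sub(/#.*/, "") }
        $1 == "group:" {
            out = ""; skip = 0
            for (i = 2; i <= NF; i++) {
                if (skip || $i ~ /^\[/) { skip = ($i !~ /\]$/); continue }
                out = out (out == "" ? "" : " ") $i
            }
            print out; exit
        }' "$1"
}

# Print "name:members" for each GID 14 entry in a group(4) file,
# ignoring comments and +/- name service compat lines.
local_gid14() {
    awk -F: '$1 !~ /^[+#-]/ && $3 == 14 { print $1 ":" $4 }' "$1"
}

# Summarise both for the given files (defaults: the live system files).
audit_group14() {
    nss=${1:-/etc/nsswitch.conf}
    grp=${2:-/etc/group}
    sources=$(group_sources "$nss")
    echo "group lookup order: ${sources:-<no group: entry>}"
    case " $sources " in
        *" files "*|*" compat "*)
            members=$(local_gid14 "$grp")
            echo "local GID 14: ${members:-<none defined>}" ;;
        *)  echo "local group file is not consulted for group data" ;;
    esac
    case " $sources " in
        *" nis "*|*" nisplus "*)
            echo "group data is read from the network name service (nis/nisplus)" ;;
    esac
}

# Constructed sample files (not from the page) so the example runs offline.
demo=$(mktemp -d)
printf 'group: files nis   # local file first, then NIS\n' > "$demo/nsswitch.conf"
printf 'root::0:root\nsysadmin::14:alice,bob\n' > "$demo/group"
audit_group14 "$demo/nsswitch.conf" "$demo/group"
rm -rf "$demo"
```

Call audit_group14 with no arguments to check the live /etc/nsswitch.conf and /etc/group on a host.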