Users, Groups, and Roles Overview

Before you set up Sun Management Center users and user groups, you should understand the types of management operations that are possible so you can assign these operations to the appropriate user classes. Careful planning of user groups and roles helps ensure proper configuration management, and data integrity and security of management information and system resources.

No user may gain access to Sun Management Center without first being explicitly identified in the master access file /var/opt/SUNWsymon/cfg/esusers. To grant access to Sun Management Center, the user name must be added to /var/opt/SUNWsymon/cfg/esusers. The user may then log into Sun Management Center using the user name and password.

When a user logs in, Sun Management Center uses PAM based authentication to authenticate users. Sun Management Center controls access and defines the user privileges based on the following functional roles:

• Domain Administrators – This role is the highest-level role, which permits members to create top-level domains in a server context and to assign privileges for other Sun Management Center users within these domains. The domain administrator can create customized configurations for specific topology environments by creating specific domains and assigning user privileges for those domains. Users are considered domain administrators if the users are members of the esdomadm UNIX user group.

• Administrators – This role is the administration role for all operations outside the topology system. Administrators can perform privileged operations, including the loading of modules and the configuration of managed objects and data properties. Administrators can also specify access control at the agent and module level. This control makes this role instrumental in the establishment and maintenance of entitlement policies. Users are considered administrators if the users are members of the esadm UNIX user group.

• Operators – This role allows system users to configure their own domains and topology containers. The operator role also allows the users to configure managed objects with respect to their data acquisition and alarms, and to view management information. Although operators may enable or disable management modules, operators cannot, by default, load modules or alter access control privileges. Operators therefore represent a class of user that can effectively use the product and fine-tune its operation but who cannot affect major configuration or architectural changes. Users are considered operators if the users are members of the esops UNIX user group.

• General Users – This role is for users who are not explicitly members of the above three groups. General users are not granted extensive privileges and can by default only view management information and acknowledge alarms. The general user role is well suited for first-level support, in which problem identification, re-mediation, and escalation are the primary goals.

In large organizations, the Sun Management Center security roles are likely to map directly onto existing systems administration and support functions. For others, the process could be more involved, as the mapping between a corporate function and a product role could be less clear. In some cases, assignment of all logical roles to a single user could be warranted.

Specification of privileges is flexible and does not need to be confined to the four Sun Management Center security roles.

Sun Management Center privileges can be explicitly specified at the domain, topology container, agent, and module levels. The privileges specification can reference any arbitrary UNIX user or group, with the groups named above being used only by convention. The Sun Management Center privileges groups allow the use of existing account configurations when assigning functional roles. Although naming explicit users when assigning privileges is not recommended, the use of UNIX groups can be convenient in environments where such UNIX groups are already established.

For further information on security roles, groups, and users, see Setting Up Users andChapter 18, Sun Management Center Security, in Sun Management Center 3.6.1 User’s Guide.