Administration
admin_acl_file
In either case, administrative principals can delete any principal from their own realm, but have restricted delete privileges in realms other than their own.
As another example, administrative principals assigned the IDRm or IDRidm permissions have restricted delete permissions in all other realms but not their own, but can modify and delete any principal in their own realm.
• The Rr modifier restricts permissions for all principals listed in the admin_acl_file in every realm supported by the primary security server. For example, administrative principals assigned the IMRimr permission cannot modify principals included in the admin_acl_file in any realm, including their own; they can modify only principals that are not included in the admin_acl_file.
• The e, E, g, and G permissions are not affected by the r, R, and Rr modifiers.
• Administrative principals assigned the icr or ICRicr permissions are still able to change their own passwords using the administrative tools.
Permissions other than c and C are restricted for restricted administrative principals. For instance, principals assigned the imr permission are not able to modify their own principal accounts.
An administrative principal assigned the r or R modifier in combination with the e or E permission can use Administrator to remove the r modifier from its own admin_acl_file entry. Do not assign these permission combinations; examples are ier, IER, IERr, and IEr.
• Administrative principals assigned the ic, icr, IC, or ICR permissions are able to change principal attributes and extract service keys, in addition to changing principal passwords. Under the r and R modifier rules, restricted administrators can perform these actions only for principal accounts not included in the admin_acl_file.
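The following script, added here as an illustration and not part of the product's own code, models the admin_acl_file rules described above and flags the e/E-plus-r/R combinations that should not be assigned. It assumes that lowercase letters grant an operation in the administrator's own realm, that uppercase letters grant it in all realms, and that the function names are the author's own; the page's example entries (IMRimr, IDRm, imr, icr) are used as constructed test inputs.

```python
from dataclasses import dataclass

# e/E and g/G are never limited by the r, R, or Rr modifiers.
UNRESTRICTED = frozenset("eg")


@dataclass(frozen=True)
class AclEntry:
    own_realm: frozenset   # lowercase letters: granted in the admin's own realm (assumed)
    all_realms: frozenset  # uppercase letters: granted in every realm (assumed)
    restrict_own: bool     # "r": own-realm access limited to non-ACL principals
    restrict_other: bool   # "R": other-realm access limited to non-ACL principals


def parse_perms(perms: str) -> AclEntry:
    """Split an admin_acl_file permission string such as 'IMRimr' into its parts."""
    own = {ch for ch in perms if ch.islower() and ch != "r"}
    every = {ch.lower() for ch in perms if ch.isupper() and ch != "R"}
    return AclEntry(frozenset(own), frozenset(every), "r" in perms, "R" in perms)


def allowed(perms: str, op: str, target_in_own_realm: bool,
            target_in_acl: bool, target_is_self: bool = False) -> bool:
    """Decide whether an admin holding `perms` may apply operation letter `op`
    (i, m, d, c, e, g, ...) to a target principal."""
    entry = parse_perms(perms)
    granted = op in entry.all_realms or (target_in_own_realm and op in entry.own_realm)
    if not granted:
        return False
    # Restrictions only bite for principals that are themselves in the admin_acl_file.
    if op in UNRESTRICTED or not target_in_acl:
        return True
    # A restricted admin may still change its own password with the admin tools.
    if op == "c" and target_is_self:
        return True
    restricted = entry.restrict_own if target_in_own_realm else entry.restrict_other
    return not restricted


def escapes_restriction(perms: str) -> bool:
    """True for entries like ier or IERr: e/E lets the admin edit its own ACL
    entry and drop the r/R modifier, so the restriction is not enforceable."""
    entry = parse_perms(perms)
    has_edit = "e" in entry.own_realm or "e" in entry.all_realms
    return has_edit and (entry.restrict_own or entry.restrict_other)
```

Run `escapes_restriction` over every entry in the file before deploying it; any True result is one of the combinations the text above says not to assign.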
100 | Chapter 6 |