Administration
admin_acl_file
FINANCE.BAMBI.COM realm name
* | all permissions |
To grant the principal, rabbit@FINANCE.BAMBI.COM, permission to add, list and inquire about any principal in the database, you can add the following line into the acl file:
rabbit@FINANCE.BAMBI.COM ali
Adding Entries to the admin_acl_file
You can add any principal name to the admin_acl_file as an entry with or without assigned administrative permissions.
To add a principal with assigned permissions, use the Principal
Information’s attribute tab of kadminl_ui. Refer to “Administrative
Permissions” on page 160.
Deciding which principal names to add to the admin_acl_file is a strategic decision. Consider the following:
•There should be only one admin_acl_file per primary server. All realms supported by the primary server are included in this file.
•Any principal name added to this file should have adequate protection, so that only the most trusted administrative principals can alter the principal account using the remote administration tool.
•Principals in the admin_acl_file that have assigned permissions can log on to the administrative tools, thereby becoming administrative principals.
The r, R, or Rr modifiers, when used with the a or A permission, restrict the principal names that can be added to the database. For instance, principals assigned the ‘IARiar’ permissions cannot add new principals that use an identifier/instance@REALM, which is already included in the admin_acl_file.
To take advantage of this restriction, you must consider the names you may want to add to the admin_acl_file.
98 | Chapter 6 |