Administering the Kerberos Server
The admin_acl_file File
Creating Administrative AccountsYou can set administrative permissions in admin_acl_file using one of the following methods:
•Using the HP Kerberos Administrator to set administrative permissions. When you change the administrative permissions of the principal, admin_acl_file is automatically updated.
•Editing admin_acl_file directly. To edit this file, you need to have the required system file administration rights.
| Using Restricted Administrator |
| The r, R, and Rr modifiers are used with the a, A, c, C, d, D, i, I, m, M, x, or |
| X permissions to permit administrative principals to use those options |
| only against certain principals. |
| How the r/R Modifiers Work |
| Consider the following factors while using the r, R, and Rr modifiers: |
| • The r modifier restricts only lowercase permissions. For instance, |
| administrative principals with ird permissions cannot delete |
| principals from their own realm that are included in |
| admin_acl_file. |
|
|
NOTE | The r modifier does not restrict |
| instance, administrative principals assigned with IMimr permissions |
| cannot modify principals in their own realm that are included in |
| admin_acl_file, but they are able to modify any principal in all |
| other realms supported by the primary security server. |
| • The R modifier restricts only uppercase letter permissions and only |
| |
| applies to realms other than the realm of the administrative |
| principal. For instance, administrative principals assigned the IRD |
| permissions cannot delete principals included in admin_acl_file |
| from any realm except their own. |
Chapter 8 | 117 |