Administration

admin_acl_file

Creating Administrative Accounts

You can set administrative permissions in the admin_acl_file using one of the following methods:

Use the Administrator to set administrative permissions. The admin_acl_file is edited automatically when you change the administrative permissions of the principal.

Edit the admin_acl_file directly. To edit this file you must have the required system file administration rights.

Using Restricted Administrator

The r, R, and Rr modifiers are used in combination with the a, A, c, C, d, D, i, I, m, M, x, or X permissions to permit administrative principals to use those options only against certain principals.

How the r/R Modifiers Work

There are several important considerations about using the r, R, and Rr modifiers:

The r modifier restricts only lower-case permissions. For instance, administrative principals assigned the ird permissions cannot delete principals from their own realm that are included in the admin_acl_file.

Note that the r modifier does not restrict upper-case permissions. For instance, administrative principals assigned the IMimr permissions cannot modify principals in their own realm that are included in the admin_acl_file, but are able to modify any principal in all other realms supported by the primary security server.

The R modifier restricts only upper-case permissions and applies only to realms other than the administrative principal's realm. For instance, administrative principals assigned the IRD permissions cannot delete principals that are included in the admin_acl_file and belong to any realm other than their own.

Note that IRDid is equivalent to the IRD permissions because the upper-case permissions (not including the r and R modifiers) apply to all realms.
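The following Python sketch is an added example, not code from the HP manual or product: it encodes one reading of the r/R rules above and evaluates the four permission strings the text uses (ird, IMimr, IRD, IRDid). The names may_act and matrix, their parameters, and the two rules marked as assumptions in the comments are not from the manual.

```python
# Added example: models the r/R rules from the text; not HP's implementation.
OPS = "acdimx"  # operation letters named on the page (lower-case form)

def may_act(perms, op, same_realm, target_in_acl):
    """Decide whether an administrative principal holding `perms` may use
    operation `op` on a target principal.

    same_realm     -- target is in the administrator's own realm
    target_in_acl  -- target is itself listed in the admin_acl_file
    """
    if len(op) != 1 or op not in OPS:
        raise ValueError(f"unknown operation letter: {op!r}")
    has_lower = op in perms
    has_upper = op.upper() in perms
    if same_realm:
        if has_lower:
            # r restricts lower-case permissions: listed principals are off limits.
            return not ("r" in perms and target_in_acl)
        # Assumption: an upper-case letter on its own also covers the own realm
        # ("apply to all realms") and is not narrowed by r.
        return has_upper
    # Assumption: lower-case letters grant nothing outside the own realm.
    if not has_upper:
        return False
    # R restricts upper-case permissions, and only in other realms.
    return not ("R" in perms and target_in_acl)

def matrix(perms, op):
    """All four (same_realm, target_in_acl) outcomes for one operation."""
    return {(s, t): may_act(perms, op, s, t)
            for s in (True, False) for t in (True, False)}

if __name__ == "__main__":
    for perms, op in [("ird", "d"), ("IMimr", "m"), ("IRD", "d"), ("IRDid", "d")]:
        for (same, listed), ok in matrix(perms, op).items():
            realm = "own realm  " if same else "other realm"
            target = "listed in ACL" if listed else "not listed   "
            print(f"{perms:6} {op} {realm} {target} -> {'allow' if ok else 'deny'}")
```

Reviewing the printed matrix for each entry before editing the admin_acl_file by hand shows where a missing r or R leaves other administrative principals open to modification or deletion.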

Chapter 6

HP UX Kerberos Data Security Software manual: Creating Administrative Accounts, Using Restricted Administrator