4 Replies Latest reply: Sep 13, 2013 1:59 PM by nychawk

    How Do I Create User Account with "limited admin rights"?

    nychawk

      Hello;

       

      I would like to give a handful of users the ability to log in to the DCC and enable them to add/delete/modify users and/or hosts only, i.e. People and/or hosts.

      Is there any way to:

      1.  Make a user with this admin capability?

      2.  Segregate the containers they are able to modify?

       

      Thanks to all in advance.

        • 1. Re: How Do I Create User Account with "limited admin rights"?
          Bobm53-Oracle

          Hello,

          I think that setting up an ACI could be an answer: you can specify both the subject/admin user dn, his/her rights and the target (like ou=People) where rights would be applied to.

          HTH

          • 2. Re: How Do I Create User Account with "limited admin rights"?
            nychawk

            BobM53, that would be needed regardless of what front end my users log in with; in my case I was looking for them to access the DIT via the DSCC/DCC, which is not possible.  Regardless, thank you for your reply, it is reassuring to know I am headed in the right direction.

             

            I am now looking towards installing something else like Apache Directory Studio, or some other GUI for users to manage the directory. 

             

            I will most likely create one or more ACIs to build groups, adding members to those groups as needed; each group being allowed to perform functions such as create users, lockout users, add/modify hosts, etc.

             

            I will most likely follow the steps outlined in:

            Directory Server Groups, Roles, and CoS - 11g Release 1 (11.1.1.7.0)

             

            Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?

             

            Thank you
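
The group-plus-ACI delegation discussed in replies 1 and 2, as an added example that is not part of the original posts: an LDIF sketch in the Directory Server ACI syntax. The suffix `dc=example,dc=com`, the `ou=Groups` and `ou=Hosts` containers, the group names, the member DNs and the `uid=`/`cn=` naming attributes are all assumptions to adapt to the real DIT.

```ldif
# Added example. All DNs below are assumed placeholders.
# 1. One static group per delegated function; membership decides who gets it.
dn: cn=People Admins,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: People Admins
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com

dn: cn=Host Admins,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Host Admins
uniqueMember: uid=asmith,ou=People,dc=example,dc=com

# 2. ACI stored on the container, so it only covers that subtree.
#    target: only uid=... entries under ou=People, not the container itself.
#    targetattr != "aci": delegated admins cannot edit access controls and
#    so cannot widen their own rights.
#    Folded lines start with two spaces: the first is the LDIF continuation
#    marker, the second is kept as a separator inside the value.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,ou=People,dc=example,dc=com")
  (targetattr != "aci")
  (version 3.0; acl "People Admins manage user entries";
  allow (read,search,compare,add,delete,write)
  groupdn = "ldap:///cn=People Admins,ou=Groups,dc=example,dc=com";)

# 3. Same pattern for hosts, granted to a different group.
dn: ou=Hosts,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,ou=Hosts,dc=example,dc=com")
  (targetattr != "aci")
  (version 3.0; acl "Host Admins manage host entries";
  allow (read,search,compare,add,delete,write)
  groupdn = "ldap:///cn=Host Admins,ou=Groups,dc=example,dc=com";)
```

Because neither ACI covers `ou=Groups`, members of these groups cannot add themselves or others to a delegated-admin group; group membership stays with whoever already administers that container.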


            • 3. Re: How Do I Create User Account with "limited admin rights"?
              JimKlimov

              > Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?

               

              Use RBAC pfexec (or old-school sudo) to elevate privileges from ordinary accounts? Perhaps not to full root, but to specific actions (sudo, pfexec) or predefined RBAC profiles (for commands, SMF operator/management access, etc.)

               

              Ultimately you can forbid direct root logins, downright to making it a role account (instead of a user account) as may be default in Solaris 11 since OpenSolaris days?

               

              Or do it old-school - whoever uses the root account last, generates a new password, writes it down on a scrap of paper and stores it in a safe-box accessible only by admins? This usually works for systems where root is only for console use, and the locked safe-box is nearby...

               

              //Jim

              • 4. Re: How Do I Create User Account with "limited admin rights"?
                nychawk

                Thank you Jim, I will look into this.