4 Replies. Latest reply: Sep 13, 2013 11:59 AM by nychawk

How Do I Create User Account with "limited admin rights"?

nychawk Newbie

Hello;

I would like to give a handful of users the ability to log in to the DCC and enable them to add/delete/modify users and/or hosts only, i.e. People and/or hosts.

Is there any way to:

1.  Make a user with this admin capability?

2.  Segregate the containers they are able to modify?

Thanks to all in advance.

  • 1. Re: How Do I Create User Account with "limited admin rights"?
    bobm53 Explorer

    Hello,

    I think that setting up an ACI could be an answer: you can specify the subject/admin user DN, his/her rights, and the target (like ou=People) to which the rights would be applied.

    HTH

  • 2. Re: How Do I Create User Account with "limited admin rights"?
    nychawk Newbie

    BobM53, that would be needed regardless of what front end my users log in with; in my case I was looking for them to access the DIT via the DSCC/DCC, which is not possible. Regardless, thank you for your reply; it is reassuring to know I am headed in the right direction.

    I am now looking towards installing something else like Apache Directory Studio, or some other GUI for users to manage the directory.

    I will most likely create one or more ACIs to build groups, adding members to those groups as needed; each group being allowed to perform functions such as create users, lockout users, add/modify hosts, etc.

    I will most likely follow the steps outlined in:

    Directory Server Groups, Roles, and CoS - 11g Release 1 (11.1.1.7.0)

    Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?

    Thank you
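
The group-based delegation discussed in replies 1 and 2, sketched as an added example that is not part of the original posts or of Oracle's documentation. The suffix dc=example,dc=com, the ou=Groups and ou=Hosts containers, and the group and member names are assumptions chosen for illustration.

```ldif
# Constructed example: suffix, containers, group names and members are
# assumptions, not values from the thread.

# Static groups that hold the delegated administrators.
dn: cn=People Admins,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: People Admins
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com

dn: cn=Host Admins,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Host Admins
uniqueMember: uid=asmith,ou=People,dc=example,dc=com

# Each ACI is stored on the container it governs, so it applies to that
# subtree only: People Admins get no rights under ou=Hosts, and vice versa.
# targetattr != "aci" withholds the aci attribute itself, so group members
# cannot rewrite access control to widen their own rights.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "People Admins manage People";
  allow (read,search,compare,write,add,delete)
  groupdn = "ldap:///cn=People Admins,ou=Groups,dc=example,dc=com";)

dn: ou=Hosts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "Host Admins manage Hosts";
  allow (read,search,compare,write,add,delete)
  groupdn = "ldap:///cn=Host Admins,ou=Groups,dc=example,dc=com";)
```

Because the rights are bound to groups rather than to individual DNs, granting or revoking the delegated role is a change to uniqueMember and leaves the ACIs untouched.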


  • 3. Re: How Do I Create User Account with "limited admin rights"?
    JimKlimov Newbie

    > Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?

    Use RBAC pfexec (or old-school sudo) to elevate privileges from ordinary accounts? Perhaps not to full root, but to specific actions (sudo, pfexec) or predefined RBAC profiles (for commands, SMF operator/management access, etc.)

    Ultimately you can forbid direct root logins, right down to making it a role account (instead of a user account) as may be default in Solaris 11 since OpenSolaris days?

    Or do it old-school - whoever uses the root account last generates a new password, writes it down on a paper scrap and stores it in a safe-box accessible only by admins? This usually works for systems where root is only for console use, and the locked safe-box is nearby...

    //Jim

  • 4. Re: How Do I Create User Account with "limited admin rights"?
    nychawk Newbie

    Thank you Jim, I will look into this.
