I would like to give a handful of users the ability to log in to the DCC and enable them to add/delete/modify users and/or hosts only, i.e. people and/or hosts.
Is there any way to:
1. Make a user with this admin capability?
2. Segregate the containers they are able to modify?
Thanks to all in advance.
BobM53, That would be needed regardless of what front end my users log in with, in my case I was looking for them to access the DIT via the DSCC/DCC, which is not possible. Regardless, thank you for your reply, it is reassuring to know I am headed in the right direction.
I am now looking towards installing something else like Apache Directory Studio, or some other GUI for users to manage the directory.
I will most likely create one or more ACIs to build groups, adding members to those groups as needed; each group being allowed to perform functions such as create users, lockout users, add/modify hosts, etc.
I will most likely follow the steps outlined in:
Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?
> Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?
Use RBAC pfexec (or old-school sudo) to elevate privileges from ordinary accounts? Perhaps not to full root, but to specific actions (sudo, pfexec) or predefined RBAC profiles (for commands, SMF operator/management access, etc.)
Ultimately you can forbid direct root logins, downright to making it a role account (instead of a user account) as may be default in Solaris 11 since OpenSolaris days?
Or do it old-school - whoever uses the root account last, generates a new password, writes it down on paper scrib and stores it in a safe-box accessible only by admins? This usually works for systems where root is only for console use, and the locked safe-box is nearby...
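As an added example (not part of any post in this thread): a small audit of the two things the reply above turns on, whether root is a role account and which accounts may assume it. It assumes the Solaris `user_attr` format (`user:qualifier:res1:res2:attr`); the sample entries are constructed, and the function names are hypothetical.

```python
# Constructed sample in Solaris user_attr(4) format: user:qualifier:res1:res2:attr
SAMPLE_USER_ATTR = """\
# constructed sample, not from a real host
root::::type=role;auths=solaris.*;profiles=All
alice::::type=normal;roles=root;profiles=Primary Administrator
bob::::profiles=Service Operator
carol::::roles=backup,root
"""


def parse_user_attr(text):
    """Return {name: {key: value}} for each non-comment user_attr line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        entries[fields[0]] = attrs
    return entries


def audit_root(text):
    """Return (root_is_role, sorted accounts whose roles= list includes root)."""
    entries = parse_user_attr(text)
    root_is_role = entries.get("root", {}).get("type") == "role"
    can_assume = sorted(
        name for name, attrs in entries.items()
        if "root" in [r.strip() for r in attrs.get("roles", "").split(",")]
    )
    return root_is_role, can_assume


if __name__ == "__main__":
    is_role, holders = audit_root(SAMPLE_USER_ATTR)
    print("root is a role account:", is_role)
    print("accounts allowed to assume root:", ", ".join(holders) or "none")
```

This only reads role assignments; rights profiles that grant root-equivalent commands through pfexec, and any sudoers rules, need a separate review.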