The purpose of this document is to describe the various levels of administrator privilege that may be granted to a user on AIX systems. The level of access granted depends on who the user is, what tasks the user needs to perform, and how often the user needs to perform them.

The levels of administrator privilege include:

System Administrator

The "System Administrator" by default has full access to all system resources, functions, and content. The user ID used for this purpose is "root". Access to this login and its password should be strictly reserved for members of the Mt Xia Opensystems Group. No one outside this group should be able to log in to any AIX machine as "root" or have access to the "root" password.

Printer Management

Application administrators will need the ability to manage printers and to enable or disable them. This level of administration can be granted by adding the user name to the "printq" group. Membership in "printq" provides no other system or application privileges and may be granted to those application users who are AIX literate.

User Management

The system administrator(s) for each machine and members of the information security group will require administrative privileges that provide user management capabilities. These privileges allow the holder to create, modify, and remove users from a system. They also allow the holder to reset passwords, unlock a "locked" account, and reset a user's failed login count.

From time to time, vendors, contractors, consultants, and application administrators may need "root" access to one or more AIX machines. To provide this access, we must analyze and segment the individual requirements and merits of each request. Three mechanisms are available, in increasing order of privilege:

"sudo" Access

Users who need to run a small set of specific commands as "root" should be granted "sudo" access. The system administrator must configure "sudo" on each machine and assign each user the privilege to run each required command; no other commands are permitted.

"ash" Group Access

Users who need to run a larger set of commands, or a set of commands that cannot be determined in advance, as "root" should be added to the "ash" group. Members of this group are allowed to run the "ash" shell, which provides a Korn shell with administrator ("root") privileges.

"apple" ID (full access)

Users who need full "root" access to one or more machines should be assigned an "apple" user ID. This ID provides "root" access to the machine but does not reveal the root password to these users. These users log in to a machine using their normal user login ID, then "su" to their assigned "apple" account. The "apple" IDs have a two-digit number on the end, just like normal user names. This allows for more than one "apple" account on each machine and has the following form:

The "USER INFORMATION" field of each "apple" account should contain information regarding who the account is assigned to and when it was created. By default the "apple" accounts should automatically expire after 30 days. If a longer duration is required, the requesting user must specify the duration at the time the account is requested.
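As an added example (not part of the original policy document), the following audit script checks constructed AIX account data against the rules above: no UID 0 account other than "root" outside the "apple" naming scheme, every "apple" account has a populated "USER INFORMATION" (gecos) field, and every "apple" account has an expiry set. It assumes the AIX /etc/passwd and /etc/security/user stanza formats, where "expires" is MMDDhhmmyy and "0" means never expires.

```python
"""Audit AIX account data against the privilege-level policy above."""
import re
from datetime import datetime

# Constructed sample data (not from any real machine). The gecos field of
# /etc/passwd is what SMIT labels "USER INFORMATION".
PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
apple01:!:0:0:assigned to J. Doe (vendor), created 2024-03-01:/home/apple01:/usr/bin/ksh
apple02:!:0:0::/home/apple02:/usr/bin/ksh
svcroot:!:0:0:misc:/home/svcroot:/usr/bin/ksh
jsmith:!:205:1:J. Smith:/home/jsmith:/usr/bin/ksh
"""
SECURITY_USER = """\
default:
        expires = 0

apple01:
        expires = 0401000024

apple02:
        expires = 0
"""
APPLE_RE = re.compile(r"^apple\d{2}$")  # two-digit suffix, as the policy requires

def parse_passwd(text):
    """Return {name: {'uid': int, 'gecos': str}} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, _gid, gecos, _home, _shell = line.split(":")
            users[name] = {"uid": int(uid), "gecos": gecos}
    return users

def parse_security_user(text):
    """Parse an AIX stanza file: 'name:' header, then indented 'attr = value'."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def audit(users, stanzas):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root" and not APPLE_RE.match(name):
            findings.append(f"{name}: UID 0 account outside the root/apple scheme")
        if APPLE_RE.match(name):
            if not u["gecos"].strip():
                findings.append(f"{name}: USER INFORMATION field is empty")
            # A missing per-user attribute falls back to the 'default' stanza.
            exp = stanzas.get(name, {}).get("expires", stanzas.get("default", {}).get("expires", "0"))
            if exp == "0":
                findings.append(f"{name}: no expiry set (policy requires 30 days)")
            else:
                try:
                    datetime.strptime(exp, "%m%d%H%M%y")
                except ValueError:
                    findings.append(f"{name}: malformed expires value {exp!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_passwd(PASSWD), parse_security_user(SECURITY_USER)):
        print(finding)
```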