The purpose of this document is to describe the various levels of administrator privilege which may be granted to a user on the AIX systems. This level of access granted will depend upon who the user is, what tasks the user needs to perform, and how often the user needs to perform these tasks.
The levels of administrator privilege include:
The "System Administrator" by default has full access to all system resources, functions, and content. The user ID used for this purpose is "root". Access to this login and password should be strictly reserved for members of the Mt Xia Opensystems Group. No one outside this group should be able to login to any AIX machine as "root" or have access to the "root" password.
Application administrators will need the ability to manage and enable/disable printers. This level of administration can be granted by adding the user name to the "printq" group. This does not provide any other system or application privileges and may be granted to those application users who are AIX literate.
The system administrator(s) for each machine and members of the
information security group will require administrative privileges which
provide user management capabilities. These privileges will allow the
ability to create, modify, and remove users from a system. They will
also allow the ability to reset passwords, unlock a "locked
" account,
and reset a users failed login count.
From time-to-time vendors, contractors, consultants, and application administrators may need "root" access to one or more AIX machines. In order to provide this access, we must analyze and segment the individual requirements and merits of each request.
sudo
" AccessFor those users who need to run a small set of specific commands as
"root", they should be granted "sudo
" access. The
system administrator must configure "sudo
" access on each
machine and assign privileges to each user to run each required
command.
For those users who need to run a larger set of commands or an undetermined set of commands as "root", they should be added to the "ash" group. Members of this group are allowed to run the "ash" shell which provides a "korn" shell with administrator or "root" privileges.
For those users who need full "root" access to one or more
machines, they should be assigned an "apple" user ID. This ID
provides "root" access to the machine, but does not reveal the
root password to these users. These users will login to a machine using
their normal user login ID, then "su
" to their assigned
"apple" account. The "apple" IDs have a two digit number
on the end just like normal user names. This allows for more than one
"apple" account on each machine and has the following form:
The "USER INFORMATION" field of each "apple" account should contain information regarding who this account is assigned to and when it was created. By default the apple accounts should automatically expire after 30 days. If a longer duration is required, the requesting user must specify a duration at the time the account is requested.