Users Tool: Getting Started

Users Tools: Getting Started

The first administrator to log in to the Solaris Management Console on a specific server must first decide whether to use Role-Based Access Control (RBAC), and then set up user and group accounts, based on that decision.

RBAC is an alternative to the all-or-nothing superuser model. It provides a means for granting users just the privileges needed to perform their jobs, through roles. Each role, which is a special user account, includes all appropriate privileges, and the user names of those who are permitted to assume that role. A user who assumes a role relinquishes his or her user identity, and takes on all the privileges of that role.

For more about roles, and how to plan for them, see the System Administration Guide: Security Services, Role-Based Access Control (Overview).

Choose Whether to Use RBAC

If you are that first administrator and, as prompted in the Login dialog box, you logged in as the root user, you have two choices for how to proceed.

Work Without RBAC

If you choose not to use RBAC at all, then continue working as root to create user accounts, groups, and mailing lists. All administrators will need root access to perform their jobs.

To use RBAC to a limited extent, continue as root user and set up some roles with lesser responsibilities, or assign minor rights directly to users. The advantage is that those roles and users can do their work without access to the root password. The next section, Work With RBAC, describes how to create roles, and you can use that information as a starting point.

Work With RBAC

If you choose to work with RBAC, you will need to do the following, as root user:

Set up your normal user account, if you do not already have one.
Create the role called Primary Administrator (a role with all the rights of the root user).
While creating the Primary Administrator role, assign the primary administrator right to the role you are creating.
Grant your own user account permission to assume the role of Primary Administrator. Then you can create additional, lesser roles.

Begin in the left (Navigation) pane of the Console by opening System Configuration and then Users.

Add Your Own User Account

(If you already have a user account on this server, proceed to "Create the Primary Administrator Role.")

Under Users, select User Accounts. Then click Action->Add User->With Wizard.

Step through the wizard to create a user account with your user name. Proceed to the next step to create the Primary Administrator role.
Create the Primary Administrator Role
Under Users, select Administrative Roles. Then click Action->Add Administrative Role.

Step through the wizard to create the Primary Administrator role, using the context help as a guide. Note the following entries:
- For the Role Name, enter Primary Administrator.
- When asked to assign rights to this role, select the Primary Administrator right and add it to the Granted Rights column.
- When asked to assign users to this role, type in your user name and add it to the list.

Set Up Accounts

Whether you are working as root user, or have created the Primary Administrator role, proceed to set up groups, user accounts, and mailing lists.

Add Groups, User Accounts, and Mailing Lists

Choose the appropriate Users tool for each task (User Accounts, Groups, Mailing Lists). The Action Menu in each tool provides an Add menu item and you should begin there.

Follow the context-sensitive help that appears when you select the appropriate wizard or dialog box. Add groups appropriate for your organization. By setting up mailing lists now, you can add future user accounts to those lists, as recipients.

Create User Templates

Once you have set up the basic set of users, consider creating user templates. Templates make it easier to create multiple users; a named collection of user properties becomes your starting point for adding new users.

Set Up Administrative Roles

Set up additional roles, as you did for yourself, except with more limited rights. Grant rights to each role and list the users who are entitled to take on each role. When users assume a role, they relinquish the properties of their own user account and take on the properties, including the rights, of the role.