The purpose of this document is to describe the various levels of
administrator privilege which may be granted to a user on the AIX
systems. The level of access granted will depend upon who the user
is, what tasks the user needs to perform, and how often the user needs
to perform these tasks.

The levels of administrator privilege include:
- System Administrator
- Printer Management
- User Management
- sudo access
- ash group access
- "appl" ID (full access)

The "System Administrator" by default has
full access to all system resources, functions, and content. The user
ID used for this purpose is "root". Access to this login and
password should be strictly reserved for members of the Mt Xia
Opensystems Group. No one outside this group should be able to log in to
any AIX machine as "root" or have access to the "root"

Application administrators will need the ability to manage and
enable/disable printers. This level of administration can be granted by
adding the user name to the "printq" group.
This does not provide any other system or application privileges and may
be granted to those application users who are AIX-literate.

The system administrator(s) for each machine and members of the
information security group will require administrative privileges which
provide user management capabilities. These privileges will allow the
ability to create, modify, and remove users from a system. They will
also allow the ability to reset passwords, unlock a "
and reset a user's failed login count.

From time to time, vendors, contractors, consultants, and application
administrators may need "root" access to one or more AIX
machines. In order to provide this access, we must analyze and segment
the individual requirements and merits of each request.

For those users who need to run a small set of specific commands as
"root", they should be granted "sudo" access. The
system administrator must configure "sudo" access on each
machine and assign privileges to each user to run each required

"ash" Group Access

For those users who need to run a larger set of commands or an
undetermined set of commands as "root", they should be added to
the "ash" group. Members of this group are allowed to run the
"ash" shell which provides a "korn" shell with administrator or

"appl" ID (full access)

For those users who need full "root" access to one or more
machines, they should be assigned an "appl" user ID. This ID
provides "root" access to the machine, but does not reveal the
root password to these users. These users will log in to a machine using
their normal user login ID, then "su" to their assigned
"appl" account. The "appl" IDs have a two-digit number
on the end just like normal user names. This allows for more than one
"appl" account on each machine and has the following form:

The "USER INFORMATION" field of each "appl" account should
contain information regarding who this account is assigned to and when
it was created. By default, the "appl" accounts should automatically
expire after 30 days. If a longer duration is required, the requesting
user must specify a duration at the time the account is requested.
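
The two rules above for "appl" accounts (a populated USER INFORMATION
field and an expiration date) can be checked mechanically. The script
below is an added example, not part of the original policy: it reads the
colon-format output of the AIX command "lsuser -c -a gecos expires ALL"
and reports violations. It assumes an "appl" ID is the prefix "appl"
followed by two digits (the exact name form is not reproduced above), and
the sample records are constructed.

```shell
#!/bin/sh
# Added example, not part of the original policy.
# On AIX:  lsuser -c -a gecos expires ALL | audit_appl appl
# "gecos" is the USER INFORMATION field; "expires" is MMDDhhmmyy, 0 = never.

# audit_appl PREFIX: read lsuser colon output on stdin and print one
# "name: finding" line per violation for accounts named PREFIX + two digits.
# Assumption: PREFIX + two digits is how the "appl" IDs are named.
audit_appl() {
    awk -F: -v prefix="$1" '
        /^#/ {                          # header row gives the column order
            sub(/^#/, "", $1)
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        # without a full header the columns are unknown: refuse to guess
        !(("name" in col) && ("gecos" in col) && ("expires" in col)) { exit 2 }
        {
            name = $(col["name"])
            if (index(name, prefix) != 1) next
            if (substr(name, length(prefix) + 1) !~ /^[0-9][0-9]$/) next
            gecos = $(col["gecos"])
            expires = $(col["expires"])
            if (gecos ~ /^[ \t]*$/)
                print name ": USER INFORMATION field is empty"
            if (expires == "" || expires + 0 == 0)
                print name ": no expiration date set"
        }'
}

# Constructed sample records (not taken from any real system).
sample_lsuser() {
    cat <<'EOF'
#name:gecos:expires
root:System Administrator:0
jsmith01:Jane Smith:0
appl01:Assigned to jsmith01, created 2024-03-01:0331000024
appl02:Assigned to bjones02, created 2024-03-05:0
appl03::0404000024
applx1:Not an appl ID:0
EOF
}

sample_lsuser | audit_appl appl
```

The check does not compare the expiration date against the 30-day default,
because a longer duration may have been approved at request time.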