Administrator's Guide


Chapter 6   Setting Up Users and Groups

This chapter describes how to define Silver Security users and groups--users and groups known only to SilverStream.

It contains these sections:

NOTE   SilverStream also provides access to external security providers, including Windows NT, LDAP, NIS+, and certificate issuers. For information about setting up access to users and groups from these providers, see Accessing security provider systems.

 

About Silver Security users and groups

You can define Silver Security users and groups in many ways. For example, you might want to define groups based on your site's organization--such as Accounting, Sales, and so on--and assign users to those groups. The groups can contain Silver Security users as well as users defined in external security realms. Users can belong to multiple groups.

After you define Silver Security users and groups, you can define access to any directories or objects in the system based on the Silver Server users and groups. For example, you might want to set certain permissions for members of the Accounting group and other permissions for members of the Developers group.

    For more information about using users and groups to set data permissions, see Authorization and access control.

Two predefined groups   After installation, the SilverStream server provides two predefined groups: Administrators and Developers. Both groups initially contain only the server administrator. Use these groups as a starting point for creating your own users and groups. If you want to use names that differ from the predefined group names, you can rename and then delete them, as described in the procedure later in this section.

Group   Description

Administrators   After installation, the server administrator is the only member of this group. This person is initially the only one who has the Locksmith privilege, which includes the ability to add new users and groups. See Using the Locksmith privilege.

    Add users that you want to be able to perform administration tasks to this group. You can assign users in this group all or a subset of all administration permissions. To administer the server, users need to be assigned Modify Server Configuration access. See Administrative server permissions.

Developers   After installation, the only privilege this user has (compared to users not part of the Administrators group) is the ability to browse directory listings.

Case sensitivity   Silver Security user names are case-insensitive if the SilverMaster database is case-insensitive; for example, administrator and Administrator are considered the same name. If SilverMaster is case-sensitive, so are user names.

Passwords are always case-sensitive. For example, admin and Admin are always considered different passwords.

    For more information, see Default group permissions.

 

About your administrator account

Your administrator account can be assigned to any user recognized by SilverStream security (SilverStream, NT, LDAP, NisPlus, or Certificate user).

When you installed the SilverStream server, you specified the user name and password for the SilverStream administrator account. This account was used when the new SilverMaster database catalog was created for SilverStream system management.

You use the server administrator account to log in to the SMC to administer the SilverStream server. You also need to specify the server administrator account to run the Designer and some of the SilverMasterInit command-line options.

The server administrator user account is part of the predefined Administrators group and has the Locksmith privilege. The Locksmith privilege provides Set Permissions privileges to any object on the server. Only accounts with the Locksmith privilege are able to assign Locksmith privilege to another account.

    For more information, see Using the Locksmith privilege.

NOTE   The server administrator account, which restricts who can log in and administer the SilverStream server, is distinct from the database administrator account. The SilverStream server uses the database administration account when connecting to the SilverMaster database. The only time you need to specify the SilverMaster database account is when you are running SilverMasterInit at the command line.

To create a new administrator account:

  1. Log in to the SMC using the existing Administrator account.

  2. Create a new administrator account or select an existing user from one of the security realms to be the administrator.

  3. Click Properties and assign the new account Locksmith privilege.

  4. Add the new administrator account to the Administrators group.

  5. Close the SMC.

  6. Restart the SMC and log in as the new administrator.

  7. Verify (using the Properties dialog) that the new account has Locksmith privilege.

  8. (Optional) Delete the older Administrator account.

 

Managing Silver Security users and groups

You can use the SMC to add Silver Security users, edit user properties, and add Silver Security groups.

NOTE   You can also perform these tasks using SilverCmd. For more information, see SetUserGroupInfo in the SilverCmd Reference of the Facilities Guide of the server's Core Help.

 

Adding Silver Security users

To add a user:

  1. Start the SMC.

  2. Select Security options.

  3. Select the Users & Groups panel.

  4. Expand Silver Security and select Users.

  5. Choose the New User icon at the bottom of the right pane.

    You are asked whether you want to define a SilverStream user or a certificate user.

  6. Select SilverStream user and click Next.

        For information on defining certificate users, see Manually installing client certificates.

    The New User form appears.

  7. Type in the appropriate information in each field.

    The Name field specifies the short name for the user. This is the name the user types in the Login box.

  8. After completing the form, click Finish.

 

Editing user properties

You can use the SMC to change user properties. For users defined in external security providers, the only editable property is the Locksmith privilege; for more information, see Using the Locksmith privilege.

Not allowing users to modify their properties    By default, users can change their own user properties. You can turn off this privilege. For more information about this privilege, see Enabling authentication.

To edit user properties:

  1. Start the SMC.

  2. Select Security options.

  3. Select the Users & Groups panel.

  4. Expand the Silver Security list of users.

  5. Highlight a user name and choose the Property Inspector.

    The following dialog appears.

  6. Modify any of the four editable fields.

    The Fully Qualified Name field corresponds to the Name field used to create the user. This field is not editable.

  7. If you have Locksmith privilege, you can also change whether the user you are modifying has Locksmith privilege.

        For more information, see Using the Locksmith privilege.

  8. Click OK.

 

Adding Silver Security groups

Creating groups helps streamline security administration by allowing you to categorize users within a larger context, such as a business organizational unit or a work role. A user can belong to one or more user groups within a SilverStream database, and can be granted access to objects by group or individual status.

To create a group:

  1. Start the SMC.

  2. Select Security options.

  3. Select the Users & Groups panel.

  4. Expand Silver Security and select Groups.

  5. Choose the New Group icon. The following dialog appears.

  6. Enter a name and a description for the group.

  7. Click OK.

To add users to a group:

  1. Start the SMC.

  2. Select Security options.

  3. Select the Users & Groups panel.

  4. Expand Silver Security and expand Groups.

  5. Select the SilverStream group to which you want to add users.

  6. Choose the Add Users to Group icon.

    The following dialog displays.

    NOTE   Your dialog might look different depending on which external security providers you have configured and the operating system used by the SilverStream server. For more information, see Accessing security provider systems.

  7. To add a user to the group, select the user in the left panel, then choose Add.

    You can add users defined by external security providers, such as NT domains, to Silver Security groups.

  8. To remove a selected user, choose Clear.

  9. To remove all users in the group, choose Clear All.

  10. When finished, click Close.

 

Using the Locksmith privilege

The SilverStream-defined user Administrator has the Locksmith privilege by default. The Locksmith privilege allows users to do the following:

NOTE   Since the Locksmith privilege provides powerful access to server functions and properties, you should limit it to yourself and other trusted users.

Be careful not to delete all users with the Locksmith privilege: a user must have Locksmith privilege to grant it to someone else. So if no one has that privilege, it cannot be granted. If you find yourself in that situation, you can run SilverMasterInit with the -l command-line option to define a Locksmith account.

    For more information, see Using the SilverMasterInit program.
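
Added example (not SilverStream code): a dry-run check that a planned series of account changes, such as replacing the administrator account, never breaks the rules above: only a Locksmith holder can grant the privilege, at least one holder must remain, and user names collide when SilverMaster is case-insensitive. The inventory format, the operation names, and the user jsmith are assumptions made for illustration.

```python
# Dry-run checker for planned account changes. The data shapes and operation
# names are assumptions of this sketch, not SMC or SilverCmd syntax.

def check_plan(users, plan, case_sensitive=False):
    """users: {name: has_locksmith}; plan: [(actor, op, target), ...].
    Returns a list of problems; an empty list means the plan is safe."""
    # User names compare case-insensitively when SilverMaster does.
    key = (lambda n: n) if case_sensitive else str.lower
    state, problems = {}, []
    for name, locksmith in users.items():
        if key(name) in state:
            problems.append(f"name collision: {name}")
        state[key(name)] = locksmith or state.get(key(name), False)
    for step, (actor, op, target) in enumerate(plan, 1):
        a, t = key(actor), key(target)
        if a not in state:
            problems.append(f"step {step}: actor {actor} does not exist")
        elif op == "create":
            if t in state:
                problems.append(f"step {step}: name collision: {target}")
            else:
                state[t] = False  # new accounts start without Locksmith
        elif t not in state:
            problems.append(f"step {step}: target {target} does not exist")
        elif op == "grant":
            # Only an account that holds Locksmith can grant it.
            if state[a]:
                state[t] = True
            else:
                problems.append(
                    f"step {step}: {actor} lacks Locksmith and cannot grant it")
        elif op in ("revoke", "delete"):
            if op == "delete":
                del state[t]
            else:
                state[t] = False
            # With no holder left, the privilege can no longer be granted.
            if not any(state.values()):
                problems.append(f"step {step}: no Locksmith holder remains")
        else:
            problems.append(f"step {step}: unknown operation {op}")
    return problems

# Constructed sample inventory and plans (jsmith is a made-up user).
INVENTORY = {"Administrator": True}
SAFE_PLAN = [("Administrator", "create", "jsmith"),
             ("Administrator", "grant", "jsmith"),
             ("jsmith", "delete", "Administrator")]
LOCKOUT_PLAN = [("Administrator", "create", "jsmith"),
                ("jsmith", "delete", "Administrator"),
                ("jsmith", "grant", "jsmith")]
```

SAFE_PLAN follows the order of the "To create a new administrator account" procedure; LOCKOUT_PLAN deletes the old account before the new one holds Locksmith, which is the situation that requires SilverMasterInit to recover from.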



Copyright © 2001, SilverStream Software, Inc. All rights reserved.