This chapter describes how to add users and groups for SilverStream Security.
NOTE This chapter covers defining Silver Security users and groups, that is, users and groups known only to SilverStream. SilverStream also provides access to external security providers, including Windows NT, LDAP, NIS+, and certificate issuers. For information about setting up access to users and groups from these providers, see Accessing security provider systems.
You can define Silver Security users and groups. These users and groups are known only by SilverStream. For example, you might want to define groups based on your site's organization--such as Accounting, Sales, and so on--and assign users to those groups. The groups can contain Silver Security users as well as users defined in external security realms. Users can belong to multiple groups.
After you define Silver Security users and groups, you can define access to any directories or objects in the system based on the Silver Server users and groups. For example, you might want to set certain permissions for members of the Accounting group and other permissions for members of the Developers group.
For more information about using users and groups to set data permissions, see Setting up access control.
Predefined user and groups
SilverStream provides two predefined groups and one predefined user:
Administrator, with the password admin. By default, the Administrator has the Locksmith privilege, which includes the ability to add new users and groups. See Using the Locksmith privilege.
These groups have no special status; you can delete them.
Case sensitivity
User names within SilverStream are case-insensitive if the SilverMaster database is case-insensitive. In that case, administrator and Administrator are considered the same name. If SilverMaster is case-sensitive, so are user names.
Passwords are always case-sensitive, so admin and Admin are considered different passwords.
NOTE For security purposes, you should change the administrator's password.
You can use the SMC to add Silver Security users, edit user properties, and add Silver Security groups.
NOTE You can also perform these tasks using SilverCmd. For more information, see SetUserGroupInfo in the SilverCmd chapter of the online Tools Guide.
You are asked whether you want to define a SilverStream user or a certificate user.
For information on defining certificate users, see Manually installing client certificates.
The New User form appears.
The Name field specifies the short name for the user. This is the name the user types in the Login box.
You can use the SMC to change user properties. For users defined in external security providers, the only editable property is the Locksmith privilege; for more information, see Using the Locksmith privilege.
Not allowing users to modify their properties
By default, users can change their own user properties. You can turn off this privilege. For more information about this privilege, see Enabling authentication.
The following dialog appears.
The "Fully qualified name" field corresponds to the Name field used to create the user. This field is not editable.
For more information, see Using the Locksmith privilege.
Creating groups helps streamline security administration by allowing you to categorize users within a larger context, such as a business organizational unit or a work role. A user can belong to one or more user groups within a SilverStream database, and can be granted access to objects by group or individual status.
The following dialog displays.
NOTE Your dialog might look different depending on which external security providers you have configured and the operating system used by the SilverStream Server. For more information, see Accessing security provider systems.
You can add users defined by external security providers, such as NT domains, to Silver Security groups.
The SilverStream-defined user Administrator has the Locksmith privilege by default. The Locksmith privilege allows users to do the following:
For information about defining security for the server and objects on the server, see Setting up access control.
Because the Locksmith privilege also allows you to set permissions, you can give yourself server administrative permissions.
NOTE Locksmiths don't have all permissions just by virtue of being Locksmiths, but by being Locksmiths, they can give themselves any permissions they want.
NOTE Since the Locksmith privilege provides powerful access to server functions and properties, you should limit it to yourself and other trusted users.
Be careful not to delete all users with the Locksmith privilege. A user must have the Locksmith privilege to grant it to someone else, so if no one has that privilege, it cannot be granted. If you find yourself in that situation, you can run SilverMasterInit with the -l command-line option to define a Locksmith account.
For more information, see Using the SilverMasterInit program.
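The account hygiene points from the Case sensitivity and Locksmith sections can be checked against a user inventory. The following is an added example, not SilverStream code: the inventory format, its field names, and the `audit_users` function are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed inventory. Field names are assumptions for this example,
# not a SilverStream export format.
SAMPLE_USERS = [
    {"name": "Administrator", "realm": "SilverStream", "locksmith": True, "password_changed": False},
    {"name": "jsmith", "realm": "SilverStream", "locksmith": False, "password_changed": True},
    {"name": "JSmith", "realm": "SilverStream", "locksmith": True, "password_changed": True},
    {"name": "DOMAIN\\ops", "realm": "NT", "locksmith": True, "password_changed": True},
]


def audit_users(users, master_case_sensitive, max_locksmiths=2):
    """Return sorted (check, detail) findings for a user inventory."""
    # User names compare case-insensitively only when SilverMaster does.
    key = (lambda s: s) if master_case_sensitive else str.casefold
    findings = []

    # Names differing only by case: distinct accounts on a case-sensitive
    # SilverMaster, the same account on a case-insensitive one.
    variants = defaultdict(set)
    for u in users:
        variants[(u["realm"], u["name"].casefold())].add(u["name"])
    for names in variants.values():
        if len(names) > 1:
            findings.append(("case-variant-names", ", ".join(sorted(names))))

    # Predefined Administrator whose shipped password was never changed.
    for u in users:
        if (u["realm"] == "SilverStream" and key(u["name"]) == key("Administrator")
                and not u["password_changed"]):
            findings.append(("default-password", u["name"]))

    # Locksmiths can grant themselves any permission, so keep the set small,
    # but never empty: with none left the privilege cannot be granted again.
    locksmiths = sorted(u["name"] for u in users if u["locksmith"])
    if not locksmiths:
        findings.append(("no-locksmith", "define one with SilverMasterInit -l"))
    elif len(locksmiths) > max_locksmiths:
        findings.append(("excess-locksmiths", ", ".join(locksmiths)))

    return sorted(findings)
```

The `max_locksmiths` threshold is a local policy choice, not a SilverStream limit.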