Setting Up a SecretStore Administrator

A SecretStore administrator can unlock locked SecretStores. To designate a SecretStore administrator, add that user's User object to the SecretStore Administrator List.

You might also want to add further security; see Adding Advanced Security.

To designate a SecretStore Administrator:

  1. In ConsoleOne, right-click the sssServerPolicy object or an sssServerPolicyOverride object, then click Properties.

  2. Click Novell SecretStore, then select Administrators from the drop-down list.

    The Administrators option in ConsoleOne

  3. Click Add, navigate to and click the desired User object, then click Select > OK > OK.

    The user is now a SecretStore Administrator.

The following figure illustrates the SecretStore Administrator List:

The list of SecretStore Administrators

Although the SecretStore administrator can unlock a user's SecretStore, that administrator can't read the user's passwords. Unlocking a user's SecretStore only lets the logged-in user regain access to passwords after a SecretStore lock. (A SecretStore lock occurs when an administrator changes a user's eDirectory password.)

A SecretStore administrator should not also hold "normal" network administrator rights. Keeping the roles separate prevents a single person from resetting the user's password (as eDirectory admin), unlocking the user's SecretStore (as SecretStore administrator), logging in as the user (with the reset password), and reading the user's secrets.

To keep this enhanced protection from being bypassed, the two roles must be held by different people: at least one eDirectory administrator and a separate SecretStore administrator.
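As an added illustration that is not part of the original documentation, the following Python check enforces the split-duties rule above offline: it reads an LDIF export and lists any user who is both on the SecretStore Administrator List and a member of a group that grants eDirectory administrator rights. The attribute name sssAdministratorList, the object-class names used to recognise policy objects, the group DN, and the sample export are assumptions and constructed data, not the real SecretStore schema.

```python
SSS_ADMIN_ATTR = "sssadministratorlist"  # ASSUMED; substitute your schema's real attribute name
POLICY_CLASSES = {"sssserverpolicy", "sssserverpolicyoverride"}  # ASSUMED object-class names
# Constructed sample export: alice holds both roles, which is the combination to flag.
SAMPLE_LDIF = """\
dn: cn=sssServerPolicy,cn=Security,o=example
objectClass: sssServerPolicy
sssAdministratorList: cn=alice,ou=users,o=example

dn: cn=eDirAdmins,ou=groups,o=example
objectClass: groupOfNames
member: cn=admin,o=example
member: cn=alice, ou=users, o=example
"""

def parse_ldif(text):
    """Minimal LDIF reader -> [{"dn": str, "attrs": {lowercase name: [values]}}]."""
    unfolded = []                          # RFC 2849 folding: a leading space continues the line
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#"):     # base64 ('::') values are not decoded here
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current = {"dn": value, "attrs": {}}
            elif current is not None:
                current["attrs"].setdefault(name, []).append(value)
    return entries

def normalize_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()  # 'cn=a, o=x' == 'CN=a,O=x'

def find_dual_role_admins(ldif_text, edir_admin_group_dns):
    """DNs that are on the SecretStore admin list AND in an eDirectory admin group."""
    groups = {normalize_dn(g) for g in edir_admin_group_dns}
    sss_admins, edir_admins = set(), set()
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e["attrs"].get("objectclass", [])}
        if classes & POLICY_CLASSES:
            sss_admins |= {normalize_dn(v) for v in e["attrs"].get(SSS_ADMIN_ATTR, [])}
        elif normalize_dn(e["dn"]) in groups:
            edir_admins |= {normalize_dn(v) for v in e["attrs"].get("member", [])}
    return sorted(sss_admins & edir_admins)   # an empty list means the duties are split
```

Run it against a real export of the policy objects and your administrative groups; any DN it returns is an account that can perform the full password-reset-unlock-read chain on its own.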

If you check the Enable Administrator Access to SecretStore check box, a SecretStore administrator can unlock a user's SecretStore. This is useful when a user forgets a password.

The first time that you add a user to the list, the Enable Administrator Access to SecretStore check box is checked, so that user has administrator access to SecretStore.

If you disable the setting and add users, the setting remains disabled until you check the check box.

For more information about this feature, see "Not Available" Displays for Last Admin Unlock TimeStamp.


Adding Advanced Security

SecretStore administrators can unlock a user's SecretStore. To prevent these administrators from misusing this option, we recommend that you use NMAS and specify a strong security label.

If Novell Modular Authentication Service™ (NMAS) is installed, a Security Label box is displayed on the SecretStore\Administrator page. This box contains the available security labels as defined by the NMAS snap-in. By selecting a label, you designate the level of security you require, which tightens control over who can act as a SecretStore administrator.

After you define a security label on the sssServerPolicy object, a SecretStore Administrator must be logged in with a session clearance that is equal to or greater than the security label. Otherwise, that Administrator can't unlock any user's SecretStore.