Administrator's Guide

CHAPTER 6

Setting Up Users and Groups

This chapter describes how to define Silver Security users and groups—users and groups known only to the Novell exteNd Application Server. It contains these sections:

NOTE:   The application server also provides access to external security providers, including Windows, LDAP, NIS+, and certificate issuers. For information about setting up access to users and groups from these providers, see Accessing security provider systems.

 

About Silver Security users and groups

You can define Silver Security users and groups in many ways. For example, you might want to define groups based on your site's organization—such as Accounting, Sales, and so on—and assign users to those groups. The groups can contain Silver Security users as well as users defined in external security realms. Users can belong to multiple groups.

After you define Silver Security users and groups, you can define access to any directories or objects in the system based on the Silver Server users and groups. For example, you might want to set certain permissions for members of the Accounting group and other permissions for members of the Developers group.

For more information about using users and groups to set data permissions, see Authorization and access control.

Two predefined groups   After installation, the application server provides two predefined groups: Administrators and Developers. Both groups initially contain only the server administrator. Use these groups as a starting point for creating your own users and groups. If you want to use names that differ from the predefined group names, you can rename and then delete them. For more information, see Managing Silver Security users and groups.

Group: Administrators

Description: After installation, the server administrator is the only member of this group. This person is initially the only one with the Locksmith privilege (which includes the ability to add new users and groups). See Using the Locksmith privilege.

Add any users that have to perform administration tasks to this group. You can assign to users in this group all or a subset of administration permissions. To administer the server, users need to be assigned Modify Server Configuration access. See Administrative server permissions.

Group: Developers

Description: After installation, the only privilege users in this group have (compared to users not part of the Administrators group) is the ability to browse directory listings.

Case sensitivity   Silver Security user names and passwords are case sensitive as follows:

For more information, see Default group permissions.

 

About your administrator account

Your administrator account can be assigned to any user recognized by the application server (Silver Security, Windows, LDAP, NIS+, or Certificate user).

When you installed the application server, you specified the user name and password for the application server administrator account. This account was used when the new SilverMaster database catalog was created.

You use the server administrator account to log in to the SMC to administer the application server. You also need to specify the server administrator account to run some of the SilverMasterInit command-line options.

The server administrator user account is part of the predefined Administrators group and has the Locksmith privilege. The Locksmith privilege provides Set Permissions privileges to any object on the server. Only accounts with the Locksmith privilege are able to assign Locksmith privilege to another account.

For more information, see Using the Locksmith privilege.

NOTE:   The server administrator account, which restricts who can log in and administer the application server, is distinct from the database administrator account. The application server uses the database administrator account when connecting to the SilverMaster database. The only time you need to specify the SilverMaster database account is when you are running SilverMasterInit at the command line.

To create a new administrator account:

  1. Log in to the SMC using the existing Administrator account.

  2. Create a new administrator account or select an existing user from one of the security realms to be the administrator.

  3. Click Properties and assign the new account Locksmith privilege.

  4. Add the new administrator account to the Administrators group.

  5. Close the SMC.

  6. Restart the SMC and log in as the new administrator.

  7. Verify (using the Properties dialog) that the new account has Locksmith privilege.

  8. (Optional) Delete the older Administrator account.

 

Managing Silver Security users and groups

You can use the SMC to add Silver Security users, edit user properties, and add Silver Security groups.

NOTE:   You can also perform these tasks using SilverCmd. For more information, see SetUserGroupInfo in the SilverCmd reference chapter of the Facilities Guide.

 

Adding Silver Security users

To add a user:

  1. Start the SMC.

  2. Select the Security icon from the toolbar.

  3. Select Users & Groups.

  4. Expand Silver Security and select Users.

  5. Choose the Add New User icon at the bottom of the right pane:

    [Image: Add New User icon]

    You are asked whether you want to define a Silver user or a certificate user.

  6. Select Silver user and click Next.

    For information on defining certificate users, see Manually installing client certificates.

    The New User panel displays:

    [Image: New User panel]

  7. Type the appropriate information in each field.

    The Name field specifies the short name for the user. This is the name the user types in the Login box.

  8. After completing the panel, click Finish.

 

Editing user properties

You can use the SMC to change user properties. (For users defined in external security providers, the only editable property is the Locksmith privilege; for more information, see Using the Locksmith privilege.)

Not allowing users to modify their properties    By default, users can change their own user properties. You can turn off this privilege. For more information about this privilege, see Enabling authentication.

To edit user properties:

  1. Start the SMC.

  2. Select the Security icon from the toolbar.

  3. Select Users & Groups.

  4. Expand the Silver Security list of users.

  5. Highlight a user name and choose Properties.

    The following panel displays:

    [Image: user properties panel]

  6. Modify any of the four editable fields.

    The Fully Qualified Name field corresponds to the Name field used to create the user and is not editable.

    If you have Locksmith privilege, you can also change whether the user you are modifying has Locksmith privilege.

    For more information, see Using the Locksmith privilege.

  7. Click OK.

 

Adding Silver Security groups

Creating groups helps streamline security administration by allowing you to categorize users within a larger context, such as a business organizational unit or a work role. A user can belong to one or more user groups, and can be granted access to objects by group or individual status.

To create a group:

  1. Start the SMC.

  2. Select the Security icon from the toolbar.

  3. Select Users & Groups.

  4. Expand Silver Security and select Groups.

  5. Choose the Add new Silver Security group icon:

    [Image: Add new Silver Security group icon]

    The following panel displays:

    [Image: new group panel]

  6. Enter a name and a description for the group.

  7. Click OK.

To add users to a group:

  1. Start the SMC.

  2. Select the Security icon from the toolbar.

  3. Select Users & Groups.

  4. Expand Silver Security and expand Groups.

  5. Select the Silver Security group to which you want to add users.

  6. Choose the Add user to group icon:

    [Image: Add user to group icon]

    The following panel displays:

    [Image: add user to group panel]

    NOTE:   Your panel may look different depending on which external security providers you have configured and the operating system used by the application server. For more information, see Accessing security provider systems.

  7. To add a user to the group, select the user in the left panel, then choose Add.

    You can add users defined by external security providers to Silver Security groups.

  8. When finished, click Close.

 

Using the Locksmith privilege

The Administrator user has the Locksmith privilege by default. The Locksmith privilege allows users to do the following:

Task: Get and set data access permissions even if these permissions are denied elsewhere in the system (for example, if the user does not belong to a group for which set permission is allowed).

More information: For information about defining security for the server and objects on the server, see Authorization and access control.

Task: Read server property settings from the SilverMaster database, even if this permission is denied elsewhere in the system.

More information: Since the Locksmith privilege also allows setting permissions, Locksmiths can also give themselves server administrative permissions.

NOTE:   Locksmiths don't have all permissions just by virtue of being Locksmiths. But as Locksmiths they can give themselves any permissions they want.

Task: Grant and revoke the Locksmith privilege for other users.

More information: See Editing user properties.

NOTE:   Since the Locksmith privilege provides powerful access to server functions and properties, limit the Locksmith privilege to trusted users.

Keep at least one Locksmith   Be careful not to delete all users with the Locksmith privilege: a user must have Locksmith privilege to grant it to someone else. So if no one has Locksmith privilege, it cannot be granted.

If you find yourself in that situation, you can run SilverMasterInit with the -l command-line option to define a Locksmith account.

For more information, see Using the SilverMasterInit program.
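
The following audit sketch is an added example, not part of the Novell documentation or the product. It models two points from this chapter: a Locksmith's attainable permissions exceed the ones currently assigned, and deleting an account (step 8 of the administrator procedure) must leave at least one Locksmith. The Account record, the "Read" and "Write" labels, and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Permission labels are assumptions for this example; only "Modify Server
# Configuration" is taken from the guide's wording.
ALL_PERMISSIONS = {"Modify Server Configuration", "Read", "Write"}

@dataclass
class Account:
    name: str            # names are case sensitive, so they are compared exactly
    realm: str           # e.g. "Silver Security", "LDAP", "Windows"
    locksmith: bool = False
    permissions: set = field(default_factory=set)

def attainable(acct):
    """Permissions held now plus those a Locksmith could grant itself."""
    return set(ALL_PERMISSIONS) if acct.locksmith else set(acct.permissions)

def audit(accounts):
    """Return findings as (code, account name or None) tuples."""
    findings = []
    locksmiths = [a for a in accounts if a.locksmith]
    if not locksmiths:
        # Nobody can grant Locksmith any more; recovery needs SilverMasterInit.
        findings.append(("no-locksmith", None))
    for a in locksmiths:
        # Assigned permissions understate what this account can reach.
        if attainable(a) - a.permissions:
            findings.append(("latent-privilege", a.name))
    return findings

def safe_to_delete(accounts, name):
    """True if at least one Locksmith remains after deleting `name`."""
    return any(a.locksmith for a in accounts if a.name != name)

# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("Administrator", "Silver Security", True, set(ALL_PERMISSIONS)),
    Account("jdoe", "LDAP", True, {"Read"}),
    Account("asmith", "Silver Security", False, {"Read", "Write"}),
]

if __name__ == "__main__":
    for code, who in audit(SAMPLE):
        print(code, who)
    print("delete Administrator:", safe_to_delete(SAMPLE, "Administrator"))
    print("then delete jdoe:", safe_to_delete(SAMPLE[1:], "jdoe"))
```

When reviewing access, treat every account flagged latent-privilege as equivalent to a full administrator, whatever permissions it currently shows.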



Copyright © 2004 Novell, Inc. All rights reserved. Copyright © 1997, 1998, 1999, 2000, 2001, 2002, 2003 SilverStream Software, LLC. All rights reserved.