Chapter 6   Setting Up Users and Groups

This chapter describes how to add users and groups for SilverStream Security.

It contains sections on:

• About Silver Security users and groups

• Managing Silver Security users and groups

• Using the Locksmith privilege

NOTE   This chapter covers defining Silver Security users and groups, that is, users and groups known only to SilverStream. SilverStream also provides access to external security providers, including Windows NT, LDAP, NIS+, and certificate issuers. For information about setting up access to users and groups from these providers, see Accessing security provider systems.

About Silver Security users and groups   

You can define Silver Security users and groups. These users and groups are known only by SilverStream. For example, you might want to define groups based on your site's organization--such as Accounting, Sales, and so on--and assign users to those groups. The groups can contain Silver Security users as well as users defined in external security realms. Users can belong to multiple groups.

After you define Silver Security users and groups, you can define access to any directories or objects in the system based on the Silver Server users and groups. For example, you might want to set certain permissions for members of the Accounting group and other permissions for members of the Developers group.

    For more information about using users and groups to set data permissions, see Setting up access control.

Predefined user and groups

SilverStream provides two predefined groups and one predefined user:

Group	Predefined user in group
Administrators	Administrator, with the password admin. By default, the Administrator has the Locksmith privilege, which includes the ability to add new users and groups. See Using the Locksmith privilege.
Developers	Administrator

These groups have no special status; you can delete them.

Case sensitivity

User names within SilverStream are case-insensitive if the SilverMaster database is case-insensitive. If this is the situation, administrator and Administrator are considered the same name. If SilverMaster is case-sensitive, so are user names.

Passwords are always case-sensitive, so admin and Admin are considered different passwords.

NOTE   For security purposes, you should change the administrator's password.

Managing Silver Security users and groups   

You can use the SMC to add Silver Security users, edit user properties, and add Silver Security groups.

NOTE   You can also perform these tasks using SilverCmd. For more information, see SetUserGroupInfo in the SilverCmd chapter of the online Tools Guide.

Adding Silver Security users   

To add a user:

1. Invoke the SMC.

2. Select Security options.

3. Select the Users & Groups panel.

4. Expand Silver Security and select Users.

5. Choose the New User icon at the bottom of the right pane.

   You are asked whether you want to define a SilverStream user or a certificate user.

6. Select SilverStream user and click Next.

       For information on defining certificate users, see Manually installing client certificates.

   The New User form appears.

   

7. Type in the appropriate information in each field.

   The Name field specifies the short name for the user. This is the name the user types in the Login box.

8. After completing the form, click Finish.

Editing user properties   

You can use the SMC to change user properties (for users defined in external security providers, the only editable property is the Locksmith privilege; for more information, see Using the Locksmith privilege).

Not allowing users to modify their properties

By default, users can change their own user properties. You can turn off this privilege. For more information about this privilege, see Enabling authentication.

To edit user properties:

1. Invoke the SMC.

2. Select Security options.

3. Select the Users & Groups panel.

4. Expand the Silver Security list of users.

5. Highlight a user name and choose the Property Inspector .

   The following dialog appears.

   

6. Modify any of the four editable fields.

   The "Fully qualified name" field corresponds to the Name field used to create the user. This field is not editable.

7. If you have Locksmith privileges, you can also change whether the user you are modifying has Locksmith privileges.

       For more information, see Using the Locksmith privilege.

8. Click OK.

Adding Silver Security groups   

Creating groups helps streamline security administration by allowing you to categorize users within a larger context, such as a business organizational unit or a work role. A user can belong to one or more user groups within a SilverStream database, and can be granted access to objects by group or individual status.

To create a group:

1. Invoke the SMC.

2. Select Security options.

3. Select the Users & Groups panel.

4. Expand Silver Security and select Groups.

5. Choose the New Group icon. The following dialog appears.

   

6. Enter a name and a description for the group.

7. Click OK.

To add users to a group:

1. Invoke the SMC.

2. Select Security options.

3. Select the Users & Groups panel.

4. Expand Silver Security and expand Groups.

5. Select the SilverStream group to which you want to add users.

6. Choose the Add Users to Group icon.

   The following dialog displays.

   

   NOTE   Your dialog might look different depending on which external security providers you have configured and the operating system used by the SilverStream Server. For more information, see Accessing security provider systems.

7. To add a user to the group, select the user in the left panel, then choose Add.

   You can add users defined by external security providers, such as NT domains, to Silver Security groups.

8. To remove a selected user choose Clear.

9. To remove all users in the group choose Clear All.

10. When finished, click Close.

Using the Locksmith privilege   

The SilverStream-defined user Administrator has the Locksmith privilege by default. The Locksmith privilege allows users to do the following:

• Get and set data access permissions, even if these permissions are denied elsewhere in the system (for example, if the user does not belong to a group for which set permission is allowed).

      For information about defining security for the server and objects on the server, see Setting up access control.

• Read server property settings from the SilverMaster database, even if this permission is denied elsewhere in the system.

  Since the Locksmith privilege also allows you to set permissions, you can also give yourself server administrative permissions.

  NOTE   Locksmiths don't have all permissions just by virtue of being Locksmiths, but by being Locksmiths, they can give themselves any permissions they want.

• Grant and revoke the Locksmith privilege for other users. See Editing user properties.

NOTE   Since the Locksmith privilege provides powerful access to server functions and properties, you should limit it to yourself and other trusted users.

Be careful not to delete all users with the Locksmith privilege: A user must have Locksmith privilege to grant it to someone else. So if no one has that privilege, it cannot be granted. If you find yourself in that situation, you can run SilverMasterInit with the -l command-line option to define a Locksmith account.

    For more information, see Using the SilverMasterInit program.