102 IBM CSM to IBM Systems Director Transformation Guide
Most environments require that different users manage different system administration duties.
It is necessary to maintain separation of these duties so that no single system management
user can accidentally or maliciously bypass system security.
When using CSM
CSM relies on the traditional AIX user management approach: using a single system
administrator account named root that can perform all privileged system administration tasks
on the system. Reliance on a single user for all system administration tasks is often seen as a
problem in regard to the separation of duties. While a single administrative account is
acceptable in certain environments, many environments require multiple administrators, with
each administrator responsible for different system administration tasks.
In order to share the administration responsibilities with multiple users of the system, the
historical practice was to either share the password of the root user or create another user
with the same UID as the root user. This method of sharing system administration duties
presents security issues, since each administrator has complete system control and there is
no method to limit the operations that an administrator can perform. Since the root user is the
most privileged user, root users can perform unauthorized operations and can also erase any
audits of these activities, making it impossible to track these administrative actions.
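As an added example (not from the Redbook), here is a small POSIX shell audit that looks in a passwd-format file for the two patterns the paragraph above warns about: extra accounts that carry UID 0 and therefore are root in all but name, and accounts whose password field is empty. The file path is a parameter so the same check can run against /etc/passwd on a node or against a copy pulled from it; the sample content at the bottom is constructed, not from a real system.

```shell
#!/bin/sh
# Added example, not code from the Redbook or from CSM.
# Audit a passwd-format file for root-sharing patterns. Field layout:
#   name:password:uid:gid:gecos:home:shell

# Print "uid0:<name>" for every account other than root that has UID 0.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1"
}

# Print "nopass:<name>" for accounts whose password field is empty, which
# allows login without a password. A "!" (password kept in
# /etc/security/passwd on AIX) or "*" (locked) is not reported.
find_no_password() {
    awk -F: '$2 == "" { print "nopass:" $1 }' "$1"
}

# Combined report. Returns 1 when anything was found so the check can gate
# a cron job or run after account files have been distributed to a node.
audit_passwd() {
    out=$( { find_extra_uid0 "$1"; find_no_password "$1"; } )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample passwd content (no real accounts), written to a
# temporary file so the script runs anywhere without reading /etc/passwd.
SAMPLE=${TMPDIR:-/tmp}/passwd.sample.$$
cat > "$SAMPLE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
oper2:!:0:0:second root account:/home/oper2:/usr/bin/ksh
guest::100:100:no password set:/home/guest:/usr/bin/ksh
alice:!:201:1::/home/alice:/usr/bin/ksh
EOF

if audit_passwd "$SAMPLE"; then
    echo "no findings"
else
    echo "findings listed above"
fi
rm -f "$SAMPLE"
```

Against the constructed sample the audit reports `uid0:oper2` and `nopass:guest` and exits with status 1; a file containing only the root entry produces no output and status 0.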
As each user logs in to the system, the user supplies the user name of an account and a
password if the account has one. If the password is correct, the user is logged in to that
account and acquires the access rights and privileges of the account. The /etc/passwd and
/etc/security/passwd files maintain user passwords.
CFM can be used to manage user accounts by using symbolic links to add the password and
group files to the CFM repository. User accounts can be replicated to all nodes in the cluster.
The steps required to set this up are shown. If you use indexed password files, you can
distribute the .idx files using the same method of symbolic links, or you could write a .post
script to have CFM run /usr/sbin/mkpasswd after the initial files have been distributed.
You can also keep user accounts on your cluster nodes separate from the accounts defined
on your management server. To accomplish this, you would copy the actual password and
group files into the CFM repository instead of creating symbolic links. This method would
require additional work to define where the master files reside, and copy them to the
management server before running CFM. Identification and authentication are used to
establish a user's identity.
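The two ways of staging the account files described above, as an added shell example that is not code from the Redbook, from CSM or from CFM. It takes the repository root and the master tree as parameters (the CSM default repository /cfmroot is assumed, since the page does not name it, and the list of files to stage is an assumption covering the password and group files mentioned); in link mode the repository entries are symbolic links to the management server's own files, in copy mode they are copies of master files kept elsewhere, plus a staleness check to run before CFM and the body of a post-distribution step that rebuilds the indexed password files on an AIX node. The demo at the bottom works on a constructed master tree so the script never touches /etc. How the last function is wired in as a CFM .post script follows the CFM documentation and is not shown here.

```shell
#!/bin/sh
# Added example, not code from the Redbook, CSM or CFM.
# Assumption: the CFM repository root on the management server is /cfmroot.
REPO_DEFAULT=/cfmroot

# Assumed set of account files to distribute (paths relative to /).
ACCOUNT_FILES="etc/passwd etc/group etc/security/passwd etc/security/group"

# stage_account_files link|copy [REPO] [SRC]
#   link: REPO/<file> becomes a symbolic link to SRC/<file>
#         (nodes receive the management server's own accounts)
#   copy: REPO/<file> becomes a copy of the master file under SRC
#         (cluster accounts kept separate from the server's accounts)
stage_account_files() {
    mode=$1; repo=${2:-$REPO_DEFAULT}; src=${3:-}
    for f in $ACCOUNT_FILES; do
        mkdir -p "$repo/$(dirname "$f")" || return 1
        case $mode in
            link) rm -f "$repo/$f"; ln -s "$src/$f" "$repo/$f" || return 1 ;;
            copy) cp -p "$src/$f" "$repo/$f" || return 1 ;;
            *) echo "mode must be link or copy" >&2; return 2 ;;
        esac
    done
}

# In copy mode the repository copy goes stale whenever the master changes.
# Report every file whose master is newer than the copy; return 1 if any.
stale_copies() {
    repo=${1:-$REPO_DEFAULT}; src=${2:-}; rc=0
    for f in $ACCOUNT_FILES; do
        if [ "$src/$f" -nt "$repo/$f" ]; then
            echo "stale: $repo/$f"; rc=1
        fi
    done
    return $rc
}

# Body for a post-distribution step on the node: rebuild the indexed
# password files (.idx) after the plain files arrive. Only runs on AIX,
# where /usr/sbin/mkpasswd is the index builder; elsewhere it is a no-op.
rebuild_passwd_index() {
    if [ "$(uname -s)" = AIX ] && [ -x /usr/sbin/mkpasswd ]; then
        /usr/sbin/mkpasswd -f
    else
        echo "mkpasswd skipped: not an AIX node" >&2
        return 0
    fi
}

# Demo on a constructed master tree (sample content, not real account data).
DEMO=${TMPDIR:-/tmp}/cfm-demo.$$
for f in $ACCOUNT_FILES; do
    mkdir -p "$DEMO/master/$(dirname "$f")"
    echo "sample content for $f" > "$DEMO/master/$f"
done
stage_account_files link "$DEMO/repo-link" "$DEMO/master"
stage_account_files copy "$DEMO/repo-copy" "$DEMO/master"
ls -l "$DEMO/repo-link/etc/passwd" "$DEMO/repo-copy/etc/passwd"
if stale_copies "$DEMO/repo-copy" "$DEMO/master"; then
    echo "repository copies are current"
fi
rm -rf "$DEMO"
```

On a real management server the call would be `stage_account_files link` with no further arguments to link /cfmroot/etc/passwd and friends to the live files, or `stage_account_files copy /cfmroot /path/to/masters` followed by `stale_copies /cfmroot /path/to/masters` before each CFM run.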
Most environments require that different users manage different system administration duties.
It is necessary to maintain separation of these duties so that no single system management
user can accidentally or maliciously bypass system security. With AIX 6.1, IBM added
further security improvements with features such as Role Based Access Control (RBAC),
Trusted AIX, and Trusted Execution, allowing system administrators to implement this much
needed separation of administrative users.
When using Systems Director
In IBM Systems Director, users and user groups are based on users and groups that are
defined in the configured registry, which is associated with either the operating system of
the IBM Systems Director server or Lightweight Directory Access Protocol (LDAP). IBM
Systems Director uses this user and group information for authentication and authorization.
IBM Systems Director does not provide the capability to create, update, or delete users or
groups in a user registry regardless of where the registry resides. To manage users or groups
in the user registry, use instead the appropriate tool associated with the registry in which the