Primary administrators grant or deny rights to AdminSuite users through the Rights tab of the user properties dialog (double-click the user name in User Accounts to open the dialog box). A primary administrator (there can be more than one) has been granted all the rights listed on the Rights tab. He or she can grant or deny other users one or more of the rights listed on the tab. In addition, the primary administrator can elevate another administrator to primary administrator -- which includes granting the new primary administrator the right to grant rights to others.
Rights data is stored in local files when you manage a single server domain, and in name service tables when you manage a name service domain. Data in files is available only to the single computer containing the files. Data in name service tables is available to all computers served by the name service.
Making Rights Available
In addition to granting rights, the primary administrator can specify where rights information is kept and where AdminSuite should look for those rights. For example, as a primary administrator, you might want to set up a single server, admin2, in the following way: administrators who log on to admin2 receive their rights from tables on seagull, the NIS server for the domain that includes admin2.
Here is how you would accomplish this:
Assume for this example that bio.stateu.edu is a NIS domain served by seagull. On seagull, you already added a user account for an administrator and gave him several rights -- including the right to manage serial ports.
1. Add admin2 to your list of domains, as a single server domain. Click Domain->Add/Delete Domain and follow the context-sensitive help.
2. Log on to the newly added single server domain, admin2. Click Domain->Switch Domain.
3. Specify where user rights information should be obtained. Click Domain->Security Policies. When the "Security Policies for admin2" dialog box opens, select the "Name Service first, then Server" option in the "User Rights on This Server" section.
When the new administrator logs on to admin2, AdminSuite will look for his rights in the NIS domain tables on seagull. If, for some reason, the NIS domain tables are inaccessible, the primary administrator could still log on to admin2 as root.
Denying Rights
The primary administrator can also deny users rights to specific domains. For example, as a primary administrator, you have several administrators to whom you have assigned rights, allowing them to manage various AdminSuite components.
However, you want to allow only one of those administrators (barb4) to modify data on a server, called secret1, that contains very sensitive information. Here is how to accomplish this:
1. Add a single server domain, called secret1, to your list of domains. Click Domain->Add/Delete Domain and follow the context-sensitive help.
2. Log on to the newly added domain, secret1. Click Domain->Switch Domain.
3. On secret1, add the user account for the administrator. Click Action->Add User. If this user already exists in a different domain, give the user account a different user name, barb5, for example, and require that the user create a password at first logon. This creates two user accounts for the same person, one of which is specific to secret1.
4. Open the properties dialog for barb5 and grant her the specific rights you want her to be able to exercise on secret1.
5. While still on the secret1 server, specify where rights information should be obtained for this administrator. Click Domain->Security Policies. When the "Security Policies for secret1" dialog box opens, select the "Server Only (secret1)" option from the "User Rights on This Server" section.
When administrators log on to secret1, their rights will be read from a local file on secret1. The only rights available for this particular server are for barb5. No other administrator will be able to change the data.
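The following sketch models how the two "User Rights on This Server" options change who holds a right on secret1. It is an added example, not AdminSuite code. The function names, the right names, the user admin_a and the sample tables are constructed for illustration, and it assumes that "Name Service first, then Server" falls back to the local file only when the name service is unreachable or has no entry for the user.

```python
"""Simplified model of AdminSuite rights lookup (illustrative, not AdminSuite code)."""

# Policy names taken from the "User Rights on This Server" options on the page.
NS_FIRST = "Name Service first, then Server"
SERVER_ONLY = "Server Only"


def effective_rights(user, policy, ns_table, local_file, ns_up=True):
    """Return the set of rights `user` holds on a server under `policy`.

    Assumption: under NS_FIRST the local file is consulted only when the
    name service is unreachable or has no entry for the user.
    """
    if policy == SERVER_ONLY:
        # Name service tables are ignored entirely.
        return set(local_file.get(user, ()))
    if policy == NS_FIRST:
        if ns_up and user in ns_table:
            return set(ns_table[user])
        return set(local_file.get(user, ()))
    raise ValueError(f"unknown policy: {policy!r}")


def who_can(right, policy, ns_table, local_file, ns_up=True):
    """List every known user who holds `right` on the server, sorted."""
    users = set(local_file)
    if policy == NS_FIRST and ns_up:
        users |= set(ns_table)
    return sorted(
        u for u in users
        if right in effective_rights(u, policy, ns_table, local_file, ns_up)
    )


# Constructed sample data: NIS tables on seagull and the local file on secret1.
# The right names and admin_a are placeholders, not AdminSuite identifiers.
SEAGULL_NIS = {
    "barb4": {"manage_users", "manage_serial_ports"},
    "admin_a": {"manage_serial_ports"},
}
SECRET1_LOCAL = {"barb5": {"manage_users"}}

if __name__ == "__main__":
    for policy in (SERVER_ONLY, NS_FIRST):
        print(policy, "->", who_can("manage_users", policy, SEAGULL_NIS, SECRET1_LOCAL))
```

Under this model, a periodic review of a sensitive server amounts to confirming that its policy is "Server Only" and that the local rights file lists only the intended accounts.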