
Restricting SAM

Dave Forber
Occasional Advisor


I want to set up a user id with specific rights to users within sam, e.g. modify password, deactivate, activate. I don't want them to have access to any other action.

I've built a restricted sam environment so they have access to users, but I can't figure out how to restrict individual actions once they're in.

Any pointers?

Shaikh Imran
Honored Contributor

Re: Restricting SAM

Hi,

Could you give a little more input on exactly what you are looking for?
What I know is that if I have to allow a user to use sam, I can use
#sam -r
and allow the user to use sam, and there itself I can grant the user access to a particular sam area, e.g. user & group management or printer management, etc.

Regards,

I'll sleep when I am dead.
Sanjay Kumar Suri
Honored Contributor

Re: Restricting SAM

I don't think individual actions can be restricted.

After sam -r --> Group or sub-group can be enabled/disabled through the Action menu option.

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Dave Forber
Occasional Advisor

Re: Restricting SAM

Further info:

I've used the -r option to create the restricted sam for their id. They currently only have access to 'Performance Monitors' and 'Users' within 'Accounts for Users and Groups'. This is now where it starts to go wrong.

They now have a list of users (as they should), but with full menu access to 'View' 'Options' and 'Accounts'. I would like to remove their access to 'View' and 'Options', and restrict their use within 'Accounts' so that they can only change passwords, de-activate, and re-activate accounts.

Thanks.

Sanjay Kumar Suri
Honored Contributor

Re: Restricting SAM

I don't think that is possible.

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Jeff_Traigle
Honored Contributor
Solution

Re: Restricting SAM

I agree with the other two guys. I was trying to find a way to restrict user administrators to a very small set of actions, but SAM didn't appear to provide that capability. I think your best bet is to implement sudo for the password admins and just give them access to the passwd program in the configuration with exactly the options you want them to run, making sure to protect your system accounts from being tampered with by them. Check out the thread below on the solution I finally came up with for my situation. It might give you an idea how to proceed with your specific needs. It would probably be a good idea to create a little wrapper script to provide a text menu for the password admins to use so you're sure they don't enter options in the incorrect order from what sudo is expecting to avoid them getting unnecessary unauthorized action errors.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=649757
--
Jeff Traigle
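
One way the wrapper suggested in the accepted answer could look, as an added example that is not part of the original thread or the linked one. It assumes the sudoers rules permit exactly the command lines printed by `admin_cmd`; `MIN_UID`, `PASSWD_FILE`, the function names, the `/usr/bin/passwd` path and the mapping of "reactivate" to a password reset are assumptions to adjust per system.

```shell
#!/bin/sh
# Password-admin wrapper core: only three fixed command lines can ever reach sudo.
MIN_UID=100                               # assumption: lower UIDs are system accounts
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # overridable for a dry run

# Constructed sample entries for testing (not real accounts).
sample_passwd() {
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'bin:*:2:2::/usr/bin:/sbin/sh' \
        'jdoe:*:1204:20:J Doe:/home/jdoe:/usr/bin/sh'
}

# valid_target USER: succeed only for a plain name that belongs to an
# existing account with UID >= MIN_UID. Options, spaces and paths are rejected.
valid_target() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    uid=$(awk -F: -v u="$1" '$1 == u { print $3; exit }' "$PASSWD_FILE")
    [ -n "$uid" ] && [ "$uid" -ge "$MIN_UID" ]
}

# admin_cmd ACTION USER: print the command line for an allowed action, else fail.
admin_cmd() {
    valid_target "$2" || return 1
    case "$1" in
        password)   echo "sudo /usr/bin/passwd $2" ;;
        deactivate) echo "sudo /usr/bin/passwd -l $2" ;;
        # assumption: setting a new password re-enables a locked account here
        reactivate) echo "sudo /usr/bin/passwd $2" ;;
        *)          return 1 ;;
    esac
}

# menu: text front end; arguments are always emitted in the order sudo expects.
menu() {
    printf 'Action [password|deactivate|reactivate]: '; read -r action
    printf 'User name: '; read -r user
    if cmd=$(admin_cmd "$action" "$user"); then
        $cmd    # unquoted on purpose: every word was validated above
    else
        echo "Refused: unknown action or protected/unknown account" >&2
        return 1
    fi
}

if [ "${1:-}" = menu ]; then menu; fi
```

Run it with the `menu` argument for interactive use. The name check is deliberately strict (lowercase letters, digits and underscore only), so widen it only if real account names require it.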