
Planning for Access Control

When planning for access control, it is important to keep the level of access control in your cell restrictive enough to ensure that security is maintained. A special set of individuals or a special group can be given permission to create accounts and groups in the root directory of the Security space. A group called acct-admin is created when you configure DCE. The acct-admin group is the only group that can create accounts and groups in the root directory of the Security space.

While maintaining an adequate level of security in your cell, you also need to consider the requirements of administrators who are maintaining DCE services when you set access control levels. For example, if one person is responsible for administration of DFS in your cell, that person may need to add servers to the Security and CDS namespaces. On the other hand, an administrator responsible for the Security Service manages the Security server but does not control the DFS filespace.

Following are some of the groups created when you configure DCE using the DCE configuration script:

· sec-admin
This group administers Security servers, registry replication, and other Security functions.

· cds-admin
This group administers CDS servers, CDS replication, and other CDS functions.

· dts-admin
This group administers DTS servers and related DTS functions.

· dfs-admin
This group administers DFS file servers and related DFS functions.

· audit-admin
This group administers the audit daemon and related Audit Service functions.

See The sec/group/subsys Directory for a list of DCE groups created by the DCE configuration script.

In addition to the administrative groups, individual users need permission to control some information kept in the registry database. For example, a user needs to be able to change her or his password, home directory, or login shell.