Sun Microsystems, Inc.

Auditing

The WBEM server writes audit records for certain events during processing. For example, the WBEM server writes audit records whenever the authentication of a client succeeds or fails, and whenever an operation that modifies user information is executed.

The WBEM server uses the underlying Solaris Basic Security Module (BSM) to write its audit records. You must enable the BSM auditing mechanism (bsmconv) in the Solaris operating environment on the WBEM server to ensure that audit information is recorded. This command is described in bsmconv(1M).


Note - If you are using Trusted Solaris™, you do not need to enable the BSM auditing mechanism.


Logging

The WBEM server writes log records to the WBEM log for particular security events, for example, when an authenticated session for a client is established or when authorization checking fails. You can review the WBEM log in the Solaris Management Console Log Viewer, which is described in Chapter 5, Viewing System Log Data (Tasks).

You can identify security-related log events by the category Security log, which is listed in the Category column. To view only security log messages, select the category Security in the Log Viewer filter dialog box. Most security log messages include the user identity of the client and the name of the client host.

Using Sun WBEM User Manager to Set Access Control

Sun WBEM User Manager (wbemadmin) enables you and other privileged users to:

  • Add and delete authorized users

  • Set access privileges for authorized users

  • Manage user authentication and access to CIM objects on a WBEM-enabled system


Note - The user for whom you specify access control must have a Solaris user account.


What You Can and Cannot Do With Sun WBEM User Manager

You can set access privileges for individual namespaces or for a combination of a user and a namespace. When you add a user and select a namespace, the user is granted read access to CIM objects in the selected namespace by default.


Note - An effective way to combine user and namespace access rights is to first restrict access to a namespace, and then grant individual users read, read and write, or write access to that namespace.


You cannot set access rights on individual managed objects. However, you can set access rights for all managed objects in a namespace, as well as on a per-user basis.

If you log in as root, you can set the following types of access to CIM objects:

  • Read Only - Allows read-only access to CIM Schema objects. Users with this privilege can retrieve instances and classes, but cannot create, delete, or modify CIM objects.

  • Read/Write - Allows full read, write, and delete access to all CIM classes, instances, and invoked methods.

  • Write - Allows write and delete access, but not read access, to all CIM classes and instances.

  • None - Allows no access to CIM classes and instances.
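
The following model of the four access types is an added example, not Sun's code. It resolves a user's effective access from namespace-wide and per-user entries and reviews a planned set of grants before they are entered in User Manager. The precedence rule (a user entry overrides the namespace entry), the operation names, the user names and the root\cimv2 namespace are assumptions made for illustration.

```python
SECURITY_NS = "root\\security"  # namespace that governs User Manager itself

# Operations permitted by each access type, following the four definitions above.
# Method invocation is listed only under Read/Write, so only that level has it.
LEVEL_OPS = {
    "none": frozenset(),
    "read": frozenset({"get", "enumerate"}),
    "write": frozenset({"create", "modify", "delete"}),
    "read/write": frozenset({"get", "enumerate", "create", "modify", "delete", "invoke"}),
}

def effective_level(user, namespace, user_acl, namespace_acl):
    # Assumption: a user+namespace entry overrides the namespace-wide entry,
    # and a namespace with neither entry grants no access.
    if (user, namespace) in user_acl:
        return user_acl[(user, namespace)]
    return namespace_acl.get(namespace, "none")

def allowed(user, namespace, op, user_acl, namespace_acl):
    return op in LEVEL_OPS[effective_level(user, namespace, user_acl, namespace_acl)]

def can_grant_rights(user, user_acl, namespace_acl):
    # Granting rights needs root or write access to the security namespace.
    return user == "root" or allowed(user, SECURITY_NS, "modify", user_acl, namespace_acl)

def review(users, user_acl, namespace_acl):
    # Findings: non-root users who can change rights, and write-only grants
    # (those users can modify or delete objects they cannot read back).
    admins = sorted(u for u in users if u != "root"
                    and can_grant_rights(u, user_acl, namespace_acl))
    write_only = sorted((u, ns) for (u, ns), lvl in user_acl.items() if lvl == "write")
    return {"can_grant_rights": admins, "write_only": write_only}

# Constructed sample plan: namespace restricted first, then individual grants.
NAMESPACE_ACL = {"root\\cimv2": "none", SECURITY_NS: "read"}
USER_ACL = {
    ("alice", "root\\cimv2"): "read/write",
    ("bob", "root\\cimv2"): "write",
    ("carol", SECURITY_NS): "read/write",
}

if __name__ == "__main__":
    print(review(["root", "alice", "bob", "carol", "dave"], USER_ACL, NAMESPACE_ACL))
```
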

Using Sun WBEM User Manager (Task Map)

The following table identifies the procedures that you need to follow to start and use Sun WBEM User Manager.

| Task | Description | For Instructions |
|------|-------------|------------------|
| Start the Sun WBEM User Manager. | Start the Sun WBEM User Manager by using the wbemadmin command. | "How to Start Sun WBEM User Manager" |
| Grant default access rights to a user. | Grant default access rights to a user by using the Users Access tool of the Sun WBEM User Manager. | "How to Grant Default Access Rights to a User" |
| Change access rights for a user. | Change access rights for a user by using the Read and Write check boxes in the Sun WBEM User Manager. | "How to Change Access Rights for a User" |
| Remove access rights for a user. | Remove access rights for a user by using the Users Access tool of the Sun WBEM User Manager. | "How to Remove Access Rights for a User" |
| Set access rights for a namespace. | Set access rights for a namespace by using the Namespace Access tool of the Sun WBEM User Manager. | "How to Set Access Rights for a Namespace" |
| Remove access rights for a namespace. | Remove access rights for a namespace by using the Namespace Access tool of the Sun WBEM User Manager. | "How to Remove Access Rights for a Namespace" |

Using Sun WBEM User Manager

This section describes how to start and use Sun WBEM User Manager.

How to Start Sun WBEM User Manager

  1. Become superuser.

  2. In a command window, type:

    # /usr/sadm/bin/wbemadmin

    Sun WBEM User Manager starts, and a Login dialog box opens.


    Note - Context-help information is available in the Context Help panel when you click on the fields in the Login dialog box.


  3. Fill in the fields on the Login dialog box.

    1. In the User Name field, type the user name.


      Note - You must have read access to the root\security namespace to log in. By default, Solaris users have guest privileges, which grant them read access to the default namespaces. Users with read access can view, but not change, user privileges.

      You must log in as root or a user with write access to the root\security namespace to grant access rights to users.


    2. In the Password field, type the password for the user account.

  4. Click OK.

    The User Manager dialog box opens. The dialog box contains a list of users and their access rights to WBEM objects within the namespaces on the current host.

How to Grant Default Access Rights to a User

  1. Start Sun WBEM User Manager.

  2. In the Users Access portion of the dialog box, click Add.

    A dialog box opens that lists the available namespaces.

  3. Type the name of a Solaris user account in the User Name field.

  4. Select a namespace from the listed namespaces.

  5. Click OK.

    The user name is added to the User Manager dialog box.

  6. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

    The user that you specified is granted read access to CIM objects in the namespace that you selected.

How to Change Access Rights for a User

  1. Start Sun WBEM User Manager.

  2. Select the user whose access rights you want to change.

  3. To grant the user read-only access, click the Read check box. To grant the user write access, click the Write check box.

  4. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

How to Remove Access Rights for a User

  1. Start Sun WBEM User Manager.

  2. In the Users Access portion of the dialog box, select the user name for which you want to remove access rights.

  3. Click Delete to delete the user's access rights to the namespace.

    A confirmation dialog box opens. This dialog box prompts you to confirm your decision to delete the user's access rights.

  4. To confirm, click OK.

  5. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

 
 
 