I bet a clever person could use RBAC to create roles for their users to
do certain Sun Ray roles like add users, yet not restart the services.
Of course it would have to be done via the command line.
Garry Robbins wrote:
This isn't a direct solution for your problem, but in a previous life I
needed to delegate some sysadmin tasks to Help Desk agents, without
giving them the whole enchilada.
Basically, I set up a special administration account that could receive
email, filter the email messages using procmail
<http://www.procmail.org/> into a script that parsed the email message
with Perl, then used "commands" inside of the message text body to
maintain sendmail aliases.
It can get as fancy as you want, but I allowed them to add, query,
delete entries once I validated their credentials. It also gave me an
audit trail of user modifications, something which I don't think the
existing tools provide.
Maybe you could adopt this concept for your distributed admin needs?
Brad Lackey wrote:
Yes, but this only adds more users who can use the whole GUI... I
think that he wants to restrict what the admin user can do from the
GUI, i.e. add registrations, but not restart services.
Craig Bender wrote:
Yes there is, in fact it already exists.
# /opt/SUNWut/sbin/utadminuser -h
    utadminuser
    utadminuser -h
    utadminuser -a <username> [ <username> ... ]
    utadminuser -d <username> [ <username> ... ]
    utadminuser -r
Options:
          # with no options, utadminuser prints the list of all users
          # authorized to administer the Sunray through the Admin GUI.
    -a    # adds specified users to the list
    -d    # deletes specified users from the list
    -r    # removes all authorized users
    -h    # prints this usage
Brad Lackey wrote:
Cuny, David wrote:
Thanks. The "batch add from file" option looks like an alternative
for now.
So does that mean that adding additional (i.e. non-admin) users to
the Admin GUI is not being planned, or at least will not be ready
soon?
There will be nothing in the near future that includes
"Administrative Roles".
David
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Brad Lackey
*Sent:* Thursday, February 15, 2007 8:11 AM
*To:* SunRay-Users mailing list
*Subject:* Re: [SunRay-Users] Restricted web gui?
I'm glad the script is working for you...
There is the ability to add/edit SRDB card registrations using the CLI
/opt/SUNWut/sbin/utuser
Check out the man page "man -M /opt/SUNWut/man utuser"
Brad
Cuny, David wrote:
In the very near future, my dept will be deploying several dozen
Sun Rays as Windows desktop replacements (uttsc CAM scripts that
point to various RDP sessions depending on card id). To ease the
workload of adding new users, our helpdesk staff has offered to
assist in the deployment and management of new user sessions. This
is easy with the admin gui web page, but does give the helpdesk
the capacity to do cold restarts to the service and mess with the
security settings, something that doesn't make this sysadmin very
happy. At the same time, I would also not be happy if I was on
vacation (I'm the sole Unix admin) and I had to remote in to add
new sunray users.
So, is there a way to add another user to the admin gui with
restricted privileges? If not, is there another way to go about
this (i.e. server-side script or something else)?
FYI, I'm using a modified CAM script from Brad Lackey (btw,
thanks! It works great!) that reads the 'Other Info' field on the
user's smart card to populate the RDP session info. If no smart
card is detected, the script launches Firefox in an extremely
restricted kiosk mode (I'm using the r-kiosk extension).
David Cuny
Unix/Linux System Admin
State Street Kansas City
[EMAIL PROTECTED]
------------------------------------------------------------------------
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
--
*Brad Lackey*
Desktop Product Lead
US Software Practice
(720) 548-3339
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
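The mail-driven delegation Garry Robbins describes in this thread (a fixed set of add/query/delete commands, a credential check, an audit trail), as an added Python sketch that is not his Perl script or any code from this thread. AGENTS, handle_message and the command grammar are hypothetical; the sender is assumed to be authenticated upstream and a dict stands in for the aliases file.

```python
import re
from datetime import datetime, timezone

# Hypothetical names throughout: AGENTS, handle_message and the command
# grammar are assumptions for this sketch, not the poster's Perl script.
AGENTS = {"helpdesk1@example.com", "helpdesk2@example.com"}  # constructed
NAME = re.compile(r"[a-z][a-z0-9._-]{0,31}")
# A target must be a plain mailbox. sendmail alias targets starting with
# "|", "/" or ":include:" run programs or touch files, so they never match.
TARGET = re.compile(r"[a-z0-9._-]+(@[a-z0-9.-]+)?")


def _record(sender, command, result):
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{stamp} {sender} {command!r} -> {result}"


def handle_message(sender, body, aliases, audit):
    """Apply add/query/delete commands from one message body.

    sender is assumed to be authenticated upstream; aliases is a dict
    standing in for the aliases file; audit is a list receiving one
    record per command line. Returns the reply lines for the sender.
    """
    if sender not in AGENTS:
        audit.append(_record(sender, "-", "DENIED not an authorized agent"))
        return ["denied"]
    replies = []
    for line in body.splitlines():
        words = line.strip().lower().split()
        if not words:
            continue
        verb, args = words[0], words[1:]
        if (verb == "add" and len(args) == 2
                and NAME.fullmatch(args[0]) and TARGET.fullmatch(args[1])):
            aliases[args[0]] = args[1]
            result = "OK added"
        elif verb == "query" and len(args) == 1 and NAME.fullmatch(args[0]):
            result = "OK " + aliases.get(args[0], "(no such alias)")
        elif verb == "delete" and len(args) == 1 and args[0] in aliases:
            del aliases[args[0]]
            result = "OK deleted"
        else:
            # Anything outside the three verbs or failing validation is
            # refused; there is no pass-through to a shell or other tool.
            result = "REJECTED"
        audit.append(_record(sender, line.strip(), result))
        replies.append(result)
    return replies
```

Every command line, accepted or refused, produces one audit record, so the log shows what each agent attempted as well as what changed.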