That's clever. I was actually leaning towards using Solaris 10's RBAC to
give them access to utuser commands, but I'll have to look into this
idea a bit further. The upside to your idea is that there is no login
for the Help Desk, as all commands are submitted via email. I had a
similar idea once, but it used a cron script to parse through an
nfs-mounted file share hourly for a specific file. This looks a bit
cleaner.  
 
 
________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Garry Robbins
Sent: Thursday, February 15, 2007 10:56 AM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] Restricted web gui?


This isn't a direct solution for your problem, but in a previous life I
needed to delegate some sysadmin tasks to Help Desk agents, without
giving them the whole enchilada.

Basically, I set up a special administration account that could receive
email, filter the email messages using procmail
<http://www.procmail.org/>  into a script that parsed the email message
with Perl, then used "commands" inside of the message text body to
maintain sendmail aliases.

It can get as fancy as you want, but I allowed them to add, query,
delete entries once I validated their credentials. It also gave me an
audit trail of user modifications, something which I don't think the
existing tools provide.

Maybe you could adopt this concept for your distributed admin needs?


Brad Lackey wrote: 

        Yes, but this only adds more users who can use the whole GUI...
        I think that he wants to restrict what the admin user can do from the
        GUI, i.e. add registrations, but not restart services.
        
        Craig Bender wrote: 

                Yes there is, in fact it already exists. 
                
                # /opt/SUNWut/sbin/utadminuser -h 
                
                        utadminuser 
                        utadminuser -h 
                        utadminuser -a <username> [ <username> ... ] 
                        utadminuser -d <username> [ <username> ... ] 
                        utadminuser -r 
                
                        Options: 
                                # with no options, utadminuser prints the list of all users 
                                # authorized to administer the Sunray through the Admin GUI. 
                        -a      # adds specified users to the list 
                        -d      # deletes specified users from the list 
                        -r      # removes all authorized users 
                        -h      # prints this usage 
                
                Brad Lackey wrote: 
                



                        Cuny, David wrote: 
                        

                                Thanks. The "batch add from file" option
                                looks like an alternative for now. 
                                  
                                So does that mean that adding additional
                                (i.e. non-admin) users to the Admin GUI is not
                                being planned, or at least will not be ready soon? 
                                


                        There will be nothing in the near future that
                        includes "Administrative Roles". 
                        
                        


                                David 
                                
        
------------------------------------------------------------------------

                                *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Brad Lackey 
                                *Sent:* Thursday, February 15, 2007 8:11 AM 
                                *To:* SunRay-Users mailing list 
                                *Subject:* Re: [SunRay-Users] Restricted web gui? 
                                
                                I'm glad the script is working for you... 
                                
                                There is the ability to add/edit SRDB card
                                registrations using the CLI 
                                
                                /opt/SUNWut/sbin/utuser 
                                
                                Check out the man page "man -M /opt/SUNWut/man utuser" 
                                
                                Brad 
                                
                                Cuny, David wrote: 
                                


                                In the very near future, my dept will be
                                deploying several dozen Sun Rays as Windows desktop
                                replacements (uttsc CAM scripts that point to various
                                RDP sessions depending on card id). To ease the
                                workload of adding new users, our helpdesk staff has
                                offered to assist in the deployment and management of
                                new user sessions. This is easy with the admin gui web
                                page, but does give the helpdesk the capacity to do
                                cold restarts to the service and mess with the security
                                settings, something that doesn't make this sysadmin
                                very happy. At the same time, I would also not be happy
                                if I was on vacation (I'm the sole Unix admin) and I
                                had to remote in to add new sunray users. 
                                
                                So, is there a way to add another user to the
                                admin gui with restricted privileges? If not, is there
                                another way to go about this (i.e. server-side script
                                or something else)? 
                                
                                FYI, I'm using a modified CAM script from Brad
                                Lackey (btw, thanks! It works great!) that reads the
                                'Other Info' field on the user's smart card to populate
                                the RDP session info. If no smart card is detected, the
                                script launches Firefox in an extremely restricted
                                kiosk mode (I'm using the r-kiosk extension). 
                                
                                David Cuny 
                                Unix/Linux System Admin 
                                State Street Kansas City 
                                [EMAIL PROTECTED] 
                                
                                


                                  
        
------------------------------------------------------------------------

                                
        
_______________________________________________ 
                                SunRay-Users mailing list 
                                [email protected] 
                                
http://www.filibeto.org/mailman/listinfo/sunray-users 
                                  


                        -- 
                            *Brad Lackey* 
                        Desktop Product Lead 
                        US Software Practice 
                        (720) 548-3339 
                        [EMAIL PROTECTED]
                        
                        
        
                        


        -- 
        
        Brad Lackey
Desktop Product Lead
US Software Practice
(720) 548-3339
[EMAIL PROTECTED]
        
        
          


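The mail-driven delegation Garry Robbins describes (a dedicated account, a parser, and add/query/delete commands with an audit trail), sketched as an added example that is not code from the thread, which used procmail and Perl. Python is swapped in here, and the sender table, the shared-token line, the verb set and the in-memory alias map are all assumptions.

```python
import email
import hmac
import re
from email.utils import parseaddr

# Assumed policy (constructed): sender -> shared token, verb -> argument count.
AUTHORIZED = {"agent1@helpdesk.example": "constructed-token-1"}
VERBS = {"add": 2, "query": 1, "delete": 1}
ALIAS_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")
TARGET_RE = re.compile(r"^[a-z0-9._-]+@[a-z0-9.-]+$")

def process_message(raw, aliases, audit):
    """Apply the allowed commands in one mail to `aliases`; log every decision."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    # From is trivially forged, so line 1 must be "token <value>" (never logged).
    expected = AUTHORIZED.get(sender)
    supplied = lines[0].split(None, 1)[1] if lines and lines[0].startswith("token ") else ""
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        audit.append((sender, "AUTH", "denied"))
        return []
    results = []
    for line in lines[1:]:
        verb, *args = line.split()
        # Only table verbs with strictly patterned arguments pass; no shell is involved.
        if (verb not in VERBS or len(args) != VERBS[verb] or not ALIAS_RE.match(args[0])
                or (verb == "add" and not TARGET_RE.match(args[1]))):
            outcome = "rejected"
        elif verb == "add":
            aliases[args[0]] = args[1]
            outcome = "ok"
        elif verb == "query":
            outcome = aliases.get(args[0], "not found")
        else:  # delete
            outcome = "ok" if aliases.pop(args[0], None) else "not found"
        audit.append((sender, line, outcome))
        results.append(outcome)
    return results

# Constructed sample mail: two valid commands, one out-of-scope verb, one miss.
SAMPLE = ("From: Agent One <agent1@helpdesk.example>\n\ntoken constructed-token-1\n"
          "add jdoe jdoe@mail.example\nquery jdoe\nrestart sendmail\ndelete nosuch\n")

if __name__ == "__main__":
    table, log = {}, []
    print(process_message(SAMPLE, table, log))
    print(log)
```

The same gate fits in front of the `utuser` CLI mentioned earlier in the thread: the help desk gets a fixed verb table and a log, and the service-restart and security settings stay out of reach.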