Chat now with support
Chat with Support

Identity Manager 8.2.1 - Administration Guide for Connecting Unix-Based Target Systems

Managing Unix-based systems Synchronizing Unix-based target systems Managing Unix user accounts and employees Managing memberships in Unix groups Login information for Unix user accounts Mapping of Unix objects in One Identity Manager Handling of Unix objects in the Web Portal Basic data for Unix-based target systems Configuration parameters for managing Unix-based target systems Default project template for Unix-based target systems Unix connector settings

Security-relevant user account main data

On Security, enter the following additional information about a user account in the AIX system. This data is mapped in /etc/security/user.

Table 25: Additional security relevant data for user accounts in an AIX system

Property

Description

account_locked

Specifies whether the user account is locked. (Parameter account_locked).

admin

Specifies the administrative status of the user. (Parameter admin).

admgroups

Lists the groups the user administrates. (Parameter admgroups).

auditclasses

The user account's audit classes. (Parameter auditclasses).

auth1

Additional mandatory methods for authenticating the user. (Parameter auth1).

auth2

Additional optional methods for authenticating the user. (Parameter auth2).

core_compress

Enables or disables core file compression. (Parameter core_compress).

core_path

Enables or disables core file path specification. (Parameter core_path). If this attribute has a value of On, core files will be placed in the given directory. otherwise, core files are placed in the user's current working directory.

core_naming

Naming conventions for the core file. If this option is set, the core file is stamped with a process ID, time, and date. (Parameter core_naming).

daemon

Specifies whether the user can run programs using the cron daemon or the src (system resource controller) daemon. (Parameter daemon).

dce_export

Specifies whether the DCE registry can overwrite the local user information with the DCE user information during a DCE export operation. (Parameter dce_export).

expires

Expiration date of the user account. (Parameter expires).

login

Specifies whether the user can log in to the system with the login command. (Parameter login).

logintimes

Times, days, or both, the user is allowed to access the system. (Parameter logintimes).

loginretries

Number of unsuccessful login attempts allowed after the last successful login before the system locks the account. (Parameter loginretries). A value of 0 or a negative value, indicates no maximum age.

projects

List of projects that the user's processes can be assigned to. The value is a list of comma-delimited project names. (Parameter projects).

registry

Defines the authentication registry where the user is administered. (Parameter registry).

rlogin

Specifies whether access is permitted to the account from a remote location with the telnet or rlogin commands. (Parameter rlogin).

su

Specifies whether another user can switch to the specified user account with the su command. (Parameter su).

sugroups

Groups that can use the su command to switch to the specified user. (Parameter sugroups).

SYSTEM

System's authentication mechanism for the user. (Parameter SYSTEM).

tpath

The user's trusted path status. (Parameter tpath).

ttys

Lists the terminals that can access the user. (Parameter ttys).

umask

Determines file permissions. (Parameter umask). The default value is 022.

Related topics

Main data for user accounts on an encrypted file system

On the Encrypted File System tab, enter the following additional information for using encrypted file system (EFS) for a user account in an AIX system. This data is mapped in /etc/security/user.

Table 26: User account main data of encrypted file systems

Property

Description

efs_adminks_access

Defines the efs_admin keystore location (Parameter efs_adminks_access). Permitted values:

  • file

  • ldap

efs_allowksmodechangebyuser

Specifies whether the user can change the mode or not. (Parameter efs_allowksmodechangebyuser).

efs_file_algo

Algorithm used to generate the file protection key. (Parameter efs_file_algo). Permitted values:

  • AES_128_CBC

  • AES_192_CBC

  • AES_256_CBC

efs_initialks_mode

Initial mode of the user keystore. (Parameter efs_initialks_mode). Permitted values:

  • guard

  • admin

efs_keystore_access

User keystore location. (Parameter efs_keystore_access). Permitted values:

  • none

  • file

efs_keystore_algo

Algorithm used to generate the user private key when the keystore is created. (Parameter efs_keystore_algo). Permitted values:

  • RSA_1024

  • RSA_2048

  • RSA_4096

Assigning extended properties to Unix user accounts

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

For detailed information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for a user account

  1. In the Manager, select the Unix > User accounts category.

  2. Select the user account in the result list.

  3. Select Assign extended properties.

  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .

  5. Save the changes.

Disabling AIX system user accounts

NOTE: The behavior described in the following, only applies to user accounts in an AIX system.

The way you disable user accounts depends on how they are managed.

Scenario:

The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. For user accounts with a manage level, configure the required behavior using the template in the UNXAccount.AIX_account_Locked column.

Scenario:

The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter

  • If the configuration parameter is set, the employee’s user accounts are disabled when the employee is permanently or temporarily disabled.

  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To disable the user account when the configuration parameter is disabled

  1. In the Manager, select the Unix > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. On the Security tab, set the account_locked option.

  5. Save the changes.
Scenario:

User accounts not linked to employees.

To disable a user account that is no longer linked to an employee

  1. In the Manager, select the Unix > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. On the Security tab, set the account_locked option.

  5. Save the changes.

For more detailed information about deactivating and deleting employees and user accounts, see the .One Identity Manager Target System Base Module Administration Guide

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating