HP Serviceguard A.11.20- Managing Serviceguard Twentieth Edition, August 2011
Levels of Access
Serviceguard recognizes two levels of access, root and non-root:
• Root access: Full capabilities; only role allowed to configure the cluster.
As Figure 36 shows, users with root access have complete control over the configuration of
the cluster and its packages. This is the only role allowed to use the cmcheckconf,
cmapplyconf, cmdeleteconf, and cmmodnet -a commands.
In order to exercise this Serviceguard role, you must log in as the HP-UX root user (superuser)
on a node in the cluster you want to administer. Conversely, the HP-UX root user on any node
in the cluster always has full Serviceguard root access privileges for that cluster; no additional
Serviceguard configuration is needed to grant these privileges.
IMPORTANT: Users on systems outside the cluster can gain Serviceguard root access
privileges to configure the cluster only via a secure connection (rsh or ssh).
• Non-root access: Other users can be assigned one of four roles:
◦ Full Admin: Allowed to perform cluster administration, package administration, and cluster
and package view operations.
These users can administer the cluster, but cannot configure or create a cluster. Full Admin
includes the privileges of the Package Admin role.
◦ (all-packages) Package Admin: Allowed to perform package administration, and use
cluster and package view commands.
These users can run and halt any package in the cluster, and change its switching
behavior, but cannot configure or create packages. Unlike single-package Package
Admin, this role is defined in the cluster configuration file. Package Admin includes the
cluster-wide privileges of the Monitor role.
◦ (single-package) Package Admin: Allowed to perform package administration for a
specified package, and use cluster and package view commands.
These users can run and halt a specified package, and change its switching behavior,
but cannot configure or create packages. This is the only access role defined in the
package configuration file; the others are defined in the cluster configuration file.
Single-package Package Admin also includes the cluster-wide privileges of the Monitor
role.
◦ Monitor: Allowed to perform cluster and package view operations.
These users have read-only access to the cluster and its packages.
IMPORTANT: A remote user (one who is not logged in to a node in the cluster, and is not
connecting via rsh or ssh) can have only Monitor access to the cluster.
(Full Admin and Package Admin can be configured for such a user, but this usage is deprecated
and in a future release may cause cmapplyconf and cmcheckconf to fail. As of
Serviceguard A.11.18, configuring Full Admin or Package Admin for remote users gives them
only Monitor capabilities. See “Setting up Access-Control Policies” (page 194) for more information.)
Setting up Access-Control Policies
The HP-UX root user on each cluster node is automatically granted the Serviceguard root access
role on all nodes. (See “Configuring Root-Level Access” (page 166) for more information.)
Access-control policies define non-root roles for other cluster users.
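The audit below is an added example, not part of the HP manual: it reads a cluster configuration file and flags access-control policies that assign Full Admin or Package Admin to a host outside the cluster, the deprecated case described under Levels of Access. It assumes the cluster configuration file's USER_NAME, USER_HOST, USER_ROLE and NODE_NAME parameters, which this section does not show; the sample excerpt and its node and user names are constructed. Single-package Package Admin policies live in the package configuration file and are not covered.

```shell
#!/bin/sh
# Added example (not from the manual): audit access-control policies in a
# Serviceguard cluster configuration file.

# Constructed sample excerpt; node and user names are made up.
sample_config() {
cat <<'EOF'
NODE_NAME  ftsys9
NODE_NAME  ftsys10
# operator working from any cluster node
USER_NAME  john
USER_HOST  CLUSTER_MEMBER_NODE
USER_ROLE  PACKAGE_ADMIN
# elevated role for a host outside the cluster
USER_NAME  alice
USER_HOST  mgmt01
USER_ROLE  FULL_ADMIN
# read-only from any Serviceguard node
USER_NAME  ANY_USER
USER_HOST  ANY_SERVICEGUARD_NODE
USER_ROLE  MONITOR
# elevated role tied to one named member node
USER_NAME  bob
USER_HOST  ftsys10
USER_ROLE  FULL_ADMIN
EOF
}

# audit_acl [FILE]: print "VERDICT user host role" for each policy.
# DEPRECATED = role above MONITOR for a host that is not a cluster member;
# per the text above such a user gets only Monitor capabilities.
audit_acl() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }            # comments, blank lines
        $1 == "NODE_NAME"   { member[$2] = 1 }
        $1 == "USER_NAME"   { user = $2; for (i = 3; i <= NF; i++) user = user "," $i }
        $1 == "USER_HOST"   { host = $2 }
        $1 == "USER_ROLE"   { n++; u[n] = user; h[n] = host; r[n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                is_member = (h[i] == "CLUSTER_MEMBER_NODE" || (h[i] in member))
                verdict = (is_member || r[i] == "MONITOR") ? "OK" : "DEPRECATED"
                print verdict, u[i], h[i], r[i]
            }
        }
    ' "$@"
}

sample_config | audit_acl
```

Run it as `audit_acl /path/to/cluster.config` against the file you would pass to cmcheckconf; every DEPRECATED line is a policy whose configured role exceeds what the user actually receives.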
194 Building an HA Cluster Configuration