Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
admin_acl_file
Chapter 6 99
Creating Administrative Accounts
You can set administrative permissions in the admin_acl_file using
one of the following methods:
• Use the Administrator to set administrative permissions. The
admin_acl_file is edited automatically when you change the
administrative permissions of a principal.
• Edit the admin_acl_file directly. To edit this file, you must have the
required system file administration rights.
Using Restricted Administrator
The r, R, and Rr modifiers are used in combination with the a, A, c, C, d,
D, i, I, m, M, or x, X permissions to permit administrative principals to use
those options only against certain principals.
How the r/R Modifiers Work
There are several important considerations about using the r, R, and Rr
modifiers:
• The r modifier restricts only lower-case permissions. For instance,
administrative principals assigned the ird permissions cannot
delete principals from their own realm that are included in the
admin_acl_file.
Note that the r modifier does not restrict upper-case permissions. For
instance, administrative principals assigned the IMimr permissions
cannot modify principals in their own realm that are included in the
admin_acl_file, but are able to modify any principal in all other
realms supported by the primary security server.
• The R modifier restricts only upper-case letter permissions and only
applies to realms other than the administrative principal’s realm.
For instance, administrative principals assigned the IRD permissions
cannot delete principals included in the admin_acl_file from any
other realm except their own.
Note that IRDid is equivalent to the IRD permissions because the
upper-case permissions (not including the r and R modifiers) apply to
all realms.
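
The following is an added example, not taken from the HP documentation or the product: a small Python model of the r/R rules above that can be used to check what a permission string lets an administrative principal reach. The principal names, realms, and the function names are constructed for illustration, and the precedence of a lower-case permission over its upper-case form inside the administrator's own realm is an assumption chosen so that the IMimr case behaves as described.

```python
# Added illustration: models only the r/R rules stated on this page.
# Principal names and realms below are constructed sample values.

def realm_of(principal):
    """Return the realm part of 'name@REALM'."""
    return principal.rpartition("@")[2]

def may_act(perms, op, admin, target, acl_listed):
    """True if `admin`, holding permission string `perms`, may perform `op`
    (a lower-case permission letter such as 'd' or 'm') on `target`.
    `acl_listed` is the set of principals that appear in admin_acl_file."""
    listed = target in acl_listed
    if realm_of(target) == realm_of(admin):
        if op in perms:
            # Assumption: a lower-case grant governs the own realm when present,
            # so r applies to it even if the upper-case form is also set.
            return not ("r" in perms and listed)
        # Upper-case permissions apply to all realms; r does not restrict them.
        return op.upper() in perms
    # Other realms: only upper-case permissions reach them; R restricts those.
    if op.upper() in perms:
        return not ("R" in perms and listed)
    return False

ACL_LISTED = {"admin1@EXAMPLE.COM", "admin2@OTHER.EXAMPLE"}  # constructed
ME = "operator@EXAMPLE.COM"                                   # constructed
TARGETS = ["admin1@EXAMPLE.COM", "user1@EXAMPLE.COM",
           "admin2@OTHER.EXAMPLE", "user2@OTHER.EXAMPLE"]

def reach(perms, op):
    """Targets from TARGETS on which ME may perform `op` under `perms`."""
    return [t for t in TARGETS if may_act(perms, op, ME, t, ACL_LISTED)]

if __name__ == "__main__":
    for perms, op in [("ird", "d"), ("IMimr", "m"), ("IRD", "d"), ("IRDid", "d")]:
        print(f"{perms:6} {op}: {reach(perms, op)}")
```

Running it over the four permission strings discussed above shows which of the sample principals each one can delete or modify, which makes it easy to spot an entry that leaves other administrators' accounts within reach.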