Network and System Admin Chapter 2

This document discusses user accounts and groups in a system administration context. It covers setting up user accounts which include a unique user ID, home directory, and login credentials. Groups are used to grant permissions to directories and files. User private groups are created for each user to safely set default permissions. Managing user accounts involves following guidelines for usernames, passwords, and potentially using a centralized name service.

Uploaded by Elijah Ibsa

Chapter Two

Account and Security Administration, and Access Control (DAC, RBAC) (3 hrs)

User and Group Concepts, and User Private Group Scheme
One of the basic system administration tasks is to set up a user account for each user at
a site.
A typical user account includes the information a user needs to log in and use a system
(without having the system's root password).
• Every user of the system is assigned a unique User ID number (the uid).
• Users cannot read, write or execute each other's files without permission.
User account information consists of four main components:
Component                  Description
User name                  A name that a user uses to log in to a system (also known as a
                           login name).
Password                   A secret combination of characters that a user must enter with a
                           user name to gain access to a system.
User's home directory      A directory that is usually the user's current directory at login.
                           It typically contains most of the user's files.
User initialization files  Shell scripts that control how the user's working environment is
                           set up when a user logs in to a system.
 Also, when you set up a user account, you can add the user to predefined
groups of users.
 A typical use of groups is to set up file and directory access only to users
who are part of a group (using the group permissions on a file or directory).
 For example, you might have a directory containing top secret files that
only a few users should be able to access.
 You could set up a group called topsecret that includes the users working on
the top secret project, and you could set up the top secret files with read
permission for the topsecret group.
 That way, only the users in the topsecret group would be able to read the
files.
 There is also a special type of user account called a role, which is used to
give selected users special privileges.
Guidelines for Managing User Accounts
 The following sections describe some guidelines and planning information for
creating user accounts.
 Name Services
 If you are managing user accounts for a large site, you might want to consider
using a name service such as NIS or NIS+.
 A name service enables you to store user account information in a centralized
manner instead of storing user account information in every system's /etc files.
 When using a name service for user accounts, users can move from system to
system using the same user account without having site-wide user account
information duplicated in every system's /etc files.
 Using a name service also promotes centralized and consistent user account
information.
 User (Login) Names
 User names, also called login names, let users access their own systems and
remote systems that have the appropriate access privileges.
 You must choose a user name for each user account you create. User names
must:
 Be unique within your organization, which might span multiple domains
 All Windows Server operating systems have user and group accounts.
 A user account is an object or identity created on a computer or in a system.
 A user account allows a person to sign in to a computer and access the applications,
services and resources of a system.
 It consists of a user name, a password and any other related information about the user.

Types of user accounts

1. Local user account: an account created on a stand-alone server and stored in
the local security database.

2. Domain user account: an account created in the Active Directory database.

3. Built-in user account: an account that Windows Server creates automatically
during operating system installation.
 Examples of built-in user accounts are Administrator and Guest.
 The Administrator account manages overall computer and domain
configuration tasks, such as creating and modifying user accounts and
groups, managing security policies, and assigning permissions and rights to
user accounts so that they can gain access to resources.
 The purpose of the built-in Guest account is to provide users who don't
have an account in the domain with the ability to log on and gain access to
resources.

Group account
 An account containing other accounts, also called members, is a group.
 Groups give Windows administrators the ability to grant rights and
permissions to the users within the group at the same time, without having
to maintain each user individually.
Types of groups
 Security groups: used to assign permissions and rights to gain access to
resources; a security group can also be used as a distribution group.
 Distribution groups: used to combine users for e-mail distribution lists.
 A distribution group is a non-security group, generally used for Exchange (mail)
users, for example to send an e-mail message to many users at the same time.

Group scopes
A group scope defines how, and for which resources, permissions are assigned to the
group members. The following are the group scopes:

Domain local: open membership; access to resources in one domain.

Global: limited membership; access to resources in any domain.

Universal: open membership; access to resources in any domain.
Basic requirements in password creation
 A password created in a server operating system must contain characters from
three of the following categories:
 Upper case letters (A-Z)
 Lower case letters (a-z)
 Numbers (0-9)
 Special characters (@, #, $, !)
 The minimum password length is 7.
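As an added example (not part of the slides), the following Python checks the two rules just listed: a minimum length of 7 and characters from at least three of the four classes. The set of special characters is taken from the slide's own list and is an assumption of the example; real server policies accept many more symbols.

```python
import string

# Policy values from the slide: minimum length 7, characters from at least
# three of the four classes.
MIN_LENGTH = 7
REQUIRED_CLASSES = 3
# The slide names only these four specials. Treating this list as the whole
# "special" class is an assumption made for the example.
SPECIAL_CHARACTERS = set("@#$!")


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL_CHARACTERS:
            classes.add("special")
        # any other character counts toward the length but toward no class
    return classes


def password_problems(password):
    """List every policy rule the candidate password violates (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(
            f"uses {len(classes)} character class(es); at least {REQUIRED_CLASSES} required"
        )
    return problems


def is_acceptable(password):
    """True when the candidate satisfies every rule of the policy."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ["Abc123X", "summer20", "Ab1!", "Summer2024!"]:
        print(candidate, "->", password_problems(candidate) or "accepted")
```

Note that "Summer2024!" passes the check even though it is a predictable pattern: a composition rule like this only guarantees the character mix, so it complements, rather than replaces, length requirements, a check against known-breached passwords, and the aging rules described later in the chapter.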
User Private Groups
 A UPG is created whenever a new user is added to the system. A UPG has the
same name as the user for which it was created, and that user is the only member
of the UPG.
 UPGs make it safe to set default permissions for a newly created file or
directory which allow both the user and that user's group to make modifications
to the file or directory.
 The setting which determines what permissions are applied to a newly created
file or directory is called a umask and is configured in the /etc/bashrc file.
 Traditionally, on UNIX systems the umask is set to 022, which allows only the
user who created the file or directory to make modifications. Under this scheme,
all other users, including members of the creator's group, are not allowed to make
any modifications.
 However, under the UPG scheme, this "group protection" is not necessary, since
every user has their own private group.
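The following Python is an added example, not code from the slides. It parses constructed /etc/passwd and /etc/group style records (the user names, uids and gids are made up for the example), checks whether each user really has a private group, computes the default permissions that umask 022 and 002 produce for files and directories, and then creates a real file under a chosen umask to confirm the arithmetic. The rule it encodes, that a group-writable default is only safe when the group receiving the write bit is a private group, is the slide's own point.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample records in /etc/passwd and /etc/group format (not from a
# real system).  passwd: name:x:uid:gid:gecos:home:shell
#                 group:  name:x:gid:member,member
PASSWD_LINES = [
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob:/home/bob:/bin/bash",
    "carol:x:1003:100:Carol:/home/carol:/bin/bash",  # primary group 'users', not a UPG
]
GROUP_LINES = [
    "users:x:100:alice,bob,carol",
    "alice:x:1001:",          # proper UPG: same name as the user, no extra members
    "bob:x:1002:bob,carol",   # carol was added, so this group is no longer private
    "topsecret:x:2000:alice",
]


def parse_passwd(lines):
    users = {}
    for line in lines:
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(lines):
    groups = {}
    for line in lines:
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = {"name": name, "members": [m for m in members.split(",") if m]}
    return groups


def has_private_group(user, users, groups):
    """True when the user's primary group carries the user's own name and lists
    nobody else as a member: the UPG property the slide describes."""
    primary = groups.get(users[user]["gid"])
    if primary is None or primary["name"] != user:
        return False
    return all(member == user for member in primary["members"])


def default_mode(umask, is_dir):
    """Permission bits of a newly created file (base 0666) or directory (base
    0777) after the umask clears its bits."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def recommended_umask(user, users, groups):
    """Group-writable defaults (002) are only safe when the group that receives
    the write bit is the user's private group; otherwise keep the classic 022."""
    return 0o002 if has_private_group(user, users, groups) else 0o022


def create_with_umask(umask, is_dir=False):
    """Create a file or directory under the given umask in a scratch directory
    and return its real permission bits, restoring the process umask after."""
    old_umask = os.umask(umask)
    scratch = tempfile.mkdtemp()  # mkdtemp forces 0700 on itself, so test a child
    try:
        path = os.path.join(scratch, "sample")
        if is_dir:
            os.mkdir(path, 0o777)
        else:
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o666))
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD_LINES), parse_group(GROUP_LINES)
    for name in users:
        mask = recommended_umask(name, users, groups)
        print(f"{name}: UPG={has_private_group(name, users, groups)} umask={mask:03o} "
              f"file={stat.filemode(default_mode(mask, False))[1:]} "
              f"dir={stat.filemode(default_mode(mask, True))[1:]}")
    print("real file created under umask 022:", oct(create_with_umask(0o022)))
```

The bob record shows the failure mode worth auditing for: once a second member is added to what was a private group, a 002 umask silently gives that member write access to everything bob creates from then on.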
Managing User Accounts and User Groups
 If you're a system admin, user admin, or group admin, you can use the
admin console to add, remove, and edit accounts for users and groups. Note
that this guide does not describe how to set permissions for users and
groups. You can set permissions if you're a system or space admin, but not a
user or group admin.
 For more on setting permissions, see Managing Administrative Permissions.
About User Accounts and User Groups
 User accounts represent people who have access to the application.
 User groups collect user accounts in order to make it easier to manage
access to the application's features.
 A user account represents a person using the application. Each user account
has associated content, including the person's profile.
 For all users, you can use the console to change their user name and password,
view and delete the content they've created, and view and edit their profile
information.
 You can also disable a user, such as when they're no longer involved, but you
want to hang on to their content.
 A user group collects user accounts, typically in order to make it easier to grant
all of the collected users certain permissions.
 For example, you might create a group of human resources workers so that you
can give them (and only them) permission to view potentially sensitive
information about employees in a "Benefits" space.
 A user group is made up of members, who typically aren't aware they're in the
group, and admins, who have admin console access through which they can
manage user group settings and membership.
External User Identity Systems
 The work you do with user accounts and user groups will depend heavily on
whether the application is connected to an external user identity
management system.
 Generally speaking, when you add user accounts and user groups using the
admin console, you're adding that data to the same database used to store
content.
 This isn't typically the case if the application is connected to an external
user identity system such as LDAP or Active Directory.
 In that case, much of the information about users will come from, and be
managed within, the external system. By default, even if your
community uses an LDAP or Active Directory database (or some custom
solution), the users you add through the admin console will be added to the
application's database and not the external system.
 It is also possible that user accounts will be managed by the
external system, but the groups they're members of will be created
and managed locally in the application database.
 How user groups are managed is defined when the external system is
connected to the application.
 User Registration: You can configure the application so that users
can register on their own.
 When you enable user-created accounts, people can register by
entering basic required registration information (such as a username
and password), along with user profile information.
 They can also invite other people to join the community.
Managing User Groups
 A user group collects user accounts to make managing permissions easier.

 For example, you might create a user group called "hr_users" and add user accounts
for people in the human resources department.
 The existence of user groups isn't visible in the application's user interface.

 User groups are made up of members and admins.

 Unless they have access to the admin console, members typically aren't aware that
they're in a user group.
 The account simply defines (at least partly) their access to the application's features.

 Group admins have access to the area of the admin console through which they can
manage settings and membership for a group they're administering.
 By default, they get to this feature by directing their browser to a URL as described in
Starting the Admin Console.
 Unless they have other types of admin access, they'll only be able to access account
management pages for the account they're administering.
Managing Password Aging
 Password aging is a mechanism you can use to force users to periodically
change their passwords.
Password aging allows you to:
 Force a user to choose a new password the next time the user logs in.
 Specify a maximum number of days that a password can be used before it has to be
changed.
 Specify a minimum number of days that a password has to be in existence
before it can be changed.
 Specify that a warning message be displayed whenever a user logs in a
specified number of days before the user's password time limit is reached.
 Specify a maximum number of days that an account can be inactive.
 If that number of days passes without the user logging in to the account, the
user's password will be locked.
 Specify an absolute date after which a user's password cannot be used, thus
denying the user the ability to log on to the system.
 Keep in mind that users who are already logged in when the various
maximums or dates are reached are not affected by the above features.
 They can continue to work as normal.
 Password aging limitations and activities are only activated when a user
logs in or performs one of the following operations:
 login
 rlogin
 telnet
 ftp
 These password aging parameters are applied on a user-by-user basis.
 You can have different password aging requirements for different users.
Forcing Users to Change Passwords
• There are two ways to force a user to change passwords the next time the
user logs in:
1. Force change keeping password aging rules in effect
2. Force change and turn off password aging rules
 Password aging allows you to specify a time period during which a password is valid.
 It has the benefit of ensuring that:
 Passwords are changed regularly
 A password that is stolen, cracked, or known by a former employee
has a time-limited value
 A password age between 30 and 60 days is recommended
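The Python below is an added example (not from the slides) that models the aging rules from "Managing Password Aging" and the two ways of forcing a change from "Forcing Users to Change Passwords". The record fields follow the layout of a shadow-file entry (last change, minimum days, maximum days, warning days, inactive days, absolute expiry date); the dates and values are constructed, and the evaluation happens only when the function is called, mirroring the slide's point that aging is applied at login rather than to sessions already open.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class AgingRecord:
    """Per-user aging parameters, modelled after the fields of a shadow entry.
    last_change=None means 'a new password is required at the next login'."""
    last_change: Optional[date]
    min_days: int = 0                    # password must exist this long before it may change
    max_days: Optional[int] = None       # None: no maximum (aging is off)
    warn_days: int = 0                   # warn this many days before the maximum
    inactive_days: Optional[int] = None  # lock this many days after the maximum
    expire_date: Optional[date] = None   # date on/after which the account is unusable


def aging_status(rec, today):
    """Evaluate the rules the way a login would.  Returns (status, days) where
    days counts to the maximum (negative when overdue) or is None when no
    maximum applies."""
    if rec.expire_date is not None and today >= rec.expire_date:
        return "expired", None            # absolute date reached: no login at all
    if rec.last_change is None:
        return "must_change", None        # forced change at next login
    if rec.max_days is None:
        return "ok", None                 # aging rules turned off
    deadline = rec.last_change + timedelta(days=rec.max_days)
    days_left = (deadline - today).days
    if rec.inactive_days is not None and days_left < -rec.inactive_days:
        return "locked", days_left        # inactive too long after the maximum
    if days_left < 0:
        return "must_change", days_left   # maximum exceeded
    if days_left <= rec.warn_days:
        return "warn", days_left          # inside the warning window
    return "ok", days_left


def can_change_password(rec, today):
    """Minimum-age rule: a forced change is always allowed, otherwise the
    current password must be at least min_days old."""
    if rec.last_change is None:
        return True
    return today >= rec.last_change + timedelta(days=rec.min_days)


def force_change(rec, keep_aging=True):
    """The two ways of forcing a change at next login: keep the aging rules in
    effect, or clear them so that only the one-time change remains."""
    if keep_aging:
        return replace(rec, last_change=None)
    return replace(rec, last_change=None, max_days=None, warn_days=0, inactive_days=None)


def record_change(rec, today):
    """Apply a successful password change performed on 'today'."""
    return replace(rec, last_change=today)


if __name__ == "__main__":
    rec = AgingRecord(date(2024, 1, 1), min_days=5, max_days=60, warn_days=7,
                      inactive_days=10, expire_date=date(2024, 6, 30))
    for day in [date(2024, 2, 1), date(2024, 2, 25), date(2024, 3, 5),
                date(2024, 3, 20), date(2024, 7, 1)]:
        print(day, aging_status(rec, day))
```

Because the status is only computed when the function runs, a user whose session is already open on the day the maximum passes keeps working; the rules bite at the next login, exactly as the slide warns.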
Managing file and folder permissions
 In many cases, you will need to change the permissions that a certain group or
individual user has to a file or folder.
 For example, you can designate a special folder on the W: drive within your
department's area called "Incoming" as a place where students can turn in their work.
 To do this, you would first need to create a new folder on the W: drive.

 By default, the new folder will have the same permissions as the parent folder, which
would not allow students to submit their work, and may not allow students to even
access the folder.
 You would then need to allow students access to the new folder, and set permissions
for the folder.
 When you set permissions, you are specifying what level of access students have to
the folder and its files and what students can do within that folder such as save, delete,
or read files.
 There are six standard permission types which apply to files and folders in
Windows:
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write
 Each level represents a different set of actions users can perform.
 For folders you can also set your own unique permissions or create a variation
on any of the standard permission levels.
 Within each of the permission levels are many possible variations.
• For information on some of these advanced options, refer to Advanced
Folder Level Permissions below.
Permission       Description
Full Control     Permits the user(s) to: view file names and subfolders; navigate to
                 subfolders; view data in the folder's files; add files and subfolders to
                 the folder; change the folder's files; delete the folder and its files;
                 change permissions; take ownership of the folder and its files.
Modify           Permits the user(s) to: view the file names and subfolders; navigate to
                 subfolders; view data in the folder's files; add files and subfolders to
                 the folder; change the folder's files; delete the folder and its files;
                 open and change files.
Read & Execute   Permits the user(s) to: view file names and subfolder names; navigate to
                 subfolders; view data in the folder's files; run applications.
List Folder      Permits the user(s) to: view the file names and subfolder names; navigate
Contents         to subfolders; view folders. Does not permit access to the folder's files.
Read             Permits the user(s) to: view the file names and subfolder names; navigate
                 to subfolders; open files; copy and view data in the folder's files.
Write            The Read permissions, plus permits the user(s) to: create folders; add new
                 files; delete files.
Access control system
• Access control is a security technique that regulates who or what can view or use
resources in a computing environment.
• It is a fundamental concept in security that minimizes risk to the business or
organization.
• There are two types of access control: physical and logical.
• Physical access control limits access to campuses, buildings, rooms and physical IT
assets.
• Logical access control limits connections to computer networks, system files and
data.
• To secure a facility, organizations use electronic access control systems that rely on
user credentials, access card readers, auditing and reports to track employee access to
restricted business locations and proprietary areas, such as data centers.
• Some of these systems incorporate access control panels to restrict entry to
rooms and buildings, as well as alarms and lockdown capabilities, to
prevent unauthorized access or operations.
• Logical access control systems perform identification, authentication and
authorization of users and entities by evaluating required login credentials
that can include passwords, personal identification numbers, biometric
scans, security tokens or other authentication factors.
• Multifactor authentication (MFA), which requires two or more
authentication factors, is often an important part of a layered defense to
protect access control systems.
Access control system (UNIX)
• Ensures that user A cannot access user B's private files
• Every file supports separate privileges for its owner, the members of the
group it is assigned to, and all other users: read, write, execute
• In the earliest and simplest versions of UNIX, there was never a single-point
access control system
• The code that makes access control decisions is scattered about the
system
Example
Certain system calls are restricted to root (e.g., settimeofday)
Other system calls (e.g., kill) involve ownership matching and a special
provision for root
The filesystem implements its own access control system
Rules that shape the system's design
Objects (e.g., files and processes) have owners
Owners have broad (but not necessarily unrestricted) control over their objects
You own new objects that you create
The special user account called "root" can act as the owner of any object
Only root can perform certain sensitive administrative operations
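As an added example, not from the slides, the Python below implements the owner/group/other decision the slides describe, together with the root provisions: root bypasses read and write checks, and (as the Linux kernel does) may execute a file only if some execute bit is set. The file entries, uids and gids are constructed for the example. It also captures a detail the slide's wording leaves implicit: exactly one permission class applies, so an owner whose owner bits are empty is refused even when the group bits would allow the access.

```python
import stat

ROOT_UID = 0

# Constructed objects for the example: path -> (owner uid, owning gid, mode).
# These are not entries from any real system.
FILES = {
    "/srv/topsecret/plan.txt": (1001, 2000, 0o640),  # owner rw, group topsecret r
    "/usr/local/bin/report":   (1001, 2000, 0o750),  # executable by owner and group
    "/tmp/oddity":             (1001, 2000, 0o060),  # owner class empty, group rw
}

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def permission_class(uid, gids, owner_uid, owner_gid):
    """Classic UNIX picks exactly one class: owner if the uid matches, else
    group if any of the caller's groups matches, else other."""
    if uid == owner_uid:
        return 0
    if owner_gid in gids:
        return 1
    return 2


def check_access(uid, gids, owner_uid, owner_gid, mode, want):
    """True when every permission in 'want' (a subset of 'rwx') is granted.
    root bypasses read/write and needs only some execute bit to execute."""
    cls = permission_class(uid, gids, owner_uid, owner_gid)
    for perm in want:
        usr, grp, oth = _BITS[perm]
        if uid == ROOT_UID:
            if perm == "x" and not mode & (usr | grp | oth):
                return False
            continue
        if not mode & (usr, grp, oth)[cls]:
            return False
    return True


def may_chmod(uid, owner_uid):
    """Owners have broad control over their objects: the owner (or root) may
    change the mode."""
    return uid == ROOT_UID or uid == owner_uid


def may_chown(uid):
    """One of the sensitive operations reserved for root: on Linux only root may
    give a file to another owner."""
    return uid == ROOT_UID


def access(path, uid, gids, want):
    """Look up a constructed object and run the check against it."""
    owner_uid, owner_gid, mode = FILES[path]
    return check_access(uid, gids, owner_uid, owner_gid, mode, want)


if __name__ == "__main__":
    # alice (1001, in topsecret), bob (1002, in topsecret), carol (1003, not)
    for who, uid, gids in [("alice", 1001, {1001, 2000}), ("bob", 1002, {1002, 2000}),
                           ("carol", 1003, {100}), ("root", 0, {0})]:
        print(who, "read plan:", access("/srv/topsecret/plan.txt", uid, gids, "r"),
              "write plan:", access("/srv/topsecret/plan.txt", uid, gids, "w"))
```

The /tmp/oddity entry is the case to remember when reviewing modes such as 0060 or 0006 in an audit: the owner is locked out by their own class while everyone in the group gets in, which is rarely what the administrator intended.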
Managing Disk Quota
• Quota is the amount of space you have to store files, whether you create or access them from
Linux or Windows.
• The amount of storage space for files is based on the available disk space on the ECS file
servers and on the type of computer account you hold.
• Each computer account has both a hard and a soft quota.
• The soft quota is the point at which you are warned that you are approaching your hard quota.
• The hard quota is the absolute maximum amount of disk space the system grants your
account.
• Do not exceed your hard quota; bad things happen if you do: the system will not let you do
anything in your account that requires using additional disk space; you cannot create new
files; and any files that you try to edit may become corrupted.
• The hard quota takes effect as soon as you exceed it; there is no grace period.
 Your soft quota is less than your hard quota.
 Since exceeding your hard quota can result in drastic.
 If you exceed your soft quota for more than seven days, it automatically becomes
your hard quota.
 Alternatively referred to simply as a quota, disk quota management is a set of limits,
set by administrators, on the storage space available to a user, workgroup, or other
group.
 Setting a quota helps prevent a server or share from becoming full of data,
while still allowing users to save files.
 Most users who send and receive e-mail or run a website may be familiar with
quotas because of "over quota" messages, which indicate that they have exceeded
their available space.
 Also, if an e-mail file attachment is too big to fit into the available quota, you'll
receive a similar error.
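The Python below is an added example (not from the slides) that models the soft/hard quota rules from both "Managing Disk Quota" slides: the hard quota is enforced immediately with no grace period, the soft quota only warns, and once the soft quota has been exceeded for more than seven days it acts as the hard quota until usage drops back under it. The sizes are constructed and expressed in arbitrary megabyte units.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

GRACE_DAYS = 7  # from the slide: over the soft quota for more than seven days


@dataclass(frozen=True)
class Quota:
    soft: int                               # warning threshold (constructed units: MB)
    hard: int                               # absolute maximum, enforced at once
    over_soft_since: Optional[date] = None  # first day the soft quota was exceeded


def request_write(used, size, quota, today):
    """Decide whether writing 'size' more on top of 'used' is allowed.
    Returns (allowed, reason, updated_quota); the updated record carries the
    grace clock so callers can feed it into the next request."""
    new_total = used + size
    if new_total > quota.hard:
        # The hard quota takes effect as soon as it is exceeded: no grace.
        return False, "hard quota exceeded", quota
    if new_total > quota.soft:
        since = quota.over_soft_since or today
        days_over = (today - since).days
        updated = replace(quota, over_soft_since=since)
        if days_over > GRACE_DAYS:
            # Past the grace period the soft quota acts as the hard quota.
            return (False,
                    f"soft quota exceeded for {days_over} days; it now acts as the hard quota",
                    updated)
        return (True,
                f"warning: over soft quota, {GRACE_DAYS - days_over} grace day(s) left",
                updated)
    # Back under the soft quota: the grace clock resets.
    return True, "ok", replace(quota, over_soft_since=None)


if __name__ == "__main__":
    quota = Quota(soft=100, hard=150)
    day = date(2024, 5, 1)
    used = 90
    # Constructed sequence: a write crosses the soft quota, later writes are
    # judged against the grace clock, and a large write hits the hard quota.
    for offset, size in [(0, 20), (1, 50), (3, 5), (8, 5)]:
        allowed, reason, quota = request_write(used, size, quota, day + timedelta(days=offset))
        print(f"day +{offset}: write {size} -> {allowed} ({reason})")
        if allowed:
            used += size
```

Note what the grace clock does not do: a write that would cross the hard quota is refused even on the first day over the soft quota, and deleting files only resets the clock once usage is back under the soft limit.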