Protection Permissions
Protection permissions allow you to group users into administrative domains so that administrators can only perform actions within their own domain. An administrator can only perform administrative operations on a user that holds the same protection permission as the administrator.
There are four protection permissions (protect1, protect2, protect3, and protect4), so you can create up to four groups of administrators. Protection permissions do not apply to the admin user or to users in the $admin group: these users can perform any action on any user regardless of protection permissions.
To use protection permissions, grant one of the protection permissions to a set of users, either individually or through a defined group. Then grant the same protection permission to the administrator who is to perform actions on those users.
For example, suppose a company has four departments: sales, finance, manufacturing, and system administrators. Each department has a defined group with a set of users assigned to it. Within the system administrators there is one manager and three other administrators, each responsible for administering one of the other departments. The manager of the system administrators can perform any administrator action. Each of the other system administrators can only perform actions on members of the group for which they are responsible.
The user name of the manager is mgr, and the user names of the other system administrators are admin1, admin2, and admin3. The following commands illustrate the grants necessary for creating the example administration structure:
add member $admin mgr
grant admin sales protect1
grant admin admin1 protect1,all
grant admin manufacturing protect2
grant admin admin2 protect2,all
grant admin finance protect3
grant admin admin3 protect3,all
In these commands, each of the three administrators is also granted the all permission. This signifies that the user has all administrator privileges over anyone who also holds the same protection permission. Note, however, that if you revoke the all permission from a user, all of that user's permissions, including any protection permissions, are removed from the user's access control list.
An administrator is able to view users that hold a different protection permission, but the administrator can only perform actions on users with the same protection permission.
For example, admin1 can perform any action on any user in the sales group, and can view any user in the manufacturing or finance groups. However, admin1 is not able to grant permissions, change passwords, delete users from, or perform any other administrative action on users of the manufacturing or finance groups. The mgr user is able to perform any action on any user, regardless of their protection permission, because mgr is a member of the $admin group.
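The following is an added illustration, not the product's own code: a small Python model of the rules described above (the grant procedure and the view-versus-act distinction), populated with the example administration structure. The data layout, the member names (sam, mia, fay) and the treatment of the all permission as the thing that makes a user an administrator are assumptions of this model; what it checks is exactly the text's rule that administrative actions require a shared protection permission unless the actor is admin or in $admin, that viewing is not restricted by domain, and that revoking all also strips the protection permissions.

```python
"""Toy model of protection-permission checks (added illustration, not product code)."""
from dataclasses import dataclass, field

PROTECTIONS = frozenset({"protect1", "protect2", "protect3", "protect4"})
SUPERUSER = "admin"
SUPER_GROUP = "$admin"


@dataclass
class Directory:
    """Assumed store: one ACL (set of permission names) per user or group name,
    plus group membership. Command names mirror the page; the layout is ours."""
    acl: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def grant(self, principal, perms):
        # 'grant admin <principal> <perm,...>': principal is a user or a group.
        self.acl.setdefault(principal, set()).update(perms)

    def revoke(self, principal, perms):
        # Per the text, revoking 'all' removes the whole ACL entry for the user,
        # protection permissions included; other revokes remove only what is named.
        if "all" in perms:
            self.acl[principal] = set()
        else:
            self.acl.setdefault(principal, set()).difference_update(perms)

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def effective(self, user):
        # A user's own grants plus those of every group they belong to.
        perms = set(self.acl.get(user, set()))
        for g in self.groups_of(user):
            perms |= self.acl.get(g, set())
        return perms

    def is_super(self, user):
        # admin and $admin members are exempt from protection permissions.
        return user == SUPERUSER or user in self.members.get(SUPER_GROUP, set())

    def can_view(self, actor, target):
        # Administrators can view users in other protection domains.
        return self.is_super(actor) or "all" in self.effective(actor)

    def can_administer(self, actor, target):
        if self.is_super(actor):
            return True
        if "all" not in self.effective(actor):
            return False  # assumption: 'all' is what confers administrator rights
        # Same protection permission required between actor and target.
        shared = self.effective(actor) & self.effective(target) & PROTECTIONS
        return bool(shared)


def build_example():
    """The page's example structure; department members are constructed names."""
    d = Directory()
    for group, users in {"sales": ("sam",), "manufacturing": ("mia",), "finance": ("fay",)}.items():
        for u in users:
            d.add_member(group, u)
    d.add_member("$admin", "mgr")
    d.grant("sales", {"protect1"})
    d.grant("admin1", {"protect1", "all"})
    d.grant("manufacturing", {"protect2"})
    d.grant("admin2", {"protect2", "all"})
    d.grant("finance", {"protect3"})
    d.grant("admin3", {"protect3", "all"})
    return d


def demo():
    d = build_example()
    results = {
        "admin1 administers sales": d.can_administer("admin1", "sam"),
        "admin1 administers manufacturing": d.can_administer("admin1", "mia"),
        "admin1 views manufacturing": d.can_view("admin1", "mia"),
        "mgr administers finance": d.can_administer("mgr", "fay"),
    }
    # Revoking 'all' also drops protect1, so admin1 loses the sales domain too.
    d.revoke("admin1", {"all"})
    results["admin1 administers sales after revoke"] = d.can_administer("admin1", "sam")
    results["admin1 protections after revoke"] = sorted(d.effective("admin1") & PROTECTIONS)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The revoke step is the part worth running: after revoking all from admin1, the model shows the protection permission gone as well, which is why re-granting an administrator requires repeating both protectN and all.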