HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
The admin_acl_file File
Permissions designated with a lowercase letter apply only to those
realms to which the administrative principal belongs. Permissions
designated with an uppercase letter apply to all realms. [permissions]
is an optional string containing one or more options listed in Table 8-2.
The restricted administrator setting is a modifier that you must use in
conjunction with permissions. You must consider the following guidelines
before using the r, R and Rr modifiers:
The order of the permission letters is irrelevant.
The e, E, g and G switches are not affected by the r and R
permissions.
The * (asterisk) symbol overrides the r and R switches.
For more information, see “Using Restricted Administrator” on page 117.
The principal can also include the asterisk (*) wildcard because
admin_acl_file supports the following identifier/instance
wildcards:
*/instance
identifier/*
This format makes it easier to add groups of principal names to the file.
Therefore, if you want any principal with the instance admin to have
permissions to administer the database, you can use the principal
*/admin@REALM, where REALM is the realm of your primary security
server.
For example, to grant all permissions to every principal with the admin
instance that needs them, add the following entry to admin_acl_file:
*/admin@FINANCE.BAMBI.COM *
where:
*                   Denotes all principals
admin               Specifies the instance
FINANCE.BAMBI.COM   Denotes the realm name
*                   Denotes permissions
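
The following Python lint is an added example, not part of the HP manual. It applies the rules stated in this section to admin_acl_file entries and reports wildcard principals, * grants, r/R modifiers that * overrides, and uppercase (all-realm) letters. The function names and every sample entry except the first are constructed; it assumes one entry per line and does not interpret the individual letters of Table 8-2.

```python
import re

# Entry shape used in this section: principal@REALM [permissions]
ENTRY = re.compile(r"^(?P<name>[^@\s]+)@(?P<realm>\S+)(?:\s+(?P<perms>\S+))?$")

# Constructed sample; only the first entry appears in the manual text.
SAMPLE_ACL = """\
*/admin@FINANCE.BAMBI.COM *
ops/*@FINANCE.BAMBI.COM r*
alice/admin@FINANCE.BAMBI.COM eG
bob@FINANCE.BAMBI.COM
"""

def audit_entry(line):
    """Return (principal, findings) for one ACL entry line."""
    m = ENTRY.match(line.strip())
    if m is None:
        return line.strip(), ["unparsed: expected 'principal@REALM [permissions]'"]
    name, perms = m.group("name"), m.group("perms") or ""
    ident, _, inst = name.partition("/")
    findings = []
    if "*" in name:
        if ident == "*" and inst and "*" not in inst:
            findings.append(f"wildcard: every identifier with instance '{inst}'")
        elif inst == "*" and ident and "*" not in ident:
            findings.append(f"wildcard: every instance of identifier '{ident}'")
        else:
            findings.append("wildcard form is not */instance or identifier/*")
    if "*" in perms:
        findings.append("all permissions granted")
        # Per this section, * overrides the r and R switches.
        if "r" in perms or "R" in perms:
            findings.append("r/R modifier present but overridden by *")
    # Uppercase letters apply to all realms, lowercase only to the admin's own.
    upper = "".join(sorted({c for c in perms if c.isupper()}))
    if upper:
        findings.append(f"uppercase (all-realm) letters: {upper}")
    return f"{name}@{m.group('realm')}", findings

def audit(text):
    """Audit every non-blank line of an admin_acl_file body."""
    return [audit_entry(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for principal, findings in audit(SAMPLE_ACL):
        print(principal, "->", "; ".join(findings) or "no findings")
```

Entries that combine a wildcard principal with * are the ones to review first, since they grant every permission to a whole group of principals.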