Creating a Restricted SAM

Prepared by Peggy Bruehl 4/30/97
In HP-UX 10.2, you can create a mini version of SAM that non-root users can run. This mini version of SAM is called a restricted SAM. It can be configured to allow certain users on your system the privilege to run some of the SAM commands. Ordinarily only user root can run SAM. With restricted SAM, any user can be set up to run certain parts of SAM.

For example, you might choose to configure a restricted SAM so that some users on your system can make their own backup tapes. Or, you may choose to allow some users the right to reboot the system. However you configure the restricted SAM, please be aware that once a user has been given the privilege to run a SAM function, that function will execute with root permission. So, please be cautious when configuring the privileges.

Privileges may be handed out on a per-user or per-group basis. You can choose to give all users a set of basic privileges. For some users, such as ldm or gempak, you can configure extra privileges. You can make this system as complicated or as simple as you need it to be. Once a user has been given restricted SAM privileges, all he or she has to do is simply run SAM with the command /usr/sbin/sam, and the restricted SAM interface configured for that user will appear on the screen. If you add the path /usr/sbin to the user's PATH statement, the user will only have to type sam.

Let's configure a restricted SAM for a user on your system:

  1. To start the configuration, as root, run the command /usr/sbin/sam -r. This command will start the Restricted SAM Builder which consists of two windows, the Restricted SAM Builder and the Load Privileges windows.

  2. Now select those users to whom you'd like to give certain SAM privileges, for example user gempak. Highlight the user name or names. Also, highlight the default template in the lower window. This will read in the default template that defines which SAM privileges your user or users can have. Then press OK.

  3. Now control will transfer to the Restricted SAM Builder window. This window shows the defaults for defining the restricted SAM privileges. You'll notice that the SAM icons have different colors. Red means that by default no permissions in this category are granted to the users. Yellow means that some permissions in this category are granted. Green means that all permissions are granted. You are free to change any of these permissions to fit your specifications.

    For example, look at the Backup and Recovery icon. It is green, which means that the default template gives all the backup & recovery privileges to the user. Double click on this icon. The next screen tells you that the user has privileges to do both interactive backup & recovery and automated backups. You may not want to allow your users to change the automated backup schedule, but you do want to allow them to back up and recover their own files. So, to turn OFF the automated backup privileges, single click on the icon to highlight it and use the Actions pull down menu to disable this function.

  4. You should go through each green and yellow icon in the Restricted SAM Builder window to make sure that you really want to give your users the privileges in the default template. For example, it may be a good idea to allow your users to shut down the system (under Routine Tasks), but you may not want to allow them to remove files or unused software. You may also go through the red icons and enable privileges that you feel are necessary. Remember, however, that the restricted SAM window will run with root privileges, so please be careful how much you allow your users to do.

  5. Once you have customized the privileges for this user or users, you must save them. Go back to the top level and use the Actions pull down menu to Save Privileges.... This will pop up the list of users again. The user or users you highlighted at the first window should still be highlighted. This is your chance to add or remove users that will be granted these privileges. When you've verified that all the intended users have been highlighted, press the OK button. SAM will report that the privileges have been saved.

  6. Now you can continue and configure privileges for other users, or you can exit the Restricted SAM Builder. You can always go back and change the configurations you just made. Simply restart the Restricted SAM Builder (/usr/sbin/sam -r), select the user or users you'd like to change the configuration for, and press OK. This will bring you back to the Restricted SAM Builder window again.
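Because every restricted SAM function runs as root, it is worth checking periodically which logins still hold a saved privilege set, especially after accounts are removed. The following audit script is an added example and is not part of these notes or of HP-UX itself. It assumes that the Restricted SAM Builder saves one privilege file per login under /etc/sam/custom, named <login>.cf (for example /etc/sam/custom/gempak.cf); if your system stores them elsewhere, pass the directory and passwd file as arguments. It lists every login that has a privilege file and flags any whose login no longer appears in the passwd file, since a leftover file would quietly hand root-level SAM functions to whoever is later given that login name.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumption: restricted SAM
# stores per-user privilege files as <dir>/<login>.cf, default dir /etc/sam/custom.
# Usage: audit_restricted_sam [custom_dir] [passwd_file]
# Prints "OK <login>" for a live account, "STALE <login> ..." for a file whose
# login is gone from the passwd file.
audit_restricted_sam() {
    custom_dir=${1:-/etc/sam/custom}
    passwd_file=${2:-/etc/passwd}

    if [ ! -d "$custom_dir" ]; then
        echo "no $custom_dir: no restricted SAM privilege files found"
        return 0
    fi

    for f in "$custom_dir"/*.cf; do
        [ -f "$f" ] || continue            # no *.cf files at all
        login=$(basename "$f" .cf)
        # Exact match on the login field (field 1) of the passwd file.
        if awk -F: -v u="$login" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
            echo "OK      $login"
        else
            echo "STALE   $login (no passwd entry; remove $f)"
        fi
    done
}

# Stand-alone run: audit the live system when executed directly as a script.
if [ "${0##*/}" = "audit_restricted_sam.sh" ]; then
    audit_restricted_sam "$@"
fi
```

Run it as root from time to time (or from cron) and remove any STALE file; a login listed as OK should match the set of users you deliberately granted privileges to in the Builder.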