
Cornell University

Server Farm Account Management

Server Farm Account Management (SFAM) centrally manages Linux users and access rights across the CIT Managed Server environment.

This article applies to: Managed Servers


Server Farm Account Management (SFAM) is the method for centrally managing Linux users and access rights across the CIT Managed Server environment. The simplified account structure employs user Roles and server Classes to streamline authorization.

Roles and Classes

Roles are used to assign access rights and sudo privileges to users with similar job functions. Instead of giving a user access to hosts A, B, and C, we determine what job function that user is performing and craft a role (or multiple roles) to encapsulate that function, for example Database Administrator or Web Site Administrator. The benefit of organizing access rights and permissions into roles is realized when a team brings other users into the same job function.

Note: Users can be added to systems without putting them into Roles. Use Roles, where possible, to simplify management of multiple systems.

To see which roles your system is in, please see the Centralized Unix Configuration Information System.

Classes are groupings of servers. Classes are assigned to servers based on the services they offer and which sets of users require access. A server may be mapped to multiple classes.

Uses for classes:

  • Mapping Roles to Classes: Allows you to take a group of servers, and assign roles (groups of people) to them. Example: “Assign everyone in the DBA role to all servers in the DatabaseServers class.”
  • Assigning configuration changes to classes: If a particular configuration file is managed by the CFEngine management system, system configurations can be applied to a class of servers. Example: “Open port 80 and 443 to the world on all servers in the MyWebServer Class.”
  • Note: Not all system configuration files are managed by CFEngine. Look at the Centralized Unix Configuration Information System to see which files are presently under CFEngine control. If there are additional files you would prefer to have centrally managed, send a request to systems-support@cornell.edu.

Note: Even if a system is in a class, you can still assign userids or local configuration changes to individual servers. Use classes where possible.

To see which classes your system is in, look at our Centralized Unix Configuration Information System.
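The role and class structure above is easiest to reason about as a small data model: users are placed in roles, roles are mapped to classes, classes contain hosts, and a user's effective access on a host is the union of the sudo rights of every role that reaches it. The block below is an added illustration of that resolution, not SFAM or CFEngine code; the page does not show SFAM's internal format, so the role, class, host and NetID names and the sudo commands are constructed assumptions. It also includes the two reverse lookups an access review needs: who can reach a given host and through which role, and which users have only per-host exceptions and so are candidates for being moved into a role.

```python
"""Toy model of the SFAM authorization structure: users -> roles -> classes -> hosts.

Added example, not SFAM or CFEngine code. All names below are constructed
assumptions for illustration.
"""

# Roles bundle a job function with its sudo privileges (hypothetical commands).
ROLE_SUDO = {
    "DBA": {"/usr/bin/systemctl restart mysql", "/usr/bin/mysqladmin"},
    "WebAdmin": {"/usr/bin/systemctl reload nginx"},
}

# Classes group servers by service; a server may sit in more than one class.
CLASS_HOSTS = {
    "DatabaseServers": {"db1.example.edu", "db2.example.edu"},
    "MyWebServer": {"web1.example.edu", "db2.example.edu"},  # db2 is in both
}

# Role-to-class mappings ("assign everyone in DBA to all DatabaseServers").
ROLE_CLASSES = {"DBA": {"DatabaseServers"}, "WebAdmin": {"MyWebServer"}}

# User-to-role assignments (NetIDs are constructed placeholders).
USER_ROLES = {"abc123": {"DBA"}, "xyz789": {"DBA", "WebAdmin"}}

# Per-host exceptions: a user added directly to one server, outside any role.
HOST_USERS = {"web1.example.edu": {"jkl456"}}


def effective_access(user):
    """Map each host the user may log in to -> the sudo commands allowed there."""
    access = {}
    for role in USER_ROLES.get(user, ()):
        for cls in ROLE_CLASSES.get(role, ()):
            for host in CLASS_HOSTS.get(cls, ()):
                access.setdefault(host, set()).update(ROLE_SUDO.get(role, set()))
    for host, users in HOST_USERS.items():
        if user in users:
            # Direct assignment grants login only; sudo comes from roles.
            access.setdefault(host, set())
    return access


def can_sudo(user, host, command):
    """True if some role reaching this host grants the user that sudo command."""
    return command in effective_access(user).get(host, set())


def host_review(host):
    """Reverse lookup for an access review: who can reach this host, and how."""
    grants = {}
    for user, roles in USER_ROLES.items():
        for role in roles:
            if any(host in CLASS_HOSTS.get(cls, ()) for cls in ROLE_CLASSES.get(role, ())):
                grants.setdefault(user, set()).add(f"role:{role}")
    for user in HOST_USERS.get(host, ()):
        grants.setdefault(user, set()).add("direct")
    return grants


def direct_only_users():
    """Users reachable only through per-host exceptions: candidates for a role."""
    in_roles = {u for u, roles in USER_ROLES.items() if roles}
    direct = {u for users in HOST_USERS.values() for u in users}
    return sorted(direct - in_roles)


if __name__ == "__main__":
    for user in ("abc123", "xyz789", "jkl456"):
        print(user, effective_access(user))
    print("db2 review:", host_review("db2.example.edu"))
    print("direct-only users:", direct_only_users())
```

Note how `db2.example.edu` sits in both classes, so a user in both the DBA and WebAdmin roles accumulates the sudo rights of both roles there; that union across overlapping classes is exactly what an access review should check host by host rather than role by role.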

Accounts

The following account types are available in Server Farm Account Management (SFAM).

User Accounts

  • Interactive accounts with login, shell, and possibly sudo access.
  • No shared access; each account is either a NetID or a vendor account tied back to a particular person.

File Transfer ID Accounts

For transferring files between machines. Not used to execute commands.

  • Access allowed via FTP, SCP/SFTP
  • No interactive (shell) access. No sudo. Processes should not run under these IDs.
  • Password or SSH keys likely to be shared knowledge or hard-coded into applications.

Holding ID Accounts

Used to run processes and commands on a local machine. No remote access.

  • No direct login allowed. These accounts have no usable passwords and do not support login via SSH keys.
  • Users can “sudo su” to Holding ID accounts if temporary interactive access is needed.
  • Password-less sudo may be granted to these users for limited commands.
  • Daemons and processes are typically run under these accounts (Apache, MySQL, NGINX, etc.).

Marshaling ID Accounts

For administrative purposes to manage a small group of machines.

  • Restricted to a defined set of source/destination targets within the Managed Server environment.
  • No direct login allowed.
  • No usable passwords. Access to target systems is SSH-key based, controlled by CFEngine.
  • Sudo rights are on a per command basis.
  • Should not be used to perform the functions of a File Transfer ID or a Holding ID.
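The four account types above each come with constraints that can be checked mechanically against a server's local account records: a File Transfer ID must not have an interactive shell or sudo rights, a Holding ID must have no usable password and no SSH-key login and only command-limited sudo, and a Marshaling ID must have no usable password and per-command sudo. The block below is an added audit example, not SFAM tooling: the mapping from account name to account type, the sample `/etc/passwd`, `/etc/shadow` and sudoers lines, the set of accounts holding an `authorized_keys` file, and the list of non-interactive shells are all constructed assumptions.

```python
"""Audit local account records against the SFAM account-type rules.

Added example, not SFAM tooling. The account-type registry, the sample
records and the set of non-interactive shells are constructed assumptions.
"""
import re

# Assumed registry: which SFAM account type each local account is declared as.
ACCOUNT_TYPES = {
    "jdoe1": "user",
    "xferapp": "file_transfer",
    "webapp": "holding",
    "oldxfer": "file_transfer",
    "marsh": "marshaling",
}

# Constructed sample records in /etc/passwd, /etc/shadow and sudoers syntax.
PASSWD = """\
jdoe1:x:1001:1001:Jane Doe:/home/jdoe1:/bin/bash
xferapp:x:1002:1002:file transfer id:/srv/xfer:/usr/sbin/nologin
webapp:x:1003:1003:holding id:/var/www:/usr/sbin/nologin
oldxfer:x:1004:1004:file transfer id:/srv/old:/bin/bash
marsh:x:1005:1005:marshaling id:/home/marsh:/bin/bash
"""
SHADOW = """\
jdoe1:$6$salt$hash1:19000:0:99999:7:::
xferapp:$6$salt$hash2:19000:0:99999:7:::
webapp:!:19000:0:99999:7:::
oldxfer:$6$salt$hash3:19000:0:99999:7:::
marsh:*:19000:0:99999:7:::
"""
SUDOERS = """\
jdoe1 ALL=(ALL) ALL
webapp ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
oldxfer ALL=(ALL) NOPASSWD: ALL
marsh ALL=(root) /usr/sbin/service httpd restart, /usr/bin/yum update
"""
# Accounts assumed to have a non-empty ~/.ssh/authorized_keys.
SSH_KEY_HOLDERS = {"jdoe1", "marsh", "webapp"}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# user HOST=(runas) [NOPASSWD:] cmd1, cmd2 ...
SUDO_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:NOPASSWD|PASSWD):\s*)?(.+)$")


def parse_passwd(text):
    """Return {account: login shell}."""
    shells = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _uid, _gid, _gecos, _home, shell = line.split(":")
            shells[name] = shell
    return shells


def parse_shadow(text):
    """Return {account: True if the password is locked or disabled}."""
    locked = {}
    for line in text.splitlines():
        if line.strip():
            name, hashfield = line.split(":")[:2]
            locked[name] = hashfield.startswith(("!", "*"))
    return locked


def parse_sudoers(text):
    """Return {account: [{"nopasswd": bool, "commands": [...]}, ...]}."""
    rules = {}
    for line in text.splitlines():
        m = SUDO_RE.match(line.strip())
        if m:
            user, tag, cmds = m.groups()
            rules.setdefault(user, []).append({
                "nopasswd": bool(tag) and tag.startswith("NOPASSWD"),
                "commands": [c.strip() for c in cmds.split(",")],
            })
    return rules


def audit(passwd=PASSWD, shadow=SHADOW, sudoers=SUDOERS,
          types=ACCOUNT_TYPES, key_holders=SSH_KEY_HOLDERS):
    """Return a list of (account, finding) pairs for records that break the rules."""
    shells, locked, rules = parse_passwd(passwd), parse_shadow(shadow), parse_sudoers(sudoers)
    findings = []
    for name, kind in types.items():
        shell = shells.get(name)
        has_sudo = name in rules
        unrestricted = any("ALL" in r["commands"] for r in rules.get(name, []))
        if kind == "file_transfer":
            if shell not in NOLOGIN_SHELLS:
                findings.append((name, f"file transfer ID has interactive shell {shell}"))
            if has_sudo:
                findings.append((name, "file transfer ID must not have sudo"))
        elif kind == "holding":
            if not locked.get(name, False):
                findings.append((name, "holding ID must have no usable password"))
            if name in key_holders:
                findings.append((name, "holding ID must not accept SSH-key login"))
            if shell not in NOLOGIN_SHELLS:
                findings.append((name, f"holding ID has interactive shell {shell}"))
            if unrestricted:
                findings.append((name, "holding ID sudo must be limited to specific commands"))
        elif kind == "marshaling":
            if not locked.get(name, False):
                findings.append((name, "marshaling ID must have no usable password"))
            if unrestricted:
                findings.append((name, "marshaling ID sudo must be per command"))
    return findings


if __name__ == "__main__":
    for account, finding in audit():
        print(f"{account}: {finding}")
```

On the constructed data the audit flags `oldxfer` twice (interactive shell and `NOPASSWD: ALL` on a File Transfer ID) and `webapp` once (an `authorized_keys` file on a Holding ID), while the User, the compliant File Transfer ID and the Marshaling ID with a locked password and command-specific sudo pass. A real run would read the files from the host and take the account-type registry from wherever the site records it.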

To request accounts:
