Skip to main content

Server Farm Account Management

Server Farm Account Management (SFAM) centrally manages Unix users and access rights across the CIT server farm.

This article applies to: Managed Servers


Server Farm Account Management (SFAM) is the method for centrally managing Unix users and access rights across the CIT server farm. The simplified account structure employs user Roles and server Classes to streamline authorization.

Roles and Classes

Roles are used to assign access rights and sudo privileges to users with similar job functions. Instead of giving a user access to hosts A, B, and C, we determine what function that user is performing and craft a role (or multiple roles) to encapsulate that function, for example PeopleSoft DBA or NetVigil Administrator. The benefit of assigning roles comes when other users need to be added to an existing job function. 

Note: Users can be added to systems without putting them into Roles. Use Roles, where possible, to simplify management of multiple systems.

To see which roles your system is in, look at Centralized Unix Configuration Information System.

Classes are groups of servers. Classes are assigned to servers based on what the servers do and what people need to do on the servers. A server may be in more than one class.

Uses for classes:

  • Mapping Roles to classes: Allows you to take a group of servers, and assign roles (groups of people) to them.
    Example: “Assign everyone in the DBA role to all servers in the DatabaseServers class.”
  • Assigning configuration changes to classes: If a particular configuration file is managed by the CFEngine management system, system configurations can be applied to a class of servers.
    Example: “Open port 80 and 443 to the world on all servers in the MyWebServer Class."
  • Note: Not all system configuration files are managed by cfengine. Look at the Centralized Unix Configuration Information System to see which files are presently under cfengine control. If there are additional files you would prefer to have centrally managed, send an email to systems-support@cornell.edu.

Note: Even if a system is in a class, you can still assign userids or local configuration changes to individual servers. Use classes where possible.

To see which classes your system is in, look at our Centralized Unix Configuration Information System.

Accounts

Accounts in Server Farm SFAM include the following.

User Accounts

  • Interactive accounts with login, shell, and possibly sudo access.
  • No shared access; each account is either a NetID or a vendor account tied back to a particular person.

File Transfer ID Accounts

For transferring files between machines. Not used to execute commands.

  • Access allowed via FTP, Microsoft File Sharing (SAMBA), SCP/SFTP
  • No interactive (shell) access. No sudo. Process should not run under these IDs.
  • Password or SSH keys likely to be shared knowledge or hard-coded into applications.

Holding ID Accounts

Used to run processes and commands on a local machine. No remote access.

  • No direct login allowed. These accounts have no passwords and should not have SSH keys.
  • Users can "sudo su" to Holding ID accounts if temporary interactive access is needed.
  • Password-less sudo may be granted to these users for limited commands.
  • Processes are typically run under these accounts (Apache, MySQL, SourceForge, etc.).

Marshaling ID Accounts

For administrative purposes to manage a small group of machines.

  • Restricted to certain machines.
  • No direct login allowed.
  • No passwords. Access is SSH-key based, controlled by CF Engine.
  • Sudo rights are on a per command basis.
  • Should not perform the functions of a file transfer ID or a holding ID.

To request accounts:

Was this page helpful?

Your feedback helps improve the site.

Comments?