Server Farm Account Management
Server Farm Account Management (SFAM) centrally manages Unix users and access rights across the CIT server farm.
This article applies to: Managed Servers
Server Farm Account Management (SFAM) is the method for centrally managing Unix users and access rights across the CIT server farm. The simplified account structure employs user Roles and server Classes to streamline authorization.
Roles and Classes
Roles are used to assign access rights and sudo privileges to users with similar job functions. Instead of giving a user access to hosts A, B, and C, we determine what function that user is performing and craft a role (or multiple roles) to encapsulate that function, for example PeopleSoft DBA or NetVigil Administrator. The benefit of assigning roles comes when other users need to be added to an existing job function.
Note: Users can be added to systems without putting them into Roles. Use Roles, where possible, to simplify management of multiple systems.
To see which roles your system is in, look at Centralized Unix Configuration Information System.
Uses for classes:
Mapping Roles to classes: Allows you to take a group of servers, and assign roles (groups of people) to them.
Example: “Assign everyone in the DBA role to all servers in the DatabaseServers class.”
Assigning configuration changes to classes: If a particular configuration file is managed by the CFEngine management system, system configurations can be applied to a class of servers.
Example: “Open port 80 and 443 to the world on all servers in the MyWebServer Class."
- Note: Not all system configuration files are managed by cfengine. Look at the Centralized Unix Configuration Information System to see which files are presently under cfengine control. If there are additional files you would prefer to have centrally managed, send an email to firstname.lastname@example.org.
Note: Even if a system is in a class, you can still assign userids or local configuration changes to individual servers. Use classes where possible.
To see which classes your system is in, look at our Centralized Unix Configuration Information System.
Accounts in Server Farm SFAM include the following.
- Interactive accounts with login, shell, and possibly sudo access.
- No shared access; each account is either a NetID or a vendor account tied back to a particular person.
File Transfer ID Accounts
For transferring files between machines. Not used to execute commands.
- Access allowed via FTP, Microsoft File Sharing (SAMBA), SCP/SFTP
- No interactive (shell) access. No sudo. Process should not run under these IDs.
- Password or SSH keys likely to be shared knowledge or hard-coded into applications.
Holding ID Accounts
Used to run processes and commands on a local machine. No remote access.
- No direct login allowed. These accounts have no passwords and should not have SSH keys.
- Users can "sudo su" to Holding ID accounts if temporary interactive access is needed.
- Password-less sudo may be granted to these users for limited commands.
- Processes are typically run under these accounts (Apache, MySQL, SourceForge, etc.).
Marshaling ID Accounts
For administrative purposes to manage a small group of machines.
- Restricted to certain machines.
- No direct login allowed.
- No passwords. Access is SSH-key based, controlled by CF Engine.
- Sudo rights are on a per command basis.
- Should not perform the functions of a file transfer ID or a holding ID.
To request accounts: