Configure user access
During WebSEAL installation, the WebSEAL configuration process automatically creates several groups for use by the switch user functionality. The WebSEAL administrator controls switch user capability by adding users to the groups.
To configure user access, complete the following steps:
Steps
- Add users to the su-admins group.
To use switch user function, a user must be a member of a special administrative group called su-admins. This group is automatically created by default during installation of a WebSEAL server. There are no users in this group by default. The WebSEAL administrator must manually add users to this group. Typically, only administrative users are added to this group.
Users who have been granted membership in su-admins can switch user to most other user identities, but cannot switch to the identity of any other user that is also a member of the su-admins group. Therefore, as soon as an administrator is granted switch user privileges by being added to su-admins, the administrator's account is protected from access by any other user that gains switch user privileges.
- Add users to the su-excluded group.
This group contains the names of users whose identities must not be accessed through the switch user capability. During WebSEAL installation, the WebSEAL configuration process automatically creates this group. There are no users in this group by default. A WebSEAL administrator typically adds to this group the names of users who are not members of the administrative group su-admins (members of su-admins are already protected), but for whom switch user access should still be blocked.
When switch user is used, WebSEAL also checks the memberships of the ISAM group called securitygroup. This group contains the name of the ISAM administrative user sec_master, plus a number of WebSEAL processes that must be excluded from access through switch user capability.
The securitygroup group is automatically created by default during installation of a WebSEAL server. The following identities are automatically added to this group during installation:
- sec_master — the ISAM administrator
- acld — the ISAM authorization server daemon
- webseald — the WebSEAL daemon
WebSEAL administrators should not add any users to the securitygroup group. To control user access to switch user, use either su-admins or su-excluded.
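The following shell script is an added example and is not part of the IBM WebSEAL documentation or product. It models the access rule the steps above describe (a member of su-admins may switch to any identity that is not in su-admins, su-excluded or securitygroup) against constructed sample group memberships, which stand in for the output of pdadmin group show-members, and it includes the check an administrator would run to confirm that securitygroup still holds only the three install-time identities. The user names admin1, admin2, alice, svc_backup and auditor are constructed, and the password placeholder in the printed pdadmin command lines is an assumption to be replaced with the sec_master password.

```shell
#!/bin/sh
# Added example, not IBM code: models the WebSEAL switch user access rule.
# Group memberships below are constructed sample data standing in for:
#   pdadmin -a sec_master -p <password> group show-members <group>

SU_ADMINS="admin1 admin2"                 # constructed sample members
SU_EXCLUDED="svc_backup auditor"          # constructed sample members
SECURITYGROUP="sec_master acld webseald"  # identities added at install time

# in_list LIST NAME: succeeds if NAME is one of the space-separated words in LIST.
in_list() {
  for m in $1; do
    if [ "$m" = "$2" ]; then return 0; fi
  done
  return 1
}

# su_allowed FROM TO: succeeds only if FROM may switch user to TO.
# FROM must be in su-admins; TO must not be in su-admins, su-excluded
# or securitygroup. Prints the reason for a denial.
su_allowed() {
  if ! in_list "$SU_ADMINS" "$1"; then
    echo "deny: $1 is not a member of su-admins"; return 1
  fi
  if in_list "$SU_ADMINS" "$2"; then
    echo "deny: $2 is a member of su-admins"; return 1
  fi
  if in_list "$SU_EXCLUDED" "$2"; then
    echo "deny: $2 is a member of su-excluded"; return 1
  fi
  if in_list "$SECURITYGROUP" "$2"; then
    echo "deny: $2 is a member of securitygroup"; return 1
  fi
  echo "allow: $1 -> $2"
  return 0
}

# securitygroup_is_pristine [LIST]: succeeds if the securitygroup membership
# (LIST, or the sample above) holds only sec_master, acld and webseald.
# Any other member is reported, since administrators must not add users here.
securitygroup_is_pristine() {
  members=${1:-$SECURITYGROUP}
  rc=0
  for m in $members; do
    case "$m" in
      sec_master|acld|webseald) ;;
      *) echo "unexpected member of securitygroup: $m"; rc=1 ;;
    esac
  done
  return $rc
}

# pdadmin_grant USER / pdadmin_block USER: print the pdadmin command that
# grants switch user privilege (su-admins) or blocks access to USER's
# identity (su-excluded). <password> is a placeholder (assumption).
pdadmin_grant() {
  echo "pdadmin -a sec_master -p <password> group modify su-admins add $1"
}
pdadmin_block() {
  echo "pdadmin -a sec_master -p <password> group modify su-excluded add $1"
}

# Stand-alone demonstration against the sample data.
su_allowed admin1 alice
su_allowed admin1 admin2 || :
su_allowed admin1 sec_master || :
su_allowed admin1 auditor || :
su_allowed alice admin1 || :
securitygroup_is_pristine && echo "securitygroup unchanged"
pdadmin_grant alice
pdadmin_block svc_backup
```

After changing memberships on a real server, re-run the three group show-members commands and feed the results to su_allowed to confirm the intended switches are allowed and the administrative identities are denied.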
Parent topic: Configuration of switch user authentication