User's Work Environment
Besides having a home directory to create and store files, users need
an environment that gives them access to the tools and resources they need
to do their work. When a user logs in to a system, the user's work environment
is determined by initialization files that are defined by the user's startup
shell, such as the C, Korn, or Bourne shell.
A good strategy for managing the user's work environment is to provide
customized user initialization files, such as .login, .cshrc, or .profile, in the user's home directory.
For detailed information about customizing user initialization files for users,
see Customizing a User's Work Environment. After you create the customized user
initialization files, you can add them to a user's home directory when you
create a new user account.
A recommended one-time task is to set up skeleton
directories on a server. You can use the same server where the user's home
directories are stored. The skeleton directories enable you to store customized
user initialization files for different types of users.
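The skeleton-directory strategy above, as an added example that is not from this guide: one function writes a skeleton directory holding initialization files for one type of user, and a second populates a new home directory from it the way useradd -k skel_dir does, without overwriting files that are already there and without leaving the copies group- or world-writable. The directory names and the contents of the initialization files are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide. Paths are assumptions.

# make_skel SKELDIR: create a skeleton directory for one type of user with
# a Bourne/Korn-shell .profile and C-shell .cshrc/.login. The defaults set
# a fixed PATH and a restrictive umask so new users start out conservative.
make_skel() {
    skel=$1
    mkdir -p "$skel" || return 1
    cat > "$skel/.profile" <<'EOF'
# Bourne/Korn shell initialization (skeleton copy)
PATH=/usr/bin:/usr/sbin:/usr/local/bin
export PATH
umask 027
EOF
    cat > "$skel/.cshrc" <<'EOF'
# C shell initialization (skeleton copy)
set path = (/usr/bin /usr/sbin /usr/local/bin)
umask 027
EOF
    cat > "$skel/.login" <<'EOF'
# C shell login-time initialization (skeleton copy)
stty erase '^H'
EOF
    chmod 644 "$skel/.profile" "$skel/.cshrc" "$skel/.login"
}

# install_skel SKELDIR HOMEDIR: copy every regular file in SKELDIR into
# HOMEDIR, creating HOMEDIR mode 0700. Files that already exist in HOMEDIR
# are left untouched, so rerunning on an existing home is safe. Each copy is
# forced to mode 0644 so a user cannot inherit a writable startup file from
# a mis-permissioned skeleton. Prints the path of every file installed.
# Run as root, follow up with: chown -R user:group HOMEDIR
install_skel() {
    skel=$1; home=$2
    [ -d "$skel" ] || { echo "no skeleton dir: $skel" >&2; return 1; }
    mkdir -p "$home" && chmod 700 "$home" || return 1
    for f in "$skel"/.[!.]* "$skel"/*; do
        [ -f "$f" ] || continue            # skip unmatched globs and subdirs
        dest="$home/$(basename "$f")"
        [ -e "$dest" ] && continue         # never clobber the user's own copy
        cp "$f" "$dest" && chmod 644 "$dest" || return 1
        echo "$dest"
    done
    return 0
}
```

A typical use is one skeleton per user type (for example engineers and students) under a directory on the home-directory server, with install_skel run once when the account is created; because existing files are skipped, the same call can also be used later to add a new initialization file to accounts that lack it.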
Note - Do not use system initialization files, such as /etc/profile or /etc/.login, to manage a user's work
environment, because they reside locally on systems and are not centrally
administered. For example, if AutoFS is used to mount the user's home directory
from any system on the network, you would have to modify the system initialization
files on each system to ensure a consistent environment when a user moved
from system to system.
Another way to customize user accounts is through role-based access
control. See "Role-Based Access Control (Overview)" in System Administration
Guide: Security Services for more information.
Guidelines for Managing Groups
A group is a collection of users who can share
files and other system resources. For example, a set of users that are working
on the same project could be formed into a group. A group is traditionally
known as a UNIX group.
Each group must have a name, a group identification (GID) number, and
a list of user names that belong to the group. A GID identifies the group
internally to the system. The two types of groups that a user can belong to
are:
Primary group - Specifies a group that the operating
system assigns to files created by the user. Each user must belong to a primary
group.
Secondary groups - Specifies one or more groups to which
a user also belongs. Users can belong to up to 15 secondary groups.
Sometimes a user's secondary groups do not matter. For example, the group
ownership of files that a user creates reflects the user's primary group, not any
secondary group. Other applications, however, might rely on a user's secondary
memberships. For example, a user has to be a member of the sysadmin group (group 14)
to use the Admintool software, but it doesn't matter whether group 14 is the
user's current primary group.
The groups command lists the groups that a user belongs
to. A user can have only one primary group at a time. However, a user can
temporarily change the user's primary group, with the newgrp
command, to any other group in which the user is a member.
When adding a user account, you must assign a primary group for the user
or accept the default group, staff (group 10). The primary
group should already exist. If the primary group does not exist, specify the
group by a GID number. User names are not listed as members of their primary
group in the group file; if they were, the member list might become too long.
Before you can assign users to a new secondary group, you must create the
group and assign it a GID number.
Groups can be local to a system or can be managed through a name service.
To simplify group administration, you should use a name service like NIS or
a directory service like LDAP, which enables you to centrally manage group
memberships.
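The primary/secondary distinction above, as an added example that is not part of this guide: a shell function resolves a user's groups from passwd(4)- and group(4)-style files the way the groups command does, taking the primary group from the GID field of the passwd entry (not from the group file's member list, where primary members are not listed) and the secondary groups from every group entry that names the user. A second function counts the secondary groups so the limit of 15 mentioned above can be checked before a user is added to yet another group. The passwd and group contents are constructed sample data, not real system files.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. Sample data is constructed.

# write_samples DIR: write a small passwd and group file to DIR.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh
bob:x:1002:100:Bob Example:/export/home/bob:/bin/csh
EOF
    cat > "$1/group" <<'EOF'
root::0:
sysadmin::14:alice
staff::10:
webdev::100:alice,bob
build::101:bob
EOF
}

# user_groups USER PASSWD_FILE GROUP_FILE
# Prints "<primary> <secondary...>" on one line; returns 1 if USER is unknown.
user_groups() {
    user=$1; pw=$2; gr=$3
    gid=$(awk -F: -v u="$user" '$1==u {print $4; exit}' "$pw")
    [ -n "$gid" ] || { echo "unknown user: $user" >&2; return 1; }
    # The primary group is the passwd GID field, whether or not the user
    # appears in that group's member list.
    primary=$(awk -F: -v g="$gid" '$3==g {print $1; exit}' "$gr")
    [ -n "$primary" ] || primary=$gid      # GID with no group entry: show the number
    # Secondary groups: every group entry whose member list names the user,
    # excluding the primary group so it is not counted twice.
    secondary=$(awk -F: -v u="$user" -v g="$gid" '
        $3!=g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }' "$gr")
    # Unquoted on purpose: word splitting joins the newline-separated names.
    echo $primary $secondary
}

# secondary_count USER PASSWD_FILE GROUP_FILE: number of secondary groups.
secondary_count() {
    out=$(user_groups "$1" "$2" "$3") || return 1
    set -- $out
    echo $(( $# - 1 ))
}

# check_group_limit USER PASSWD_FILE GROUP_FILE: returns 1 when the user
# already has the maximum of 15 secondary groups (MAX_SECONDARY) and so
# cannot be added to another one.
MAX_SECONDARY=15
check_group_limit() {
    n=$(secondary_count "$1" "$2" "$3") || return 1
    [ "$n" -lt "$MAX_SECONDARY" ]
}
```

Note that newgrp changes only the current primary group of a login session; it does not change the passwd entry, so user_groups keeps reporting the configured primary group.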
Tools for Managing User Accounts and Groups
The following table lists the recommended tools for managing users and
groups. These tools are all included in the Solaris Management Console suite
of tools. For information about starting and using the Solaris Management
Console, see Chapter 2, Working With the Solaris Management Console
(Tasks).
Table 4-4 Tools for Managing Users and Groups
Solaris Management Tool | Is Used To | Task Information |
Users | Manage users. | Solaris Management Console Online Help |
User Templates | Create a set of attributes for a specific kind of user like students, engineers, or instructors. | Solaris Management Console Online Help |
Rights | Manage RBAC rights. | Solaris Management Console Online Help |
Administrative Roles | Manage RBAC administrative roles. | Solaris Management Console Online Help |
Groups | Manage group information. | Solaris Management Console Online Help |
Projects | Manage project information. | Solaris Management Console Online Help |
Mailing Lists | Manage mailing lists. | Solaris Management Console Online Help |
For information on the Solaris management commands that can be used
to manage user accounts and groups if you are not using the Solaris Management
Console, see Table 1-6. These commands provide the
same functionality as the Solaris management tools, including authentication
and name service support.
What You Can Do With Solaris User Management Tools
The Solaris user management tools enable you to manage user accounts
on a local system or in a name service environment.
This table describes the tasks you can do with Users Tool's User Accounts
feature.
Table 4-5 User Account Management Tasks
Task | Description | Background Information |
Add a user | You can add a user to the local system or name service. | What Are User Accounts and Groups? and Guidelines for Managing User Accounts |
Create a user template | You can create a template of pre-defined user attributes for creating users of the same group, such as users, contractors, or engineers. | Same as above |
Add a user with a user template | You can add a user with a template so that user attributes are pre-defined. | Same as above |
Clone a user template | Clone a user template if you would like to use a similar set of pre-defined user attributes. Then, change only some of the attributes as needed. | Same as above |
Set up user properties | You can set up user properties in advance of adding users, such as whether a user template is used when adding a user and whether the home directory or mail box is deleted by default when removing a user. | Same as above |
Add multiple users | You can add multiple users to the local system or name service by specifying a text file, typing each name, or automatically generating a series of user names. | Same as above |
View or change user properties | You can view or change user properties like login shell, password, or password options. | Same as above |
Assign rights to users | You can assign rights to users that will allow them to perform specific administration tasks. | Same as above |
Remove a user | You can remove the user from the local system or the name service and optionally specify whether the user's home directory or mail is removed. The user is also removed from any groups or roles. | Same as above |
Table 4-6 User Rights Management Tasks
Task | Description | Background Information |
Grant a right | You can grant a user a right to run a specific command or application that was previously only available to an administrator. | "RBAC Rights Profiles" in System Administration Guide: Security Services |
View or change existing rights properties | You can view or change existing rights. | Same as above |
Add an authorization | You can add an authorization, which is a discrete right granted to a role or a user. | "RBAC Authorizations" in System Administration Guide: Security Services |
View or change an authorization | You can view or change existing authorizations. | Same as above |
Table 4-7 User Role Management Tasks
Task | Description | Background Information |
Add an administrative role | You can add a role that someone would use to perform a specific administrative task. | "RBAC Roles" in System Administration Guide: Security Services |
Assign rights to an administrative role | You can assign specific rights to a role that enable someone to perform a task. | Same as above |
Change an administrative role | You can add or remove rights from a role. | Same as above |
Table 4-8 Group Management Tasks
Task | Description | Background Information |
Add a group | Add a group to the local system or name service so that the group name is available before you add the user. | Guidelines for Managing Groups |
Add a user to a group | Add a user to a group if the user needs access to group-owned files. | Same as above |
Remove a user from a group | You can remove a user from a group if the user no longer requires group file access. | Same as above |
Table 4-9 Project Management Tasks
Task | Description | Background Information |
Create or clone a project | You can create a new project or clone an existing project if it has attributes similar to what you need for the new project. | Solaris Management Console online help |
Modify or view project attributes | You can view or change existing project attributes. | Solaris Management Console online help |
Delete a project | You can remove a project if it is no longer used. | Solaris Management Console online help |
Table 4-10 Mailing List Management Tasks
Task | Description | Background Information |
Create a mailing list | You can create a mailing list, which is a list of names for sending email messages. | Solaris Management Console online help |
Change a mailing list name | You can make changes to the mailing list after it is created. | Solaris Management Console online help |
Remove a mailing list | You can remove a mailing list if it is no longer used. | Solaris Management Console online help |
Managing Home Directories With the Solaris Management Console
Keep the following in mind when using the Solaris Management Console
tools to manage user home directories:
If you use the Users Tool's Add User Wizard to add a user
account and you specify the user's home directory as /export/home/username, the home directory is automatically
set up to be automounted, and the following entry is added to the passwd file:
The only way you can use Users Tool to set up a user account
that does not automount the home directory is to set up a user account template
that disables this feature. Then, you can add users with this template. There
is no way to disable this feature with the Add User Wizard.
You can use the smuser add command with
the -x autohome=N option to add a user without automounting
the user's home directory. However, there is no option to the smuser
delete command to remove the home directory after the user is added.
You would have to remove the user and the user's home directory with the Users
Tool.
Modify User Accounts
Unless you define a user name or UID number that conflicts with an existing
one, you should never need to modify a user account's login name or UID number.
Use the following steps if two user accounts have duplicate user names or
UID numbers:
If two user accounts have duplicate UID numbers, use the Users
Tool to remove one account and re-add it with a different UID number. You
cannot use the Users Tool to modify a UID number of an existing user account.
If two user accounts have duplicate user names, use the Users
Tool to modify one of the accounts and change the user name.
If you do use the Users Tool to change a user name, the home directory's
ownership is changed, if a home directory exists for the user.
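The duplicate-name and duplicate-UID conditions above can be found before they are fixed with a small audit of the passwd file, given here as an added example that is not from this guide. Duplicate UIDs deserve attention beyond tidiness: the kernel identifies a process owner by UID, so two entries with the same UID are the same identity for access-control purposes, and a second entry with UID 0 is a fully root-equivalent account. The passwd contents below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. Sample data is constructed.

# write_sample_passwd FILE: a passwd file with one duplicate UID (0) and
# one duplicate user name (alice).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
toor:x:0:1:Second root:/:/sbin/sh
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh
bob:x:1002:100:Bob Example:/export/home/bob:/bin/csh
alice:x:1003:10:Alice Duplicate:/export/home/alice2:/bin/sh
EOF
}

# dup_fields FIELD PASSWD_FILE: print every value of colon-separated field
# FIELD (1 = user name, 3 = UID) that occurs on more than one valid line,
# sorted so the output is stable.
dup_fields() {
    awk -F: -v f="$1" 'NF >= 7 { c[$f]++ }
        END { for (v in c) if (c[v] > 1) print v }' "$2" | sort
}
dup_uids()  { dup_fields 3 "$1"; }
dup_names() { dup_fields 1 "$1"; }

# passwd_audit PASSWD_FILE: report each duplicate UID (with the names that
# share it) and each duplicate user name on stderr. Returns 0 when the file
# is clean, 1 when anything was found. A shared UID 0 is called out
# explicitly because it is an extra root account.
passwd_audit() {
    rc=0
    for u in $(dup_uids "$1"); do
        names=$(awk -F: -v u="$u" '$3 == u { print $1 }' "$1" | tr '\n' ' ')
        if [ "$u" -eq 0 ]; then
            echo "duplicate UID 0 (root-equivalent accounts): $names" >&2
        else
            echo "duplicate UID $u: $names" >&2
        fi
        rc=1
    done
    for n in $(dup_names "$1"); do
        echo "duplicate user name: $n" >&2
        rc=1
    done
    return $rc
}
```

On a system that uses a name service, run the audit against the merged view (for example the output of getent passwd on systems that provide it) rather than /etc/passwd alone, since a local entry and a directory entry can share a UID without either file showing a duplicate by itself.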
One part of a user account that you can change is a user's group memberships.
Select Properties from Users Tool's Action menu to add or delete a user's
secondary groups. Alternatively, you can use the Groups Tool to directly modify
a group's member list.
You can also modify the following parts of a user account: