Thanks Michael, the information was very informative. (really helps
transitioning from raq4 to bluequartz)
--- Michael Stauber <bq (at mark) solarspeed.net> wrote:
> Hi Mike,
>
> > Where/how do I put a .htaccess file to limit access to Admin/Site
> > administrator of the main server and specific site/s? (something similar
> > to /etc/hosts.allow and hosts.deny to filter ssh services, etc.) Does
> > anyone here do something similar but with different methods?
>
> That is not necessary on BlueQuartz. The GUI handles this already by itself
> and all GUI pages have checks in them to make sure that they only are
> accessible by users with the right privileges.
>
> Users must exist in the PAM database (or must be identifiable through PAM)
> and must be recorded in CODB to be able to use the GUI. The level of access a
> user may have is stored in CODB for each user and privilege levels are
> defined through grantable "capabilities".
>
> Typical grantable capabilities on a BlueQuartz are:
>
> modifyEmail
> modifySnmp
> modifyFtp
> modifyServerSWUpdate
> destroySWUpdateServer
> destroyPackage
> createPackage
> modifyTelnet
> siteAdmin
> modifyAsp
> modifyPackage
> modifyArkeia
> modifySystemTime
> modifyNetBackup
> siteFrontpage
> modifyHttpd
> adminBlueLinq
> ipPooling
> controlPower
> scanDetection
> siteAnonFTP
> createSWUpdateServer
> serverBackup
> dnsAdmin
> siteSSL
> systemMonitor
> modifyDNS
> webServices
> adminUser
> overflow
> networkServices
> modifyJava
> modifyNetWorker
> modifySWUpdateServer
> siteShell
> serverConfig
>
> On BlueQuartz you have up to four levels of privilege groups, or users of
> four different privilege classes:
>
> Regular user: Has only access to "Personal Profile" to modify his email
> settings (forwarder, auto-responder), password and GUI settings.
>
> SiteAdmin: Has access to the user management of his site, can access his
> site's settings read only, has access to the statistics of his site and may
> (optionally) modify the DNS records of his site.
>
> Extra-Admin: May manage the server with (almost) equal privileges to
> user "admin". Can be granted the power to reboot, to allocate IPs and may
> have optional "root" shell access.
>
> Admin: Can use any feature of the GUI and can use "root" shell access without
> jumping through loops.
>
> Based on which privilege class a user belongs to the more "capabilities" from
> the above list he has. Admin has access to all capabilities, Extra-Admin has
> almost all, siteAdmins have a few (but are restricted to the site they
> belong to) and a regular user has the least.
>
> The powers of regular users and siteAdmins are quite limited and the GUI is
> very resilient to not disclose information to users which they're not supposed
> to see. So a user cannot access stuff of other users and siteAdmins can see
> only stuff of their own site, but not that of any other site or of any user
> not belonging to their site.
>
> --
> With best regards,
>
> Michael Stauber