The following accounts provide permission to modify, maintain, and repair the Authentication Manager deployment. Quick Setup creates these accounts with information that you enter. If you plan to record the logon credentials for these accounts, be sure that the storage method and location are secure.
Authentication Manager Administrator Accounts
The following table lists the administrator accounts for Authentication Manager. The administrator who deploys the primary instance creates these accounts during Quick Setup.
Super Admin
Super Admins can perform all administrative tasks in the Security Console with full administrative permission in all security domains in the deployment.
Any Super Admin can create other Super Admin users in the Security Console. The Super Admin also creates the security domain hierarchy, and links identity sources to the deployment.
An Operations Console administrator can recover a Super Admin account if no Super Admin can access the system.
Operations Console administrator
Operations Console administrators can perform administrative tasks in the Operations Console. Operations Console administrators also use command line utilities to perform some procedures, such as recovering the Super Admin account. Command line utilities require the appliance operating system account password.
Some tasks in the Operations Console also require Super Admin credentials. Only Super Admins whose records are stored in the internal database are accepted by the Operations Console.
Any Super Admin can create and manage Operations Console administrators in the Security Console. Note that a lost Operations Console administrator password cannot be recovered; instead, a Super Admin can create a new Operations Console administrator account.
Operations Console administrator accounts are stored outside of the Authentication Manager internal database. This ensures that if the database becomes unreachable, an Operations Console administrator can still access the Operations Console and command line utilities.
User IDs for a Super Admin and a non-administrative user are validated in the same way. A valid User ID must be a unique identifier that uses 1 to 255 ASCII characters.
A valid User ID for an Operations Console administrator must be a unique identifier that uses 1 to 255 ASCII characters. The characters @ and ~ are not allowed, and spaces are not allowed.
Note: Create an Operations Console administrator account for each Operations Console user. Do not share account information, especially passwords, among multiple administrators.
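The User ID rules above are easy to get wrong when accounts are bulk-provisioned from a spreadsheet (non-ASCII names, trailing spaces, duplicates). The following Python validator is an added example, not RSA's code, that pre-checks a batch of proposed User IDs against the stated rules before anyone types them into the consoles. It assumes uniqueness is an exact, case-sensitive string comparison; whether Authentication Manager compares IDs case-insensitively is not stated on this page, and the sample batch is constructed for illustration.

```python
from typing import Dict, Iterable, List, Tuple

# Rules as stated on the page: every User ID is 1 to 255 ASCII characters;
# Operations Console administrator IDs additionally may not contain '@', '~' or spaces.
MAX_LEN = 255
OC_FORBIDDEN = set("@~ ")


def validate_user_id(user_id: str, operations_console: bool = False) -> List[str]:
    """Return the rule violations for one User ID; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(user_id) <= MAX_LEN:
        problems.append(f"length {len(user_id)} is outside 1-{MAX_LEN}")
    if not user_id.isascii():
        bad = sorted({c for c in user_id if ord(c) > 127})
        problems.append(f"non-ASCII characters present: {bad}")
    if operations_console:
        bad = sorted(OC_FORBIDDEN & set(user_id))
        if bad:
            problems.append(
                f"characters not allowed for Operations Console administrators: {bad}"
            )
    return problems


def check_unique(ids: Iterable[str]) -> List[str]:
    """Return each User ID that occurs more than once (exact match; assumption, see lead-in)."""
    seen, dupes = set(), []
    for uid in ids:
        if uid in seen and uid not in dupes:
            dupes.append(uid)
        seen.add(uid)
    return dupes


def validate_batch(batch: List[Tuple[str, bool]]) -> Dict[str, List[str]]:
    """Validate (user_id, is_operations_console_admin) pairs and flag duplicates.

    Returns a dict mapping each offending User ID to its list of problems;
    IDs that pass every rule do not appear in the result.
    """
    report: Dict[str, List[str]] = {}
    for uid, is_oc_admin in batch:
        problems = validate_user_id(uid, is_oc_admin)
        if problems:
            report.setdefault(uid, problems)
    for dup in check_unique(uid for uid, _ in batch):
        report.setdefault(dup, []).append("User ID is not unique within this batch")
    return report


# Constructed sample batch: (proposed User ID, True if it is for an Operations Console administrator)
SAMPLE_BATCH = [
    ("sa_jdoe", False),   # Super Admin, acceptable
    ("oc_jdoe", True),    # Operations Console administrator, acceptable
    ("oc admin", True),   # space: not allowed for Operations Console administrators
    ("ops@corp", True),   # '@': not allowed for Operations Console administrators
    ("sa@corp", False),   # '@' is only restricted for Operations Console administrators
    ("", False),          # empty ID
    ("x" * 256, False),   # one character over the limit
    ("jösé", False),      # non-ASCII
    ("sa_jdoe", False),   # duplicate of the first entry
]

if __name__ == "__main__":
    for uid, problems in validate_batch(SAMPLE_BATCH).items():
        print(f"{uid[:20]!r}: {'; '.join(problems)}")
```

Run the module directly to see the report for the constructed batch; in practice you would feed it the User ID column of your provisioning list and resolve every reported entry before creating the accounts in the Security Console.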
Appliance Operating System Account
The appliance operating system account User ID is rsaadmin. This User ID cannot be changed. You specify the operating system account password during Quick Setup. You use this account to access the operating system when you perform advanced maintenance or troubleshooting tasks. The rsaadmin account is a privileged account to which access should be strictly limited and audited. Individuals who know the rsaadmin password and who are logged on as rsaadmin have sudo privileges and shell access.
Every appliance also has a root user account. This account is not needed for normal tasks. You cannot use this account to log on to the appliance.
You can access the operating system with Secure Shell (SSH) on a hardware appliance or a virtual appliance. Before you can access the appliance operating system through SSH, you must use the Operations Console to enable SSH on the appliance.
For instructions, see Enable Secure Shell on the Appliance.
On a virtual appliance, you can access the appliance operating system with the VMware vSphere Client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.
An Operations Console administrator can change the password of the operating system account, rsaadmin, in the Operations Console.
RSA does not provide a utility to recover the operating system password.