The following accounts provide permission to modify, maintain, and repair the Authentication Manager deployment. Quick Setup creates these accounts with information that you enter. If you plan to record the logon credentials for these accounts, be sure that the storage method and location are secure.
The following table lists the administrator accounts for Authentication Manager. The administrator who deploys the primary instance creates these accounts during Quick Setup.
Super Admins can perform all administrative tasks in the Security Console with full administrative permission in all security domains in the deployment.
Any Super Admin can create other Super Admin users in the Security Console. The Super Admin also creates the security domain hierarchy, and links identity sources to the deployment.
An Operations Console administrator can recover a Super Admin account if no Super Admin can access the system.
Operations Console administrator
Operations Console administrators can perform administrative tasks in the Operations Console. Operations Console administrators also use command line utilities to perform some procedures, such as recovering the Super Admin account. Command line utilities require the appliance operating system account password.
Some tasks in the Operations Console also require Super Admin credentials. Only Super Admins whose records are stored in the internal database are accepted by the Operations Console.
Any Super Admin can create and manage Operations Console administrators in the Security Console. For example, you cannot recover a lost Operations Console administrator password, but a Super Admin can create a new one.
Operations Console administrator accounts are stored outside of the Authentication Manager internal database. This ensures that if the database becomes unreachable, an Operations Console administrator can still access the Operations Console and command line utilities.
User IDs for a Super Admin and a non-administrative user are validated in the same way. A valid User ID must be a unique identifier that uses 1 to 255 ASCII characters.
A valid User ID for an Operations Console administrator must be a unique identifier that uses 1 to 255 ASCII characters. The characters @ ~ are not allowed, and spaces are not allowed.
RSA recommends the following best practices for administrative accounts:
Create a separate administrative account for each administrator, for example, create a separate Operations Console administrator account for each Operations Console user. Do not share account information, especially passwords, among multiple administrators.
RSA does not recommend associating administrative roles with external LDAP or Active Directory user accounts. Use separate administrative accounts with their own credentials for external identity source administrators and Authentication Manager administrators.
If you have multiple administrators, restrict the scope and permissions of Authentication Manager administrative accounts, and restrict access by dividing your deployment into security domains. Separation of privileges is especially important if you are using LDAP or Active Directory users as administrators.
If administrative roles in Authentication Manager are associated with an external LDAP account, a specific role. with appropriate limiting controls, should be used. For instructions, see Administrative Role Scope and Permissions.
The appliance operating system account User ID is rsaadmin. This User ID cannot be changed. You specify the operating system account password during Quick Setup. You use this account to access the operating system when you perform advanced maintenance or troubleshooting tasks. The rsaadmin account is a privileged account to which access should be strictly limited and audited. Individuals who know the rsaadmin password and who are logged on as rsaadmin have sudo privileges and shell access.
Every appliance also has a root user account. This account is not needed for normal tasks. You cannot use this account to log on to the appliance.
You can access the operating system with Secure Shell (SSH) on a hardware appliance or a virtual appliance. Before you can access the appliance operating system through SSH, you must use the Operations Console to enable SSH on the appliance.
On a VMware virtual appliance, you can also access the appliance operating system with the VMware vSphere Client. On a Hyper-V virtual appliance, you can also access the appliance operating system with the Hyper-V System Center Virtual Machine Manager Console or the Hyper-V Manager.
An Operations Console administrator can change the operating system account password, rsaadmin, in the Operations Console.
RSA does not provide a utility to recover the operating system password.