Locking and unlocking superuser accounts

A Security Administrator can manually lock or unlock a user account at any time. By default, the superuser is exempt from the system-wide policy for manual or automatic account locking.

For systems with a dedicated technician port, the system supports locking the superuser account for environments with strict security requirements.

When a system is created, a single local user with Security Administrator privileges, called superuser, is created. The superuser contains maximum privileges to complete system setup and configuration. For new systems, the default superuser password must be changed on first login to the system. Although the superuser cannot be deleted, you may want to lock or disable the superuser to prevent access to the system.

The superuser account is the only account on the system that can complete these tasks:
  • The superuser account is the only user that exists in service mode. This user can access the service assistant to run service-related command-line operations, such as (satask and sainfo commands).
  • The superuser account is the only user that can run the system recovery procedure and the backup and restore system configuration procedure.

Other Security Administrator accounts cannot complete these service tasks. If the superuser account is locked, then these service actions are unavailable until the superuser account is unlocked.

If you plan to allow the superuser account to be locked, consider completing the following tasks on the system to ensure that superuser access can be restored when needed:
Enable Support Assistance
Support assistance enables support personnel to access the system either remotely from the support center, or locally from a console. If the superuser account is locked, a support person can log in to service the system when Support Assistance is enabled.
Ensure that password reset for the superuser account is enabled
You must ensure that the superuser password can be reset if you plan on allowing locks on the superuser account. This feature is enabled by default. If this feature is not enabled, unlocking the account by resetting the password on the service assistant GUI or service command-line interface is not possible. Use the command svctask setpwdreset -enable to enable this feature.
Ensure that an account with the role of SecurityAdmin exists
Consider creating a separate account on the system with the user role of SecurityAdmin, either locally or on a remote LDAP server. This account can be used to unlock the superuser account.