Locking user accounts
The Security Administrator can manually lock or unlock a user account at any time. By default, the superuser is exempt from the system-wide policy for manual or automatic account locking.
When a system is created, a single local user with Security Administrator privileges, called
superuser, is created. The superuser contains maximum privileges to complete system setup and
configuration. For new systems, the default superuser password must be changed on first login to the
system. Although the superuser cannot be deleted, you may want to lock or disable the superuser to
prevent access to the system. In addition, the following system-wide policies can be set:
- Automatic lock after (0-10) consecutive failed login attempts. A value of 0 means that the account does not lock because of failed login attempts.
- Set length of time auto-lock applies for (0-10080) minutes (7 days maximum). A value of 0 means that the account remains locked out indefinitely.
- Superuser account can be locked from general login.
Locking the superuser account
For systems with a dedicated technician port, the system supports locking the superuser account for environments with strict security requirements.
The superuser account is the only account on the system that can complete these tasks:
- The superuser account is the only user that exists in service mode and can access the service assistant or run or view service-related command-line operations (or satask sainfo commands).
- The superuser account is the only user that can run the system recovery procedure and the backup and restore system configuration procedure.
If you plan to allow the superuser account
to be locked, ensure that you complete the following tasks on the system:
- Enable Support Assistance
- Support assistance enables support personnel to access the system either remotely from the support center, or locally from a console. If the superuser account is locked, a support person can log in to service the system when Support Assistance is enabled.
- Ensure that password reset for the superuser account is enabled
- You must ensure that the superuser password can be rest if you plan on allowing locks on the superuser account. This feature is enabled by default. If this feature is not enabled, unlocking the account by resetting the password on the service assistant GUI or service command-line interface is not possible. Use the command svctask setpwdreset -enable to enable this feature.
- Ensure that an account with the role of SecurityAdmin exists
- Ensure that a separate account with the user role of SecurityAdmin exists, either locally or on a remote LDAP server. This account can be used to unlock the superuser account.
The following table describes different
use cases where the superuser account is locked and the possible recovery actions:
Locked superuser use case | Recovery action |
---|---|
Superuser account is locked after specified failed login attempts for a specified lockout time period. | Wait for the specified time for the lockout to expire and reattempt log in. |
Superuser account is locked after the specified login attempts but an indefinite lockout was selected,
or superuser account is manually disabled because it is not intended for use. |
Complete one of these tasks to unlock the superuser account:
|
Superuser account is locked after two person integrity (TPI) is enabled. | Complete one of these tasks to unlock the superuser account:
|