Direct login with an administrator role

Occasionally it is desirable to allow normal users to log in as administrators at the console or via SSH. This may be necessary if several people are acting as administrators, but the central password of a particular administrator role should not be made accessible to a larger group of people in distributed organisational structures. If a user belongs to a specific user group on TightGate-Pro, he or she can log in immediately with his or her regular password and automatically receives the privileges of the respective administrator role.

For this purpose, the administrator maint must first create the necessary special groups in the group administration of TightGate-Pro. According to their purpose, these groups must have the following names, each beginning with "tgadmin":

Group               Description
tgadmin config      Group members can work as administrator config.
tgadmin maint       Group members can work as administrator maint.
                    Exception: group members cannot create or modify groups for direct login with an administrator role.
tgadmin update      Group members can work as administrator update.
tgadmin backuser    Group members can work as administrator backuser.
tgadmin security    Group members can work as administrator security.
tgadmin root        Group members can work as administrator root.

Every user ID that is to be authorised to log in with an administrator role must be added to the respective group. Only the actual administrator maint may do this, not a member of the existing group tgadmin maint.

Afterwards, the user can log in with every administrator role that is defined by his or her membership in the respective tgadmin groups. Instead of the user ID user alone, an identifier of the form user+adminrole is entered at the login prompt, for example testuser+maint. The password to be used is the user's regular password; the password of the actual administrator role adminrole is not required for the login of a regular user.
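As an added illustration of the group-membership rule above (example code, not part of the TightGate-Pro documentation or product), the following Python audit helper reads group entries in /etc/group format and reports which administrator roles each user could obtain through tgadmin group membership, and whether a given user+adminrole login identifier would be granted under that rule. The group naming scheme tgadmin_<role>, the file format and the sample entries are assumptions for illustration; the product's own implementation is not shown.

```python
# Added example, not TightGate-Pro code. Assumes the groups are named
# "tgadmin_<role>" and are listed in /etc/group format (assumption).

ADMIN_ROLES = ("config", "maint", "update", "backuser", "security", "root")
GROUP_PREFIX = "tgadmin_"   # assumption: prefix followed by the role name

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP_FILE = """\
tgadmin_config:x:2001:alice,bob
tgadmin_maint:x:2002:alice
tgadmin_root:x:2003:
tgadmin_rot:x:2004:mallory
users:x:100:alice,bob,carol
"""

def parse_groups(text):
    """Return {group_name: set(members)} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def roles_by_user(groups):
    """Map each user to the roles reachable via tgadmin groups; also list prefixed groups with an unknown role."""
    roles, suspicious = {}, []
    for name, members in groups.items():
        if not name.startswith(GROUP_PREFIX):
            continue
        role = name[len(GROUP_PREFIX):]
        if role not in ADMIN_ROLES:
            suspicious.append(name)      # e.g. a typo: grants nothing, but worth a review
            continue
        for user in members:
            roles.setdefault(user, set()).add(role)
    return roles, sorted(suspicious)

def check_login(login_id, groups):
    """Decide whether a 'user+role' identifier is granted under the group rule."""
    if "+" not in login_id:
        return True, "regular login, no administrator role requested"
    user, role = login_id.split("+", 1)
    if role not in ADMIN_ROLES:
        return False, f"unknown administrator role {role!r}"
    if user in groups.get(GROUP_PREFIX + role, set()):
        return True, f"{user} is a member of {GROUP_PREFIX}{role}"
    return False, f"{user} is not a member of {GROUP_PREFIX}{role}"
```

Running roles_by_user over a real group listing is a quick way to review who can currently obtain the root or maint role through these groups.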

Note

Accesses by a user who has logged in this way with elevated privileges are logged.