With sugroup, the system administrator can restrict, by group membership, who can use su to access which account. You can use the NOT operator to restrict access further. When you are audited, you need to report on the sugroup members and the accounts they can access using su. Generating these access reports for sugroup members is generally a compliance task.
Sugroup Overview
The system administrator can give a user su access to another account without the user logging out of the current account. Typically, users use su to switch temporarily to another account, such as the root user or an application owner. However, as the workload of applications increases, the system maintenance overhead also increases. You can use sugroup to simplify su permission management, because it works with groups rather than a large number of individual users.
With sugroup, the system administrator can group users and grant them the right to access different accounts through su. Whether a user is a member of the AIX® group determines whether that user has su access. When creating a user, you can specify a sugroup through the user attributes. Only members of this group can become that user through su. The user executing su still needs to know the password. Users who do not belong to the specified sugroup cannot switch to this user through su, even if they know the user's password.
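The audit report described above can be sketched as follows. This is an added example, not code from the original article. It assumes the account and group listings arrive as "name attr=value" lines (the layout assumed for `lsuser -a sugroups ALL` and `lsgroup -a users ALL`), that the NOT operator is written as a leading `!`, and that a user passes when they belong to a listed group (or `ALL` is listed) and to no excluded group; all account, group and user names are constructed.

```shell
#!/bin/sh
# Constructed sample data (not from a real system), laid out as "name attr=value",
# the form assumed here for `lsuser -a sugroups ALL` and `lsgroup -a users ALL`.
SUGROUP_DATA='root sugroups=sysadm
oracle sugroups=dba,!contractors
webapp sugroups=ALL,!contractors
guest sugroups=ALL'
GROUP_DATA='sysadm users=alice
dba users=bob,carol
contractors users=carol,dave
staff users=alice,bob,erin'

# su_report ACCOUNT_LINES GROUP_LINES
# Prints one "target user" pair per line for every user whose group
# membership passes the target account's sugroups list.
su_report() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk '
    /^---$/ { accounts = 1; next }     # separator: group lines end, account lines begin
    NF < 2  { next }                   # skip blank or malformed lines
    !accounts {                        # group line: record each member
      v = $2; sub(/^[^=]*=/, "", v)
      n = split(v, m, ",")
      for (i = 1; i <= n; i++) { member[$1, m[i]] = 1; users[m[i]] = 1 }
      next
    }
    {                                  # account line: test every known user
      v = $2; sub(/^[^=]*=/, "", v)
      n = split(v, rule, ",")
      for (u in users) {
        allowed = 0; denied = 0
        for (i = 1; i <= n; i++) {
          g = rule[i]
          if (g == "ALL") allowed = 1
          else if (substr(g, 1, 1) == "!") {
            g = substr(g, 2)           # assumed semantics: a NOT entry always wins
            if ((g, u) in member) denied = 1
          } else if ((g, u) in member) allowed = 1
        }
        if (allowed && !denied) print $1, u
      }
    }' | LC_ALL=C sort
}

su_report "$SUGROUP_DATA" "$GROUP_DATA"
```

Passing the group test is only the first gate: the user still needs the target account's password, so the report lists who is eligible to su, not who holds the password.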
Some system security policies do not allow passwords to be disclosed to other users. In this case, you can use sudo, which is discussed later.