
Administering the Kerberos Server: The admin_acl_file File (Chapter 8, page 118)
NOTE: IRDid is equivalent to the IRD permissions because the uppercase permissions (excluding the r and R modifiers) apply to all realms. In either case, administrative principals can delete any principal from their own realm, but they have restricted delete privileges in realms other than their own.

For example, administrative principals with IDRm or IDRidm permissions assigned have restricted delete permissions in all realms other than their own, but they can modify and delete any principal in their own realm.
• The Rr modifiers restrict permissions for all principals in admin_acl_file for all realms supported by the primary security server. For example, administrative principals with IMRimr permission assigned cannot modify principals included in admin_acl_file in any realm, including their own. They can only modify principals that are not included in admin_acl_file.
• The e, E, g, and G permissions are not affected by the r, R, and Rr modifiers.
• Administrative principals assigned with the icr or ICRicr permission are still able to change their own passwords using the administrative tools. Permissions other than c and C are restricted for the restricted administrative principals. For instance, principals assigned with the imr permission are not able to modify their own principal accounts.

An administrative principal with r or R in combination with e or E can use the Kerberos administrative utilities to remove the r modifier from their admin_acl_file entry, for example: ier, IER, IERr, or IEr. Do not assign these permission combinations.
• Administrative principals assigned with the ic, icr, IC, or ICR permission are able to change principal attributes and extract service keys in addition to changing principal passwords. According to the r and R modifier rules, restricted administrators can perform these actions only on principal accounts that are not included in admin_acl_file.
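The following Python model, added here as an illustration and not part of the HP Kerberos Server documentation or product code, encodes the permission rules described above so that an administrator can check what an admin_acl_file entry actually grants and audit a file for the r/R plus e/E combinations the page says not to assign. It is an interpretation of the page's examples: uppercase operation letters are assumed to apply to all realms and lowercase ones only to the administrator's own realm, and the R modifier is assumed to restrict operations in other realms while r restricts them in the administrator's own realm. The principal names, realm names and ACL contents are constructed for the example.

```python
"""Illustrative model of HP Kerberos admin_acl_file permission strings.

This is an added example that interprets the rules stated in the manual;
it is not the product's implementation.  Assumptions are marked below.
"""

# r and R are modifiers, not operations.  Assumption: R restricts operations in
# realms other than the administrator's own, r restricts them in the own realm.
MODIFIERS = {"r", "R"}
# The manual states that e, E, g and G are not affected by the r/R modifiers.
UNAFFECTED_BY_RESTRICTION = {"e", "g"}


def realm_of(principal: str) -> str:
    """Return the realm part of a 'name@REALM' principal string."""
    return principal.rsplit("@", 1)[1]


def parse_perms(perms: str):
    """Split e.g. 'IDRidm' into (all-realm ops, own-realm ops, R set, r set)."""
    all_realms = {ch.lower() for ch in perms if ch.isupper() and ch not in MODIFIERS}
    own_realm = {ch for ch in perms if ch.islower() and ch not in MODIFIERS}
    return all_realms, own_realm, "R" in perms, "r" in perms


def effective(perms: str):
    """Effective rights: (ops in own realm, ops in other realms, r set, R set).

    Uppercase letters grant in every realm including the administrator's own,
    so 'IRDid' and 'IRD' collapse to the same effective rights.
    """
    all_realms, own_realm, restrict_other, restrict_own = parse_perms(perms)
    return (frozenset(all_realms | own_realm), frozenset(all_realms),
            restrict_own, restrict_other)


def is_allowed(acl: dict, admin: str, op: str, target: str) -> bool:
    """Decide whether `admin` may perform operation `op` (lowercase) on `target`.

    `acl` maps principal -> permission string, i.e. the admin_acl_file content.
    """
    perms = acl.get(admin)
    if perms is None:
        return False  # not an administrative principal at all
    own_ops, other_ops, restrict_own, restrict_other = effective(perms)
    same_realm = realm_of(admin) == realm_of(target)
    if op not in (own_ops if same_realm else other_ops):
        return False  # operation not granted for the target's realm
    if not (restrict_own if same_realm else restrict_other):
        return True   # no r/R restriction applies in this realm
    if op in UNAFFECTED_BY_RESTRICTION:
        return True   # e/E and g/G ignore the modifiers
    if target not in acl:
        return True   # restriction only covers principals listed in admin_acl_file
    if op == "c" and target == admin:
        return True   # restricted admins may still change their own password
    return False


def lint(acl: dict):
    """Flag entries the manual says not to assign: r or R together with e or E."""
    return [(principal, perms) for principal, perms in acl.items()
            if set(perms) & MODIFIERS and set(perms) & {"e", "E"}]


def sample_acl() -> dict:
    """Constructed sample admin_acl_file content (not taken from the manual)."""
    return {
        "alice@REALM.A": "IDRm",    # delete anywhere, restricted outside own realm
        "bob@REALM.A": "IMRimr",    # restricted in every realm
        "carol@REALM.A": "imr",     # cannot modify her own listed account
        "dave@REALM.B": "icr",      # can still change his own password
        "eve@REALM.A": "IEr",       # combination the manual says not to assign
    }


if __name__ == "__main__":
    acl = sample_acl()
    for admin, op, target in [("alice@REALM.A", "d", "bob@REALM.A"),
                              ("alice@REALM.A", "d", "dave@REALM.B"),
                              ("carol@REALM.A", "m", "carol@REALM.A"),
                              ("dave@REALM.B", "c", "dave@REALM.B")]:
        print(f"{admin} {op} {target}: {is_allowed(acl, admin, op, target)}")
    print("entries to fix:", lint(acl))
```

`effective()` is what makes the manual's equivalence claims checkable: comparing `effective("IRDid")` with `effective("IRD")` shows they grant the same rights, and `lint()` gives a quick review pass over an existing file before the entries are put into service.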