Managing Shell Access

Information and instructions about managing users' access to our VMs' UNIX shells.

These instructions assume that you are already a member of the "alberts_lab_admins" group. If you are not and need to be, ask someone who is a member for help.

Group Manager

A user's access to a VM is determined by his/her Duke NetID's membership in a specific access group. To manage users' membership in these groups, use Duke's Group Manager.

Managing users in a group is a pretty simple task. See Adding a Babase User and Removing a Babase User for an example of how to do this in the "babase users" group.

Adding a New Shell User

Granting shell access for a particular VM takes a few steps.

Get a Duke NetID

A user needs a Duke NetID before we can grant any access for that NetID. Non-Duke users can be sponsored for an "affiliate" NetID by Duke faculty members.

Create a "Per-User" Group for the User

Each user with shell access needs to be the sole member of a private group whose name is "biology-systems-[their NetID]" (so NetID abc123 will be in group "biology-systems-abc123"). This is needed because [REASONS].

After logging in to the Group Manager, hit the "Create a Group +" button near the top of the window. Two fields will appear. Set the "Group Display Name" to match the new user's NetID. Write the "Group Description" using the format:

Private group for Firstname Lastname, NetID xxx123. S/he must be the sole member of this group.

When finished, hit "Submit". You will be brought to a new window to manage more details about the new group.

Under "Group Owners (1):", hit the "Manage group owners +" button, then "Add Group as Owner +". In the field that opens, type "biology-systems-alberts_lab_admins" and hit "Submit". Next, find your name listed among the group owners, and hit "remove".

Next, hit the "Manage group options +" button. In the table that opens up, switch "Sync to WIN Active Directory" and "Make Public in Grouper" to the "on" position.

The namesake user should actually be a member of the group. Under "Group Members", hit "Add Individual Member +" and add him/her as the sole member of the group.

Add to Other Relevant Groups

Depending on the VM to which you're granting access and the level of access you want to grant, there are other groups to which the new user should be added. A user with shell (but not sudo) access to Papio should be in the "papio_shell_users" group, for example.

Note that it is possible to add whole groups as members of another group. When a user is granted membership to a group because of his/her membership in another group, it is not necessary to also add that person to the group individually. Avoid redundantly adding individuals to a group.
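The per-user group rule and the advice against redundant membership can both be checked mechanically. The following is an added example, not part of the original wiki page or of Duke's Group Manager: it audits a membership listing for per-user groups that are missing or have extra members, and for individuals added to a group both directly and through a nested group. The data layout, the group "papio_students" and the NetIDs xyz789 and def456 are assumptions made up for the example.

```python
PREFIX = "biology-systems-"  # per-user group prefix, as given on this page

# Constructed sample data (assumed layout): group name -> direct members.
# A member that is itself a key is a nested group. "papio_students" and the
# NetIDs xyz789 and def456 are hypothetical.
SAMPLE_SHELL_NETIDS = ["abc123", "xyz789", "def456"]
SAMPLE_GROUPS = {
    "biology-systems-abc123": ["abc123"],
    "biology-systems-xyz789": ["xyz789", "abc123"],
    "papio_shell_users": ["papio_students", "abc123", "def456"],
    "papio_students": ["def456"],
}

def expand(group, groups, seen=None):
    """Return every individual reachable from `group` through nested groups."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against membership cycles
        return set()
    seen.add(group)
    people = set()
    for member in groups.get(group, []):
        people |= expand(member, groups, seen) if member in groups else {member}
    return people

def audit(shell_netids, groups):
    """Return (group, problem) pairs for rule violations."""
    findings = []
    for netid in shell_netids:
        name = PREFIX + netid
        members = groups.get(name)
        if members is None:
            findings.append((name, "missing per-user group"))
        elif members != [netid]:
            findings.append((name, f"members {sorted(members)}, expected only {netid}"))
    for name, members in groups.items():
        direct = {m for m in members if m not in groups}
        inherited = set()
        for nested in (m for m in members if m in groups):
            inherited |= expand(nested, groups, {name})
        for person in sorted(direct & inherited):
            findings.append((name, f"{person} added individually and via a nested group"))
    return findings

if __name__ == "__main__":
    for group, problem in audit(SAMPLE_SHELL_NETIDS, SAMPLE_GROUPS):
        print(f"{group}: {problem}")
```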

Contact OIT about Linking the New Group

[I feel like an explanation of "why" should be added here. I don't have enough information to provide that.]

Contact Darrell Cooley in Duke Biology OIT and ask him to link the new "per-user" group to [I DON'T KNOW WHAT].

Create an Account on the VM

[Add instructions about how to sudo in and create a new user]

managingShellAcess (last edited 2017-03-02 20:04:47 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.