Merge "User Management GUI/CLI/RESTAPI Enhancements --- Deletion Restriction"

doc/source/security/kubernetes/keystone-accounts.rst

@@ -9,3 +9,31 @@ Keystone Accounts
 |prod-long| uses Keystone for authentication and authorization of users of the
 StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker
 Registry. |prod|'s Keystone uses the default local SQL Backend.
+
+--------------------------------------
+System-Critical Keystone User Accounts
+--------------------------------------
+
+The following Keystone user accounts are system-critical and cannot be deleted:
+
+- ``admin``
+- ``mtce``
+- ``fm``
+- ``barbican``
+- ``sysinv``
+- ``patching``
+- ``dcorch``
+- ``vim``
+- ``dcagent``
+- ``dcmanager``
+- ``dcdbsync``
+- ``smapi``
+- ``usm``
+
+.. note::
+
+    These Keystone user accounts are essential for the operation and management of the
+    platform. Deleting or modifying these accounts could lead to unexpected
+    behavior or system instability.
+
+

doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst

@@ -121,3 +121,16 @@ from the console ports of the hosts; no |SSH| access is allowed.
 .. seealso::
 
     :ref:`Create LDAP Linux Accounts <create-ldap-linux-accounts>`
+
+---------------------------------------------------------
+Configure Restricted Sudo Capability for Local LDAP Users
+---------------------------------------------------------
+
+You can grant restricted sudo capability to the local |LDAP| users by assigning
+them to the sys_admin group. This can be configured using the |PAM| configuration method.
+
+Add ``sudo;*;*;Al0000-2400;sys_admin`` to ``/etc/security/group.conf``.
+
+Ensure that the pam_group module is enabled in the |PAM| stack (example: by
+modifying ``/etc/pam.d/sudo``) with ``auth required pam_group.so``.
+