Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration Reporting Setting preferences Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance

Publishing console to Active Directory

A Service Connection Point (SCP) enables a service to publish service-specific data in Active Directory which can then be used by network clients to locate, connect, and authenticate to an instance of the service. Management Console for Unix can create and register an SCP with Active Directory so that client applications (such as Control Center) can locate and browse to instances of the mangement console running on the network.

To publish an SCP with Active Directory, enable the setting in Console Information settings. When you enable this setting, Management Console for Unix creates an SCP as a child of the Active Directory computer object of the computer where Management Console for Unix server is running. Once created, the SCP contains the keywords and service binding information that allows clients to browse to the initial screen of the mangement console. That is, a client application searches the Global Catalog (GC) for the SCP containing the Management Console for Unix keywords and then uses the service URL to browse to the mangement console. Please keep in mind, that the ServiceConnectionPoint object will appear in the GC based on the replication policy (usually every 5 minutes); therefore, the client application (such as, Control Center) may not find it immediately after the SCP is published to Active Directory.

Note: You can only register an SCP if the mangement console is installed on a computer that is joined to Active Directory.

To publish the mangement console to Active Directory

  1. Log onto the mangement console using the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
  2. From the top-level Settings menu, navigate to System settings | General | Console Information.

    The Management Console for Unix service uses the information displayed on this dialog to create and register the SCP with Active Directory.

  3. Under Publish console to Active Directory, select the Register a Service Connection Point with Active Directory option to publish the mangement console to Active Directory.

Note: If the Register a Service Connection Point with Active Directory option is disabled, see Cannot create a service connection point.

Changing supervisor account password

You can change your supervisor account password in System settings when you are logged in as supervisor.

To change supervisor account password

  1. Log onto the mangement console using the supervisor account.

  2. From the top-level Settings menu, navigate to System settings | General | Change Password.

  3. Enter your current supervisor account password and the new password.

  4. Click OK to save your changes and close System Settings.

Note: If you have forgotten the current supervisor account see Reset the supervisor password for more information on resetting your supervisor password.

Setting custom privilege elevation commands

You can specify up to three custom privilege elevation commands to use when performing tasks on hosts that require elevated privileges.

To set custom privilege elevation commands

  1. From the top-level Settings menu, navigate to System Settings | General | Custom Privilege Elevation.

  2. In the Custom Elevation box, enter the elevation command and any optional parameters required by the command. For example:

    /opt/quest/bin/pmrun

    Note: Enter the full path to the command if the command is not in the system's path.

  3. Optionally, select the Use single quotes for command arguments option if the command requires arguments in quotes.

    For example, the sudo command does not require arguments in quotes, like this:

    # sudo echo bob

    Whereas the su command does require arguments in quotes, like this:

    # su root -c "echo bob"

  4. To specify another user instead of root when performing tasks on hosts that require elevated privileges, replace root with "%s" as in:

    # su %s -c "echo bob"

    Enter "%s" to specify a user name other than root to use elevated credentials. In the Log On To Host dialog, when you select the Use elevated credentials option, you can replace root with another account in the User name field.

  5. Optionally, click Test to validate that the command works.

    On the Test Privileged Elevation Command dialog,

    1. Enter or select a host where the command exists.

    2. Enter user credentials and click Test.

      A message displays to explain whether the test was successful or not.

  6. Click OK to save the changes.

When a test for a command completes successfully, it becomes available on the Log On To Host dialog. (Search for Log On To Host in the online help for details.)

Console Roles and Permissions system settings

What a user sees in the mangement console is based on the rules that pertain to the console role the user is assigned. A user can only access and perform tasks specified for his roles. The default supervisor account is a member of all roles, however, that account is blocked from performing Active Directory tasks because the supervisor does not have Active Directory credentials.

Note: While all console roles, except supervisor, have permission to view the Active Directory tab, to perform certain Active Directory tasks, such as Unix-enabling an Active Directory user or group, the AD user assigned to the role must have the appropriate rights in Active Directory.

To access and perform tasks within the mangement console, assign users to one or more of the following console roles:

Note: All roles run reports. See Reports for more information about the reports that are available for each role.

Table 17: Console roles and permissions
Role Description Default Permissions Available UI
Manage Hosts Members can add, view, and manage hosts, as well as run reports.
  • View hosts
  • Manage hosts
  • Hosts tab
  • All Local Users tab
  • Active Directory tab
  • Reporting tab
Manage Sudo Policy Members can view and edit the sudoers policy file, run reports, and access a read-only view of all hosts.
  • View hosts
  • Edit Sudoers Policy
  • Hosts tab (view hosts only)
  • Policy | Sudo Policy Editor view
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Audit Sudo Policy Members can audit sudo policy through reports, replay keystroke logs, and access a read-only view of all hosts.
  • View hosts (read-only)
  • View and replay keystroke logs
  • Hosts tab (view hosts only)
  • Policy | PM Policy Editor view
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Console Administration Members can modify console System Settings and access a read-only view of all hosts.
  • View hosts (read-only)
  • Manage console System Settings
  • Hosts tab (view hosts only)
  • Active Directory tab
  • Settings | System settings view
    • General settings
    • Console Information settings
    • Privilege Manager settings
    • Active Directory settings
    • Licenses settings
Manage Console Access Members can add and remove members of console roles, run reports, and access a read-only view of all hosts.
  • View hosts (read-only)
  • Set console permissions (Roles and Permissions)
  • Hosts tab (view hosts only)
  • Active Directory tab
  • Reports tab to access only the Console Access and Permissions report
  • Settings | System settings view
    • Console Roles and Permissions settings
Manage PM Policy Members can view and edit the Privilege Manager policy, run reports, and access a read-only view of all hosts.
  • View hosts
  • Edit PM Policy
  • Hosts tab (view hosts only)
  • Policy | Edit Policy view
  • Policy | Event Logs view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Audit PM Policy Members can audit Privilege Manager policy through reports, replay keystroke logs, and access a read-only view of all hosts.
  • View hosts (read-only)
  • View and replay keystroke logs
  • Hosts tab (view hosts only)
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Reporting Members can run and view all reports and access a read-only view of all hosts.

  • View hosts (read-only)
  • View and produce any report

  • Hosts tab (view hosts only)
  • Active Directory tab
  • Reports tab to access reports

Note: Management Console for Unix does not allow you to add domain-local Active Directory groups to roles; you can only add security-enabled global and universal groups.

Documents connexes