One Identity Management Console for Unix 2.5.2 - Administration Guide

Modifying Privilege Manager role properties

Once you open a Privilege Manager policy, the console lists the roles and restricted shell roles associated with it.

To modify Privilege Manager role properties

  1. From the PM Policy Editor view, double-click a role; or select it and click Properties; or right-click the role and choose Properties from the context menu.

    To find a particular policy role,

    • Type a string in the Search for role box for either a name or a description. (This is case sensitive and searches dynamically.)
    • Sort or filter the list of roles by type (enabled roles, disabled roles, enabled shell roles, or disabled shell roles) from the Role state column represented with the exclamation mark (!).
    • Click a column title to sort the list of roles by name or description.

    Note: Disabled roles are greyed out, but you can still modify or delete them.

    When a role opens, the Edit Role dialog displays.

    See Adding a Privilege Manager role or Add a Privilege Manager restricted shell role for details about the role properties.

Overriding role property defaults

If a role property has a global default, a "default override" check box on a green background appears to the left of the property, and the default value appears, disabled, to the right. If a property has no "default override" check box, there is no global default for that property. For example, in the following screen the Enable role property has no global default, but the Enable keystroke logging property does; its default is Enabled.

To override a global default

  1. Select the override check box, change the role property, as needed, and click OK.

    When you override the global default, the value you specify takes precedence over the global default and remains effective even if the global default changes.

    Notes:

    • If you leave the override check box deselected, the role uses the global default automatically. In the example above, the new role will have keystroke logging enabled and will write the keystroke log to /var/opt/quest/qpm4u/iolog/ even though the override check boxes are not selected. If you want keystroke logging to stay enabled for this role even if the global default is changed in the future, select the override check box and leave the Enable keystroke logging option selected.
    • You can set a global default for the Enable role property, applicable to all roles, using the text editor. See Managing role defaults for details.

Role property variables

Privilege Manager roles (or profiles) define who, what, where, when, and how users are permitted to perform various privileged account actions using variable values in the policy configuration file. You set the values for these user-defined variables in global_profile.conf, the default Privilege Manager policy configuration file, using either a GUI editor or a text editor.

The following tables identify the policy variables associated with each GUI editor setting for both Privilege Manager roles and restricted shell roles. The Manage Defaults column indicates which variables you can set as global defaults using the Manage Defaults button on the GUI editor; you must use the text editor to set global defaults for variables marked No. See Managing role defaults for details.

Table 58: General Settings

GUI Editor Setting                                       | Role/Shell | Policy Variable            | Manage Defaults
General
    Description                                          | Both       | pf_profiledescription      | No
    Enable role                                          | Both       | pf_enableprofile           | No
    Trace level                                          | Both       | pf_tracelevel              | Yes
    Enable keystroke logging                             | Both       | pf_enablekeystrokelogging  | Yes
    Keystroke log path                                   | Both       | pf_iologdir                | Yes
    Disable password logging                             | Both       | pf_logpasswords            | Yes
    Password prompts                                     | Both       | pf_passprompts             | Yes
Authentication
    Require authentication                               | Both       | pf_enableauthentication    | Yes
    Authenticate on host running command                 | Both       | pf_authenticateonclient    | Yes
    PAM service                                          | Both       | pf_pamservice              | Yes
    Command line prompt                                  | Both       | pf_pamprompt               | Yes
    Allow scp / non-interactive SSH                      | Shell      | pf_allowscp                | Yes

Table 59: What Settings

GUI Editor Setting                                       | Role/Shell | Policy Variable            | Manage Defaults
Commands
    Path on host                                         | Role       | pf_authpaths               | Yes
    Commands                                             | Role       | pf_authcmds                | Yes
    Allow commands from authorized submit hosts          | Role       | pf_enableremotecmds        | Yes
Shell Commands
    Accept only commands                                 | Shell      | pf_shellcommandsaccept     | No
    Reject commands                                      | Shell      | pf_shellcommandsreject     | No
    Authorize shell builtins                             | Shell      | pf_checkbuiltins           | No
    Command rejection message                            | Shell      | pf_shellreject             | No
Pre-authorized Commands
    Commands allowed by shell                            | Shell      | pf_shellallow              | Yes
    Commands allowed only from pipe                      | Shell      | pf_shellallowpipe          | Yes
    Commands rejected by shell                           | Shell      | pf_shellforbid             | Yes

Table 60: Where Settings

GUI Editor Setting                                       | Role/Shell | Policy Variable            | Manage Defaults
Run Hosts
    Hosts where commands can run                         | Both       | pf_authrunhosts            | No
Submit Hosts
    Hosts where commands can be submitted                | Role       | pf_authsubmithosts         | No
Forbidden Run Hosts
    Hosts where members are forbidden to run commands    | Role       | pf_forbidrunhosts          | No
Forbidden Submit Hosts
    Hosts where members are forbidden to submit commands | Role       | pf_forbidsubmithosts       | No

Table 61: Who Settings

GUI Editor Setting                                       | Role/Shell | Policy Variable            | Manage Defaults
Users
    Users authorized to run commands                     | Both       | pf_authusers               | No
    Runas User                                           | Both       | pf_authuser                | No
Groups
    Local and Unix-enabled AD groups                     | Both       | pf_authgroups              | No
    Runas Group                                          | Both       | pf_authgroup               | No
    User must be member of authorized group              | Both       | pf_useservergroupinfo      | No
AD Groups
    Non Unix-enabled AD Groups                           | Both       | pf_authgroupsad            | No
    Default AD Domain                                    | Both       | pf_addomain                | No

Table 62: When Settings

GUI Editor Setting                                       | Role/Shell | Policy Variable            | Manage Defaults
Time Restrictions
    Restrict by day, date, time                          | Both       | pf_enabletimerestrictions  | Yes
    By Time Period                                       | Both       | pf_restrictionhours        | Yes
    By Date                                              | Both       | pf_restrictiondates        | Yes
    By Day of Week                                       | Both       | pf_restrictiondow          | Yes

Table 63: How Settings

GUI Editor Setting                                       | Role/Shell | Policy Variable            | Manage Defaults
Shell Settings
    PM secure shells allowed to run                      | Shell      | pf_allowshells             | Yes
    Run in restricted mode                               | Shell      | pf_restricted              | Yes
    Environment variables that cannot change             | Shell      | pf_shellreadonly           | Yes
    Shell execution directory                            | Shell      | pf_shellcwd                | Yes
    Shell session PATH                                   | Shell      | pf_shellpath               | Yes

Note: You cannot manage the following variables using the GUI editor; you must use the text editor:

  • pf_cpolicy -- the path to a customer-specific pmpolicy file that is included after the user has been matched to a profile but before the user is authenticated. If configured, add this file to the repository and identify it by a path relative to the policy directory.
  • pf_realshell -- specifies the actual shell program to run in the case of pmloginshell. Note: This variable is obsolete in vr 5.6.0 and is provided here only for reference to the obsolete vr 5.5.2 pmloginshell program.
  • pf_forbidsubmithostsad -- Active Directory host groups where members are forbidden to submit commands.
  • pf_authsubmithostsad -- Active Directory host groups where commands can be submitted.
  • pf_forbidrunhostsad -- Active Directory host groups where members are forbidden to run commands.
  • pf_authrunhostsad -- Active Directory host groups where commands can run.
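The override precedence described under "Overriding role property defaults" and the Manage Defaults column of the tables above can be modelled in a few lines. The following Python is an added example, not One Identity code and not the format of global_profile.conf: it assumes nothing about the real policy file syntax and only reuses the variable names and the keystroke-logging scenario from this guide. Role names ("dba", "auditors") and the GUI_MANAGE_DEFAULTS subset are constructed for the illustration.

```python
"""Constructed model (not One Identity code) of how a role property resolves
to its effective value under the override rules described in this guide."""
from dataclasses import dataclass, field

# Subset of the policy-variable tables in the guide: True where the GUI
# editor's Manage Defaults button can set a global default, False where the
# text editor must be used instead. (Constructed subset, names from the guide.)
GUI_MANAGE_DEFAULTS = {
    "pf_enableprofile": False,          # Enable role
    "pf_enablekeystrokelogging": True,  # Enable keystroke logging
    "pf_iologdir": True,                # Keystroke log path
    "pf_logpasswords": True,            # Disable password logging
}


@dataclass
class Role:
    """A role and the properties whose override check box is selected.

    A variable absent from ``overrides`` means the box was left deselected,
    so the role follows the global default, including later changes to it."""
    name: str
    overrides: dict = field(default_factory=dict)


class GlobalDefaults:
    """Global role defaults, settable through the GUI or the text editor."""

    def __init__(self):
        self.values = {}

    def set_via_gui(self, var, value):
        # Mirrors the Manage Defaults column: refuse variables marked "No".
        if not GUI_MANAGE_DEFAULTS.get(var, False):
            raise ValueError(f"{var}: no GUI-managed global default; use the text editor")
        self.values[var] = value

    def set_via_text_editor(self, var, value):
        # The text editor can set a global default for any variable.
        self.values[var] = value


def effective_value(role, defaults, var):
    """Return (value, source): a role override wins, then the global default."""
    if var in role.overrides:
        return role.overrides[var], "role override"
    if var in defaults.values:
        return defaults.values[var], "global default"
    return None, "unset"


def demo():
    """Scenario from the guide: a role with no override tracks the global
    default; a role with the override box selected keeps its own value."""
    defaults = GlobalDefaults()
    defaults.set_via_gui("pf_enablekeystrokelogging", True)
    defaults.set_via_gui("pf_iologdir", "/var/opt/quest/qpm4u/iolog/")

    tracking = Role("dba")                                            # no override selected
    pinned = Role("auditors", {"pf_enablekeystrokelogging": True})   # override selected

    var = "pf_enablekeystrokelogging"
    before = {r.name: effective_value(r, defaults, var) for r in (tracking, pinned)}

    # The global default is later switched off: only the tracking role changes.
    defaults.set_via_gui(var, False)
    after = {r.name: effective_value(r, defaults, var) for r in (tracking, pinned)}
    return before, after


if __name__ == "__main__":
    for label, state in zip(("before", "after"), demo()):
        print(label, state)
```

Run it directly to see the two snapshots: before the global change both roles log keystrokes; afterwards only the role that pinned the value with its override box still does. Trying to set a default for pf_enableprofile through set_via_gui raises, which is the table's "No" entry for that variable.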

Adding a Privilege Manager role

To create a new Privilege Manager role

  1. From the PM Policy Editor view, click the Add Role button.
  2. From the Select Role Type dialog, choose Privilege Manager Role and click OK.

    The New Role dialog displays and allows you to specify:

    • General Settings
      • General Settings
      • Authentication Settings
      • User Defined Variables
    • What Settings
      • Commands
    • Where Settings
      • Run Hosts Settings
      • Submit Hosts Settings
      • Forbidden Run Hosts Settings
      • Forbidden Submit Hosts Settings
    • Who Settings
      • Users Settings
      • Groups Settings
      • AD Groups Settings
    • When Settings
      • Time Restrictions Settings

    See Overriding role property defaults for more information about overriding the global default of an individual property for this role.