Authorize AD groups
To authorize non-Unix-enabled Active Directory groups
- Select the Non-Unix-enabled Active Directory Groups authorized to run commands option and click Edit.
The Edit Entries dialog opens, in which you add one or more non-Unix-enabled Active Directory group names, separated by commas. Note the following:
- Do not enter ALL to mean all Active Directory groups; ALL is not accepted here.
- You may not use wildcards.
- You can identify AD groups in the form <domain>/<name>, <domain>\\<name>, or <name>.
- If you do not specify a domain, the console uses the joined domain by default.
For more information about the Edit Entries dialog, click the help link.
- Click OK to save the Active Directory Groups settings.
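The entry rules above (comma-separated list, the three accepted name forms, no ALL, no wildcards, joined domain as the default) are small enough to check before they reach the policy. The following parser is an added example and is not One Identity's code; it assumes the joined domain is supplied by the caller, that ALL is rejected case-insensitively, and that `*` and `?` are the wildcard characters to reject.

```python
"""Parse and validate a comma-separated list of non-Unix-enabled AD groups.

Added example, not the product's code. Assumptions: the joined domain is passed
in by the caller, ALL is rejected regardless of case, and '*' / '?' are the
wildcard characters that must be refused.
"""
from __future__ import annotations

WILDCARD_CHARS = set("*?")   # assumed wildcard characters


def parse_ad_groups(entry: str, joined_domain: str) -> list[tuple[str, str]]:
    """Return (domain, group) tuples for every entry in the list.

    Accepted forms: DOMAIN/name, DOMAIN\\name, or name (joined domain is used).
    Raises ValueError for ALL, wildcards, empty names or malformed entries.
    """
    groups: list[tuple[str, str]] = []
    for raw in entry.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing or doubled comma
        if item.upper() == "ALL":
            raise ValueError("ALL is not accepted for AD groups; list the groups explicitly")
        if WILDCARD_CHARS & set(item):
            raise ValueError(f"wildcards are not permitted: {item!r}")
        # Treat '/' and '\' as the same separator and split on the first one only;
        # a group name itself may contain neither.
        domain, sep, name = item.replace("\\", "/").partition("/")
        if not sep:
            domain, name = joined_domain, item
        domain, name = domain.strip(), name.strip()
        if not domain or not name or "/" in name:
            raise ValueError(f"malformed group entry: {item!r}")
        # Domain names are case-insensitive; upper-case them so duplicates compare equal.
        groups.append((domain.upper(), name))
    return groups
```

Run the function over the exact string you intend to paste into the dialog; a ValueError tells you which entry the console would not accept, and the returned tuples show which domain each bare group name will be resolved against.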
Specifying time restrictions
To specify time restrictions
- Select the You can restrict by Day, Date, and Time when users can execute commands option to enable time restrictions.
- Select the Restrict execution of commands option to enable time, date, or Day of Week restrictions.
- Select By Time to restrict the execution of commands by range of time.
Time restrictions must be set to valid values. Leave the entry empty to disable the time restrictions.
- Select By Date to restrict the execution of commands by range of dates.
Specify start or end dates using the form: yyyy/mm/dd. Date restrictions must be set to valid values. Leave the entry empty to disable the date restrictions.
- Select By Day of Week to restrict the execution of commands to certain days of the week.
Select the applicable days of the week.
- Click OK to save the Time Restriction settings.
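The three restriction kinds combine as follows: a command is permitted only when every enabled restriction is satisfied, and an empty entry disables that kind. The evaluator below is an added example, not the product's code; it takes the date form yyyy/mm/dd from the page, assumes HH:MM for times, and assumes a time range whose end precedes its start wraps past midnight.

```python
"""Evaluate By Time / By Date / By Day of Week restrictions for a timestamp.

Added example, not the product's code. Dates are yyyy/mm/dd as the page states;
times as HH:MM and the overnight-range rule are assumptions. An empty string
means that restriction is disabled.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, time

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # index = datetime.weekday()


@dataclass
class TimeRestriction:
    start_time: str = ""   # "HH:MM", or "" to disable the time restriction
    end_time: str = ""
    start_date: str = ""   # "yyyy/mm/dd", or "" for no lower/upper bound
    end_date: str = ""
    days: frozenset[str] = frozenset()   # subset of DAYS; empty = no day restriction


def _parse_time(s: str) -> time | None:
    return datetime.strptime(s, "%H:%M").time() if s else None


def _parse_date(s: str) -> date | None:
    return datetime.strptime(s, "%Y/%m/%d").date() if s else None


def validate(r: TimeRestriction) -> None:
    """Raise ValueError on values the console would reject; empty strings are fine."""
    t0, t1 = _parse_time(r.start_time), _parse_time(r.end_time)
    d0, d1 = _parse_date(r.start_date), _parse_date(r.end_date)
    if (t0 is None) != (t1 is None):
        raise ValueError("a time range needs both a start and an end time")
    if d0 is not None and d1 is not None and d0 > d1:
        raise ValueError("start date is after end date")
    unknown = set(r.days) - set(DAYS)
    if unknown:
        raise ValueError(f"unknown day names: {sorted(unknown)}")


def allowed(r: TimeRestriction, when: datetime) -> bool:
    """True if running a command at `when` satisfies every enabled restriction."""
    validate(r)
    t0, t1 = _parse_time(r.start_time), _parse_time(r.end_time)
    if t0 is not None:
        now = when.time()
        # End earlier than start means the window wraps past midnight (e.g. 22:00-06:00).
        in_window = (t0 <= now <= t1) if t0 <= t1 else (now >= t0 or now <= t1)
        if not in_window:
            return False
    d0, d1 = _parse_date(r.start_date), _parse_date(r.end_date)
    today = when.date()
    if d0 is not None and today < d0:
        return False
    if d1 is not None and today > d1:
        return False
    if r.days and DAYS[when.weekday()] not in r.days:
        return False
    return True
```

`validate` mirrors the console's requirement that entries hold valid values, while `allowed` shows what the saved restriction will actually permit; evaluating a few boundary timestamps this way before saving is cheaper than discovering a rejected command in the field.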
Add a Privilege Manager restricted shell role
To add or modify shell roles
- From the PM Policy Editor view, click the Add Role button.
- From the Select Role Type dialog, choose Privilege Manager Restricted Shell Role and click OK.
The New Role dialog displays and allows you to specify the following groups of settings:
- General Settings
  - General Settings
  - Authentication Settings
  - User Defined Variables
- What Settings
  - Shell Commands
  - Pre-authorized Commands
- Where Settings
- Who Settings
  - Users Settings
  - Groups Settings
  - AD Groups Settings
- When Settings
  - Time Restrictions Settings
- How Settings
See Overriding role property defaults for more information about specifying role-specific overrides for a specific property.
Specifying general restricted shell settings
Provide general information about the Privilege Manager restricted shell role.
To specify general shell role settings
- Under Name and Description:
- Type in the name for the new role in quotes.
Note: This name becomes the file name for the role and displays in diagnostic messages.
- Select the override check box and type in a Description of the role in quotes.
- Select the override check box and select the Enable role option.
- Select the override check box and select a debug Trace level from the drop-down menu:
1: Show reason for reject
2: Verbose output
3: Show debug trace
- Under Keystroke Logging, provide the following:
- Select the override check box and select the Enable keystroke logging option.
- Select the Keystroke log path on the policy server option and type in a path to the I/O logs, in quotes.
This configures the directory in which the I/O logs are stored. For each session for which a keystroke log is generated, a unique file is created in this directory in the form:
where XXXXXX is a generated unique ID.
- Select the Disable password logging option.
When set, keystroke logging attempts to avoid writing passwords to the keystroke log.
- Select the Password prompts for password detection option and type in a password prompt in quotes.
Note: Separate multiple prompts with commas.
- Click OK to save the General shell role settings.
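The two password options work together: password logging can only be suppressed for input that follows a prompt the logger recognises, which is why the prompt list matters. The logger below is an added example, not One Identity's code, and models that mechanism: it takes the comma-separated, quoted prompt list format from the dialog, and assumes case-insensitive suffix matching on the last output before the input and a "[password suppressed]" placeholder in the log.

```python
"""Keystroke logger that suppresses input typed after a configured password prompt.

Added example, not the product's code. The prompt-list format (comma-separated,
each prompt in quotes) is from the dialog; the matching rule (case-insensitive,
output must end with a prompt) and the placeholder text are assumptions.
"""
from __future__ import annotations


def parse_prompts(setting: str) -> list[str]:
    """Split the dialog's comma-separated prompt list, dropping surrounding quotes."""
    prompts: list[str] = []
    for raw in setting.split(","):
        p = raw.strip()
        if len(p) >= 2 and p[0] == p[-1] == '"':
            p = p[1:-1]
        if p:
            prompts.append(p)
    return prompts


class KeystrokeLogger:
    """Records a session's output ('O:') and input ('I:') lines in order."""

    def __init__(self, prompts: list[str], disable_password_logging: bool = True):
        self.prompts = prompts
        self.disable_password_logging = disable_password_logging
        self.log: list[str] = []
        self._suppress_next = False   # set when the last output ended with a prompt

    def output(self, text: str) -> None:
        self.log.append("O:" + text)
        tail = text.rstrip().lower()
        self._suppress_next = self.disable_password_logging and any(
            tail.endswith(p.lower()) for p in self.prompts)

    def input(self, line: str) -> None:
        if self._suppress_next:
            self.log.append("I:[password suppressed]")   # typed characters never stored
            self._suppress_next = False
        else:
            self.log.append("I:" + line)


def demo_session(prompt_setting: str = '"Password:", "Enter password:"') -> list[str]:
    """Constructed session: su asks for a password, then a normal command runs."""
    kl = KeystrokeLogger(parse_prompts(prompt_setting))
    kl.output("$ ")
    kl.input("su -")
    kl.output("Password: ")
    kl.input("hunter2")          # constructed secret; must not appear in the log
    kl.output("# ")
    kl.input("id")
    kl.output("uid=0(root) gid=0(root)\n# ")
    return kl.log
```

The caveat this makes visible: `demo_session("")`, i.e. an empty prompt list, records `hunter2` verbatim, and so does any prompt that differs from the configured text (a localised or custom prompt, for instance). Review the prompts your managed hosts actually print before relying on suppression, and treat the I/O log directory as sensitive regardless.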