One Identity Management Console for Unix 2.5.2 - Administration Guide


Authorize AD groups

To authorize non-Unix-enabled Active Directory groups

  1. Select the Non-Unix-enabled Active Directory Groups authorized to run commands option and click Edit.

    The Edit Entries dialog opens, which allows you to add one or more non-Unix-enabled Active Directory group names separated by commas. For example:

    group1, WEBGROUPS

    Notes:

    • Do not enter ALL for all Active Directory groups.
    • You may not use wildcards.
    • You can identify AD groups in the form <domain>/<name>, <domain>\<name>, or <name>.
    • If you do not specify a domain, the console uses the joined domain by default.

    For more information about the Edit Entries dialog, click the help link.

  2. Click OK to save the Active Directory Groups settings.
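The entry rules above (comma-separated names, three accepted forms, no ALL, no wildcards, joined domain as the default) are small enough to encode as a validator. The following is an added example written for this page, not the console's own code; the function name `parse_ad_group_entries`, the `joined_domain` parameter, the case-insensitive rejection of ALL and the lower-casing of the domain part are all assumptions made here to show how such a list can be checked before it is saved to a policy.

```python
"""Validate and normalise a list of non-Unix-enabled AD group entries.

Hypothetical helper (not part of Management Console for Unix) modelled on
the rules given for the Edit Entries dialog: entries are comma separated,
may be written as <domain>/<name>, <domain>\\<name> or <name>, ALL is not
accepted, and wildcards are not supported.  Entries without a domain
fall back to the joined domain.
"""
import re
from typing import List, Tuple

# Characters that would act as wildcards; the dialog does not support them.
_WILDCARD_CHARS = set("*?")


def parse_ad_group_entries(text: str, joined_domain: str) -> List[Tuple[str, str]]:
    """Return a list of (domain, group) pairs for a comma-separated entry string.

    Raises ValueError on an empty entry, the literal ALL (compared
    case-insensitively, an assumption) or a wildcard, so a malformed list
    is rejected as a whole rather than partially applied.
    """
    groups: List[Tuple[str, str]] = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty group entry")
        if entry.upper() == "ALL":
            raise ValueError("ALL is not accepted for Active Directory groups")
        if _WILDCARD_CHARS & set(entry):
            raise ValueError(f"wildcards are not supported: {entry!r}")
        # Split on the first '/' or '\' only; group names themselves are
        # assumed not to contain either separator.
        parts = re.split(r"[/\\]", entry, maxsplit=1)
        if len(parts) == 2:
            domain, name = parts
            if not domain or not name:
                raise ValueError(f"malformed domain-qualified entry: {entry!r}")
        else:
            domain, name = joined_domain, entry
        # AD domain names are case-insensitive, so normalise the domain part.
        groups.append((domain.lower(), name))
    return groups


if __name__ == "__main__":
    # Constructed sample input using the page's own example entries.
    print(parse_ad_group_entries("group1, WEBGROUPS", "example.com"))
```

Rejecting the whole list on the first bad entry mirrors the dialog's intent: an authorization list that is half applied is harder to reason about than one that is refused outright.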

Specifying time restrictions

To specify time restrictions

  1. Select the You can restrict by Day, Date, and Time when users can execute commands option to enable time restrictions.
  2. Select the Restrict execution of commands option to enable time, date, or Day of Week restrictions.
  3. Select By Time to restrict the execution of commands by range of time.

    Time restrictions must be set to valid values. Leave the entry empty to disable the time restrictions.

  4. Select By Date to restrict the execution of commands by range of dates.

    Specify start or end dates using the form: yyyy/mm/dd. Date restrictions must be set to valid values. Leave the entry empty to disable the date restrictions.

  5. Select By Day of Week to restrict the execution of commands to certain days of the week.

    Select the applicable days of the week.

  6. Click OK to save the Time Restriction settings.

Add a Privilege Manager restricted shell role

To add or modify shell roles

  1. From the PM Policy Editor view, click the Add Role button.
  2. From the Select Role Type dialog, choose Privilege Manager Restricted Shell Role and click OK.

    The New Role dialog displays and allows you to specify:

    • General Settings
      • General Settings
      • Authentication Settings
      • User Defined Variables
    • What Settings
      • Shell Commands
      • Pre-authorized Commands
    • Where Settings
      • Run Hosts Settings
    • Who Settings
      • Users Settings
      • Groups Settings
      • AD Groups Settings
    • When Settings
      • Time Restrictions Settings
    • How Settings
      • Shell Settings

    See Overriding role property defaults for more information about specifying role-specific overrides for a specific property.

Specifying general restricted shell settings

Provide general information about the Privilege Manager restricted shell role.

To specify general shell role settings

  1. Under Name and Description:
    1. Type in the name for the new role in quotes.

      Note: This name becomes the file name for the role and displays in diagnostic messages.

    2. Select the override check box and type in a Description of the role in quotes.
    3. Select the override check box and select the Enable role option.
    4. Select the override check box and select a debug Trace level from the drop-down menu:
         1: Show reason for reject
         2: Verbose output
         3: Show debug trace
  2. Under Keystroke Logging, provide the following:
    1. Select the override check box and select the Enable keystroke logging option.
    2. Select the Keystroke log path on the policy server option and type in a path to the I/O logs, in quotes.

      This configures the directory in which the I/O logs are stored. Each time a keystroke log is generated for a session, a unique file is created in this directory in the form:

      <ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX

      where XXXXXX is a generated unique ID.

    3. Select the Disable password logging option.

      When set, the console attempts to avoid writing passwords to the keystroke log.

    4. Select the Password prompts for password detection option and type in a password prompt in quotes.

      Note: Separate multiple prompts with commas.

  3. Click OK to save the General shell role settings.
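Two of the settings above describe behaviour rather than a button: the per-session log file name `<ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX`, and prompt-driven password detection that only attempts to keep passwords out of the keystroke log. The block below is an added illustration written for this page, not Privilege Manager's or the console's implementation. The function names, the six-hex-character stand-in for the generated XXXXXX part, the `("out", text)`/`("in", text)` event representation, and the rule "redact the keyboard input that follows an output line containing a configured prompt" are all assumptions made here; the point it demonstrates is why a prompt that is not on the configured list leaves the typed secret in the log.

```python
"""Keystroke-log naming and best-effort password suppression.

Hypothetical illustration (not the console's or Privilege Manager's code)
of two behaviours the General settings describe: the per-session log file
name <ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX, and password
detection driven by a configured, comma-separated list of password prompts.
"""
import secrets
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

REDACTED = "********"  # constructed placeholder written instead of a password
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7)  # constructed session start time


def keystroke_log_path(profile: str, user: str, run_command: str,
                       when: datetime, unique_id: Optional[str] = None) -> str:
    """Build the log file name in the documented form.

    unique_id stands in for the generated XXXXXX part; when omitted a random
    six-character hex string is used (our choice, not the product's scheme).
    """
    if unique_id is None:
        unique_id = secrets.token_hex(3)  # 3 bytes -> 6 hex characters
    return f"{profile}/{user}/{run_command}_{when:%Y%m%d_%H%M}_{unique_id}"


def parse_prompt_list(setting: str) -> List[str]:
    """Split the 'Password prompts' setting into prompts.

    The setting is typed in quotes and multiple prompts are separated by
    commas, so surrounding quotes are stripped from each entry.
    """
    return [p.strip().strip('"') for p in setting.split(",") if p.strip()]


def _last_line(text: str) -> str:
    """Return the last non-empty line of an output chunk, or '' if none."""
    lines = text.rstrip("\n").splitlines()
    return lines[-1] if lines else ""


def redact_passwords(events: Iterable[Tuple[str, str]],
                     prompts: List[str]) -> List[Tuple[str, str]]:
    """Return the session events with keyboard input after a password prompt replaced.

    events are ("out", text) for program output and ("in", text) for a line
    the user typed.  If the last line of the most recent output contains a
    configured prompt, the following input line is logged as REDACTED.
    Input after a prompt that is not on the list is logged verbatim, which
    is why the setting only *attempts* to avoid logging passwords.
    """
    logged: List[Tuple[str, str]] = []
    expecting_password = False
    for direction, text in events:
        if direction == "out":
            expecting_password = any(p in _last_line(text) for p in prompts)
            logged.append((direction, text))
        elif direction == "in":
            logged.append((direction, REDACTED if expecting_password else text))
            expecting_password = False  # one input line per prompt
        else:
            raise ValueError(f"unknown event direction {direction!r}")
    return logged


if __name__ == "__main__":
    # Constructed sample session: a prompt on the list and one that is not.
    prompts = parse_prompt_list('"Password:", "Enter passphrase"')
    session = [("out", "$ su -\n"), ("out", "Password: "), ("in", "s3cret"),
               ("out", "# ssh backup\n"), ("out", "backup's secret word: "),
               ("in", "alsosecret"), ("out", "$ "), ("in", "id")]
    print(keystroke_log_path("webadmins", "alice", "su", SAMPLE_TIME))
    for line in redact_passwords(session, prompts):
        print(line)
```

When reviewing keystroke logs, treat the prompt list as a tuning knob: every interactive tool in the role's command set that asks for a secret with wording not on the list will have that secret recorded, so the list should be checked against the actual prompts those tools print.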