One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Console Roles and Permissions system settings

What a user sees in the mangement console is based on the rules that pertain to the console role the user is assigned. A user can only access and perform tasks specified for his roles. The default supervisor account is a member of all roles, however, that account is blocked from performing Active Directory tasks because the supervisor does not have Active Directory credentials.

Note: While all console roles, except supervisor, have permission to view the Active Directory tab, to perform certain Active Directory tasks, such as Unix-enabling an Active Directory user or group, the AD user assigned to the role must have the appropriate rights in Active Directory.

To access and perform tasks within the mangement console, assign users to one or more of the following console roles:

Note: All roles run reports. See Reports for more information about the reports that are available for each role.

Table 82: Console roles and permissions
Role Description Default Permissions Available UI
Manage Hosts Members can add, view, and manage hosts, as well as run reports.
  • View hosts
  • Manage hosts
  • Hosts tab
  • All Local Users tab
  • Active Directory tab
  • Reporting tab
Manage Sudo Policy Members can view and edit the sudoers policy file, run reports, and access a read-only view of all hosts.
  • View hosts
  • Edit Sudoers Policy
  • Hosts tab (view hosts only)
  • Policy | Sudo Policy Editor view
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Audit Sudo Policy Members can audit sudo policy through reports, replay keystroke logs, and access a read-only view of all hosts.
  • View hosts (read-only)
  • View and replay keystroke logs
  • Hosts tab (view hosts only)
  • Policy | PM Policy Editor view
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Console Administration Members can modify console System Settings and access a read-only view of all hosts.
  • View hosts (read-only)
  • Manage console System Settings
  • Hosts tab (view hosts only)
  • Active Directory tab
  • Settings | System settings view
    • General settings
    • Console Information settings
    • Privilege Manager settings
    • Active Directory settings
    • Licenses settings
Manage Console Access Members can add and remove members of console roles, run reports, and access a read-only view of all hosts.
  • View hosts (read-only)
  • Set console permissions (Roles and Permissions)
  • Hosts tab (view hosts only)
  • Active Directory tab
  • Reports tab to access only the Console Access and Permissions report
  • Settings | System settings view
    • Console Roles and Permissions settings
Manage PM Policy Members can view and edit the Privilege Manager policy, run reports, and access a read-only view of all hosts.
  • View hosts
  • Edit PM Policy
  • Hosts tab (view hosts only)
  • Policy | Edit Policy view
  • Policy | Event Logs view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Audit PM Policy Members can audit Privilege Manager policy through reports, replay keystroke logs, and access a read-only view of all hosts.
  • View hosts (read-only)
  • View and replay keystroke logs
  • Hosts tab (view hosts only)
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Reporting Members can run and view all reports and access a read-only view of all hosts.

  • View hosts (read-only)
  • View and produce any report

  • Hosts tab (view hosts only)
  • Active Directory tab
  • Reports tab to access reports

Note: Management Console for Unix does not allow you to add domain-local Active Directory groups to roles; you can only add security-enabled global and universal groups.

Adding (or Removing) role members

Note: This task requires that you are logged in as the supervisor or an Active Directory account with rights to add or remove members of console roles; that is, an account in the Manage Console Access role.

To add additional Active Directory members or groups to a role

  1. From the top-level Settings menu, navigate to System settings | Console Roles and Permissions.
  2. Select a role and click Members

    Note: If you are logged in as supervisor, the mangement console requires that you authenticate to Active Directory in order to select Active Directory users or groups to add members to a role.

  3. On the Role Members dialog, click Add.
  4. On the Select AD Object dialog, use the search controls to find and select Active Directory users or groups.
  5. Select one or more objects from the list and click OK.

    The mangement console adds the selected objects to the list.

  6. Click OK to save your selections.
  7. Click OK on the Console Roles and Permissions dialog to close System Settings and return to the mangement console.

Reviewing the Console Access and Privileges report

The Console Access and Permissions report lists users who have access to the mangement console based on membership in a role and the permissions assigned to the role.

To create the Console Access & Privileges report

  1. From the mangement console, navigate to Reporting.
  2. From the Reports view, double-click the Console Access and Permissions report name.

    The report opens a new Console Access and Permissions tab on the Reports view.

  3. Open the Export drop-down menu and select the format you want to use for the report: PDF or CSV.

    Note: If you are logged in as supervisor, the mangement console requires that you authenticate to Active Directory in order to view the settings for Active Directory.

    It launches a new browser or application page and displays the report in the selected format.

    Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. See JVM memory tuning suggestions for details.

Active Directory system settings

Use the Active Directory settings to configure the console for Active Directory, specify which sites, domains, domain controllers, and global catalogs the mangement console may access, and to define the default domain you want the console to use when authenticating a user account.

Note: If you are logged in as supervisor, the mangement console requires that you authenticate to Active Directory in order to view the settings for Active Directory.

Documents connexes