One Identity Privilege Manager for Unix uses policy files to define the rules governing which users are able to run which commands as root. The policy files are written in the syntax defined by Privilege Manager for Unix. When the policy files are applied on the Unix host, the Group Policy agent validates the new set of policy rules to ensure that they contain no syntax or logical errors. If the policy rules do not validate, the Group Policy agent logs an error and does not apply the policy files. This ensures that an oversight or other error does not break the security infrastructure already in place.
BEST PRACTICE: Always test your policy configuration before applying it by means of Group Policy.
If you add a file named pm.conf, this file overrides the default root policy file. The Group Policy agent updates the list of files included from the root policy file to include all of the configured files. If the validation step fails after the included files have been updated, the policy is not applied.
For more information about the syntax of Privilege Manager for Unix policy files, refer to the documentation included with One Identity Privilege Manager for Unix.
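The validate-then-apply behaviour described above, as an added illustration written for this page (it is not One Identity's agent code and does not use the real policy syntax): a configured set of files is staged, a root policy that includes them is rendered (a configured pm.conf replaces the default root), a validator runs over the staged set, and the new set replaces the live one only when validation passes; on failure the live policy is left untouched and the problems are logged. The `include "<file>";` directive format, the placeholder rule bodies and `toy_validator` are assumptions standing in for the product's documented syntax and checker.

```python
"""Fail-closed staging of a privilege policy set (illustration, not product code)."""
import logging
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

log = logging.getLogger("policy-apply")
ROOT_POLICY = "pm.conf"  # name of the root policy file, as stated on the page


def render_root_policy(configured: Dict[str, str]) -> str:
    """Build the root policy text: a configured pm.conf replaces the default root,
    and every other configured file is included in the order given.
    The include directive format below is an assumption, not the product's syntax."""
    body = configured.get(ROOT_POLICY, "# default root policy (placeholder)\n")
    others = [name for name in configured if name != ROOT_POLICY]
    lines = [body.rstrip("\n"), "# files added by the deployment step"]
    lines.extend(f'include "{name}";' for name in others)
    return "\n".join(lines) + "\n"


def toy_validator(staging: Path) -> List[str]:
    """Constructed stand-in for the real validator; returns a list of problems.
    It only checks for empty files, unbalanced braces and missing include targets."""
    problems: List[str] = []
    for path in sorted(staging.iterdir()):
        text = path.read_text()
        if not text.strip():
            problems.append(f"{path.name}: empty policy file")
        if text.count("{") != text.count("}"):
            problems.append(f"{path.name}: unbalanced braces")
    root = staging / ROOT_POLICY
    if not root.exists():
        return problems + ["missing root policy"]
    for line in root.read_text().splitlines():
        if line.startswith('include "'):
            target = line[len('include "'):].split('"', 1)[0]
            if not (staging / target).exists():
                problems.append(f"{ROOT_POLICY}: includes missing file {target}")
    return problems


def apply_policy_set(live_dir: Path, configured: Dict[str, str],
                     validator: Callable[[Path], List[str]] = toy_validator) -> bool:
    """Stage, validate, then swap the new set in; return True only if applied.
    Any validation failure leaves live_dir byte-for-byte unchanged."""
    live_dir = Path(live_dir)
    staging = Path(tempfile.mkdtemp(prefix="pm-staging-", dir=live_dir.parent))
    try:
        for name, text in configured.items():
            if name != ROOT_POLICY:
                (staging / name).write_text(text)
        (staging / ROOT_POLICY).write_text(render_root_policy(configured))
        problems = validator(staging)
        if problems:
            for problem in problems:
                log.error("policy not applied: %s", problem)
            return False
        backup = live_dir.with_name(live_dir.name + ".previous")
        if backup.exists():
            shutil.rmtree(backup)
        if live_dir.exists():
            os.rename(live_dir, backup)  # keep the last good set for rollback
        os.rename(staging, live_dir)  # directory rename: all-or-nothing switch
        return True
    finally:
        shutil.rmtree(staging, ignore_errors=True)  # no-op once renamed into place


def run_demo() -> Dict[str, object]:
    """Exercise the apply step in a throw-away directory with constructed inputs."""
    work = Path(tempfile.mkdtemp(prefix="pm-demo-"))
    live = work / "policy"
    good = {"admins.conf": "# constructed placeholder body\n{ }\n"}
    bad = {"admins.conf": "{ unbalanced placeholder\n"}
    custom = {"pm.conf": "# constructed custom root\n{ }\n", "ops.conf": "{ }\n"}
    results: Dict[str, object] = {}
    results["good_applied"] = apply_policy_set(live, good)
    results["good_root"] = (live / ROOT_POLICY).read_text()
    snapshot = {p.name: p.read_text() for p in live.iterdir()}
    results["bad_applied"] = apply_policy_set(live, bad)
    results["live_unchanged"] = snapshot == {p.name: p.read_text() for p in live.iterdir()}
    results["custom_applied"] = apply_policy_set(live, custom)
    results["custom_root"] = (live / ROOT_POLICY).read_text()
    shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point of the directory rename is that a host never runs with a half-written policy set: validation happens on the staged copy, and the switch to the new set is a single rename, with the previous set kept beside it for rollback.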
To configure Privilege Manager policy files
- In the Group Policy Object Editor, navigate to Unix Settings | Quest Privilege Manager.
- Double-click Privilege Manager Policy Files.
The Privilege Manager Policy Files Properties dialog opens.
- Click Add to browse for a Privilege Manager policy file. You can browse the local host or a remote host running SSH.
- Once you have added all of the policy files, you can reorder them using the Up and Down buttons.
- You can edit the contents of the policy file directly by either double-clicking the item in the list or clicking Edit File.
Privilege Manager policy files are evaluated when group policy is applied. If a Privilege Manager policy file contains errors, it is not applied.
- Click OK to save settings and close the Privilege Manager Policy Files Properties dialog.
The Privilege Manager Configuration policy manages the pm.settings file, which contains configuration options for One Identity Privilege Manager for Unix. The Group Policy agent applies the configuration to the pm.settings file.
Because the Group Policy agent is based on Active Directory and Kerberos, setting the Kerberos setting to "yes" causes the Group Policy agent to fully configure all other Kerberos settings automatically. For this reason, the additional Kerberos-related settings are not displayed in the Settings dialog.
For more information about the Privilege Manager configuration settings, refer to the documentation included with One Identity Privilege Manager for Unix.
To configure Privilege Manager configuration settings
- In the Group Policy Object Editor, navigate to Unix Settings | Quest Privilege Manager.
- Double-click Privilege Manager Configuration.
The Privilege Manager Configuration Properties dialog opens.
- Locate the setting you want to configure.
Browse the list or type the setting name (or part of the name) in the search box and click Search.
- Enter the desired value for the setting.
The dialog displays additional information about the selected setting in a help box at the bottom. The help box is resizable using the splitter bar between the settings list and the help text.
- Click OK to save the settings and close the dialog.