| Component or task | Active Directory permissions required | Local (Unix) permissions required |
|---|---|---|
| Safeguard Authentication Services Application Configuration: creation | Location in Active Directory with Create Container Object rights | N/A |
| Safeguard Authentication Services Application Configuration: changes (Unix Global Settings, Licensing, Schema Attributes including Unix Attributes) | Update permission on the containers created above (no particular permissions if you are the one who created them) | N/A |
| Schema optimization | Schema Administrator rights | N/A |
| Display Specifier Registration | Enterprise Administrator rights | N/A |
| Editing Users | Administrator rights | N/A |
| Create any group policy objects | Group Policy Creator Owners rights | N/A |
| RFC 2307 NIS Import Map Wizard | Location in Active Directory with Create Container Object rights (you create containers for each NIS map) | N/A |
| Unix Account Import Wizard | Administrator rights (you are creating new accounts) | N/A |
| Logging Options | Write permissions to the file system folder where you want to create the logs | N/A |
| vasd daemon | The client computer object is expected to have read access to user and group attributes, which is the default. For Safeguard Authentication Services to update the host object's operating system attributes automatically, grant "SELF" the following rights on the client computer object: Write operatingSystem, Write operatingSystemHotfix, and Write operatingSystemServicePack. | vasd must run as root |
| QAS/VAS PAM module | N/A (updated by means of vasd) | Any local user |
| QAS/VAS NSS module, vastool nss | N/A (updated by means of vasd) | Any local user |
| vastool command-line tool | Depends on which vastool command is run | Any local user for most commands |
| vastool join, vastool unjoin | Computer creation or deletion permissions in the desired container | root |
| vastool configure, vastool unconfigure | N/A | root |
| vastool search, vastool attrs | Read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool setattrs | Write permissions for the desired object | Any local user |
| vastool cache | N/A | Run as root if you want all tables, including authcache |
| vastool create | Permissions to create new users, groups, and computers as specified | Any local user; root needed to create a new local computer |
| vastool delete | Permissions to delete existing users, groups, or computers as specified; permissions to remove the keytab entry for the host object created (root, or write permissions in the directory and the file) | Any local user |
| vastool flush | The client computer object is expected to have read access to user and group attributes, which should be the default | root |
| vastool group add, vastool group del | Permission to modify group membership | Any local user |
| vastool group hasmember | Read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool info { site \| domain \| domain -n \| forest-root \| forest-root -dn \| server \| acl } | N/A | Any local user |
| vastool info { id \| domains \| domains -dn \| adsecurity \| toconf } | Read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool isvas, vastool inspect, vastool license | N/A | Any local user |
| vastool kinit, vastool klist, vastool kdestroy | Local client needs permissions to modify the specified keytab; the default is the computer object's keytab, which requires root. | Any local user |
| vastool ktutil | N/A | root if you are using the default host.keytab file |
| vastool list (with -l option) | Read permission for the desired objects (regular Active Directory user) | Any local user |
| vastool load | Permissions to create users and groups in the desired container | Any local user |
| vastool merge, vastool unmerge | N/A | root |
| vastool passwd | Regular Active Directory user | Any local user |
| vastool passwd <AD user> | Active Directory user with password reset permission | Any local user |
| vastool schema list, vastool schema detect | Regular Active Directory user | Any local user |
| vastool schema cache | Regular Active Directory user | root (to modify the local cache file) |
| vastool service list | Regular Active Directory user | Any local user |
| vastool service { create \| delete } | Active Directory user with permission to create/delete service principals in the desired container | N/A |
| vastool smartcard | N/A | root |
| vastool status | N/A | root |
| vastool timesync | N/A | root; if you only query the time from AD, you can run as any local user |
| vastool user { enable \| disable } | Modify permissions on the AD object | Any local user |
| vastool user { checkaccess \| checkconflict } | N/A | Any local user |
| vastool user checklogin | Access to the Active Directory user's password | Any local user |
| vasgmsaupdate service | On the Windows Domain Controller, the host machine must be permitted to retrieve the gMSA account | Service must be started as root |
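The vasd row above asks for "SELF" to be granted write access to exactly three attributes (operatingSystem, operatingSystemHotfix, operatingSystemServicePack) on the client computer object. The following PowerShell is an added example of doing that, not code from the Safeguard Authentication Services documentation or product. It assumes the RSAT ActiveDirectory module is installed on a domain-joined Windows host and that the caller may modify the computer object's security descriptor; the computer account name UNIXHOST01 is a placeholder.

```powershell
# Added example (not from the Safeguard Authentication Services documentation):
# grant SELF WriteProperty on three specific attributes of one computer object.
# Assumes the RSAT ActiveDirectory module; UNIXHOST01 is a placeholder name.
Import-Module ActiveDirectory

$computerName = 'UNIXHOST01'   # placeholder: the joined Unix host's computer account

# Resolve each attribute's schemaIDGUID from the schema partition so every ACE
# is scoped to a single property instead of the whole object.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attributeNames = 'operatingSystem', 'operatingSystemHotfix', 'operatingSystemServicePack'
$attributeGuids = foreach ($name in $attributeNames) {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) { throw "Schema attribute '$name' not found" }
    [guid]$attr.schemaIDGUID
}

# SELF is the well-known SID S-1-5-10: the computer account acting on its own object.
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

$computer = Get-ADComputer -Identity $computerName
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $aclPath

foreach ($guid in $attributeGuids) {
    # WriteProperty + objectType GUID = write access to that one attribute only.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $aclPath -AclObject $acl

# Verify: list the SELF entries scoped to the three attributes just granted.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -in $attributeGuids } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Scoping each ACE to a property GUID rather than granting GenericWrite or Write All Properties keeps the computer account's self-write limited to the operating-system attributes the table names, which is what allows vasd to keep them current without widening what a compromised host could change on its own object. The trailing Get-Acl query is the check to run after Set-Acl: it should return exactly three WriteProperty entries for NT AUTHORITY\SELF.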