Description
Type string READONLY
user contains the submit user's login name.
Example
if ( (user == "matt") && (command == "passwd") ) 
{ 
   printf("matt is not allowed to alter passwords"); 
   reject; 
}
Type integer READONLY
year contains the year in which the request was submitted in the format YY.
if ( (year == "08") || (year == "12") ) 
{ 
   if ( (month == "01") && (day == "29") ) 
   { 
      printf("This year is a leap year, something has gone wrong"); 
      reject; 
   } 
}
The following predefined global variables are initialized from the submit user's environment.
| Variable | Data Type | Description |
|---|---|---|
| | string | Action to be taken when alertkeysequence is matched. |
| | list | List of patterns to match in a session. |
| | integer | Specifies whether to prevent the runcommand process from executing new processes. |
| | string | Pathname of the audit log. |
| | string | Host name list for remote event logging. |
| | string | Message to display if runcommand cannot run. |
| | string | Pathname of the keystroke log. |
| | integer | Specifies whether to encrypt the keystroke log. |
| | integer | Max bytes to log for a stderr message. |
| | integer | Max chars to log for a stdout message. |
| | string | Host name list for remote keystroke logging. |
| | integer | Specifies whether to exclude passwords from the keystroke log. |
| | list | Variables to omit from the audit and keystroke logs. |
| | integer | Specifies whether to keystroke log stderr messages. |
| | integer | Specifies whether to keystroke log stdin messages. |
| | integer | Specifies whether to keystroke log stdout messages. |
| | string | Message to display if the runcommand is not found on the run host. |
| | list | Detects presence of password prompts. |
| | list | Commands to allow in a Privilege Manager for Unix shell without further authorization. |
| | list | Commands to allow in a Privilege Manager for Unix shell without further authorization if input is from a pipe. |
| | integer | Specifies whether to authorize shell built-in commands in a Privilege Manager for Unix shell. |
| | list | Commands to forbid in a Privilege Manager for Unix shell without further authorization. |
| | list | Variables to mark as read-only in a Privilege Manager for Unix shell. |
| | string | Reject message to display when a forbidden command runs in a Privilege Manager for Unix shell. |
| | integer | Specifies whether to run a Privilege Manager for Unix shell in restricted mode. |
| | integer | Specifies whether to use the originating login host name in preference to the submit host. |
| | list | A list of values specified by the keepenv() call. |
| | list | A list of values specified by the setenv() call. |
| | list | A list of values specified by the unsetenv() call. |
| | string | Specifies whether to use the runuser’s environment rather than the submit user’s environment. |
| | string | Message to display when a session is rejected. |
| | list | List of arguments for the request. |
| | boolean | The run version of bkgd. When set to True, lets the user stop the pmrun call and move it to the background. |
| | string | Requests the command to run with a specified root directory. |
| | string | Identifies a checksum to use to verify against the runcommand. |
| | string | A modifiable copy of the clienthost input variable. |
| | string | Full pathname of the request. |
| | string | Specifies whether the agent should request the runuser to authenticate before executing the runcommand. |
| | string | Working directory to set for the request. |
| | boolean | Lets you use runrlimit variables on the run host. |
| | list | List of environment variables to set for the request. |
| | string | Primary group to set for the request. |
| | list | List of secondary groups to set for the request. |
| | string | Host on which to run the request. |
| | integer | Nice value to apply for the request. |
| | list | A list of permitted paths for commands. |
| | string | Pty flags to apply for the request. |
| | string | Controls the maximum memory that is available to a process. |
| | string | Controls the maximum size of a core file. |
| | string | Controls the maximum CPU time of a process. |
| | string | Controls the maximum size of data segment of a process. |
| | string | Controls the maximum size of a file. |
| | string | Controls the maximum number of file locks for a process. |
| | string | Controls the maximum number of bytes of virtual memory that can be locked. |
| | string | Controls the maximum number of files a user may have open at a given time. |
| | string | Controls the maximum number of processes a user may run at a given time. |
| | string | Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process. |
| | string | Controls the maximum size of the process stack. |
| | integer | Specifies the number of seconds of idle time before ending the session. |
| | integer | Umask value to apply for the request. |
| | string | User to run the request. |
| | string | Utmp user to use when logging to utmp. |
| | string | User name to run subprocesses of the policy server master daemon. |
| | string | Directory used for temporary storage of I/O log files if a remote log host is specified in iologhost. |
Type string READ/WRITE
alertkeyaction contains the action to be taken if a command matches a pattern configured in alertkeysequence. The alertkeyaction can be defined as "reject", "log" or any custom string. The default value is "log".
switch (user) { 
   case "root" : alertkeyaction = "ignore"; break; 
   default : alertkeyaction = "log"; break; 
}