
One Identity Management Console for Unix 2.5.2 - Administration Guide


Edit Entries dialog

The Edit Entries dialog displays when you attempt to add, change, or delete properties in the What (commands), Where (hosts), and Who (users and groups) role parameters for both the Privilege Manager roles and restricted shell roles.

From the Edit Entries dialog, add one or more entries to the selection list box and click OK to add them to the Privilege Manager role property.

Table 64: Edit Entries dialog
Option Description
Add entries Place your cursor in the text box and enter the following:
  • To add commands, enter the commands permitted by this role.
  • To add hosts, enter the FQDN, IP address, or short name of each host you want to add.
  • To add users, enter the authorized user names.
  • To add groups, enter the authorized group names.

Separate multiple entries with commas.

NOTE: You can copy and paste a comma-delimited list into the text box; the console splits it into individual entries and places quotes around each one.

Press the Enter key or click the Add button to add the entry to the selection list box.

Selection list This list box contains the entries that are to be added to the Privilege Manager role property.
Import

Click the Import button to import entries from a .txt file. The Import entries from a file dialog opens so you can browse to the file to use for the import.

The import file must contain only one entry per line. For example, an import hosts file must contain one IP address or DNS name per line.

See Known_hosts file format for details about the supported file formats.

Delete Select an entry (command, host, user, or group) in the selection list and click Delete to remove it from the list.
Select

The options on the Select button vary depending on whether you are adding commands, hosts, users, or groups.

  • Select Variable

    Available for all properties and opens the Select Variables dialog from which you can search for and choose one or more variables to add to the selection list box.

  • Select Host

    Available for the Where properties and opens the Select Host dialog from which you can search for and choose one or more hosts to add to the selection list box.

  • Select Local User

    Available for the Who properties and opens the Select Local User dialog from which you can search for and choose one or more local users to add to the selection list box.

  • Select AD User

    Available for the Who properties and opens the Select AD User dialog from which you can search for and choose one or more Active Directory users to add to the selection list box.

  • Select Local Group

    Available for the Who properties and opens the Select Local Group dialog from which you can search for and choose one or more local groups to add to the selection list box.

  • Select AD Group

    Available for the Who properties and opens the Select AD Group dialog from which you can search for and choose one or more Active Directory groups to add to the selection list box.

For more information about editing the properties in the What (commands), Where (hosts), and Who (users and groups) role parameters for both the Privilege Manager roles and restricted shell roles, refer to the following topics:

Privilege Manager Role Properties

Restricted Shell Role Properties
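The Import option accepts only one entry per line, and a hosts file must hold exactly one IP address or DNS name per line; a file that was pasted from a comma-delimited list or that carries stray whitespace produces role entries that never match a real host. The script below is an added example (it is not part of the guide or of the One Identity product) that checks a hosts import file before you load it into a Where property: it rejects blank and comma-separated lines, entries with embedded whitespace, names that are neither an IP address nor a syntactically valid hostname, and case-insensitive duplicates. The sample file contents are constructed for the example.

```python
"""Validate a hosts import file for the Edit Entries dialog.

Added example, not One Identity code. The Import option expects exactly one
host per line (IP address, FQDN, or short name). This checker reports the
mistakes that silently produce unusable Where entries.
"""
import ipaddress
import re
import sys

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing '-'
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def classify_host(entry: str) -> str:
    """Return 'ip', 'fqdn', 'short', or 'invalid' for one candidate entry."""
    try:
        ipaddress.ip_address(entry)       # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if len(entry) > 253 or not _HOSTNAME_RE.match(entry):
        return "invalid"
    return "fqdn" if "." in entry.rstrip(".") else "short"


def validate_import(text: str) -> tuple[list[str], list[str]]:
    """Check import-file contents; return (accepted_entries, problems).

    Problems carry 1-based line numbers so the file can be fixed before import.
    """
    accepted: list[str] = []
    problems: list[str] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            problems.append(f"line {lineno}: blank line")
            continue
        if "," in entry:
            problems.append(f"line {lineno}: comma-separated list; one host per line")
            continue
        if any(ch.isspace() for ch in entry):
            problems.append(f"line {lineno}: whitespace inside entry {entry!r}")
            continue
        if classify_host(entry) == "invalid":
            problems.append(f"line {lineno}: not an IP address or DNS name: {entry!r}")
            continue
        key = entry.lower()               # DNS names are case-insensitive
        if key in seen:
            problems.append(f"line {lineno}: duplicate entry {entry!r}")
            continue
        seen.add(key)
        accepted.append(entry)
    return accepted, problems


# Constructed sample import file (not taken from a real environment).
SAMPLE_IMPORT = """\
db01.example.com
192.0.2.10

web01, web02
app03 .example.com
DB01.example.com
2001:db8::1
bad_host
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IMPORT
    ok, errs = validate_import(data)
    for err in errs:
        print("PROBLEM:", err)
    print(f"{len(ok)} host(s) accepted: {', '.join(ok)}")
    sys.exit(1 if errs else 0)
```

Run it with the import file as the only argument; a non-zero exit means the file needs fixing. The hostname check is purely syntactic, so a name that passes may still not resolve; resolving each entry against your DNS is a separate step.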

Specifying general role settings

Provide general information about the Privilege Manager role.

To specify general Privilege Manager role settings

  1. Under Name and Description:
    1. Type in the name for the new role.

      Note: This name becomes the file name for the role and displays in diagnostic messages.

    2. Select the override check box and type in a Description of the role.
    3. Select the override check box and select the Enable role option.
    4. Select the override check box and select a debug Trace level from the drop-down menu:
         1: Show reason for reject
         2: Verbose output
         3: Show debug trace
  2. Under Keystroke Logging, provide the following:
    1. Select the override check box and select the Enable keystroke logging option to explicitly add this property to the role.

      Deselect the property to explicitly disable keystroke logging for this role.

    2. Select the override check box and, in the Keystroke log path on the policy server text box, type the path (in quotes) of the directory that will hold the I/O logs.

      Each session for which a keystroke log is generated creates a unique file under this directory, named in the form:

      <ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX

      where XXXXXX is a generated unique ID.

    3. Select the override check box and select the Disable password logging option to explicitly add this property to the role.

      When set, Privilege Manager attempts to avoid writing passwords to the keystroke log. Detection relies on the prompt strings configured in the next step, so treat it as best-effort: input typed at a prompt that is not listed may still be captured.

    4. Select the override check box and type in a password prompt, in quotes, in the Password prompts for password detection text box.

      Note: Separate multiple prompts with commas.

  3. Click OK to save the General role settings.
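Because every logged session lands under the keystroke log path as <ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX, the directory layout itself is an audit index of who ran what, under which role, and when. The script below is an added example (not part of the guide or of the product) that parses such paths into records and groups them per user; it assumes only the naming form stated above and that the generated unique ID contains no underscore, and it parses from the right so commands whose names contain underscores are handled. The sample paths are constructed for the example.

```python
"""Index Privilege Manager keystroke (I/O) logs by role, user, command and time.

Added example, not One Identity code. Assumes the layout documented for the
keystroke log path: <ProfileName>/<User>/<RunCommand>_YYYYMMDD_HHMM_XXXXXX,
and that the generated unique ID XXXXXX contains no underscore (assumption).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path, PurePosixPath
from typing import Optional

# Trailing "_YYYYMMDD_HHMM_XXXXXX"; everything before it is the command name.
_SUFFIX_RE = re.compile(r"^(?P<cmd>.+)_(?P<date>\d{8})_(?P<time>\d{4})_(?P<uid>[^_/]+)$")


@dataclass(frozen=True)
class SessionLog:
    role: str          # <ProfileName>: the role whose policy captured the session
    user: str          # <User>: the submitting user
    command: str       # <RunCommand>
    started: datetime  # from YYYYMMDD_HHMM
    unique_id: str     # XXXXXX
    path: str          # path relative to the keystroke log root


def parse_log_path(relative: str) -> Optional[SessionLog]:
    """Parse a path relative to the log root; None if it does not fit the layout."""
    parts = PurePosixPath(relative).parts
    if len(parts) != 3:
        return None
    role, user, name = parts
    m = _SUFFIX_RE.match(name)
    if not m:
        return None
    try:
        started = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M")
    except ValueError:          # e.g. month 13: not a real session file
        return None
    return SessionLog(role, user, m["cmd"], started, m["uid"], relative)


def index_logs(root: Path) -> list[SessionLog]:
    """Walk the keystroke log root and return parsed sessions, newest first."""
    sessions = []
    for p in root.rglob("*"):
        if p.is_file():
            rec = parse_log_path(p.relative_to(root).as_posix())
            if rec:
                sessions.append(rec)
    return sorted(sessions, key=lambda s: s.started, reverse=True)


def sessions_by_user(sessions: list[SessionLog]) -> dict[str, list[str]]:
    """Group commands by submitting user, e.g. for a per-user access review."""
    out: dict[str, list[str]] = {}
    for s in sessions:
        out.setdefault(s.user, []).append(s.command)
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for s in index_logs(Path(sys.argv[1])):
            print(f"{s.started:%Y-%m-%d %H:%M}  {s.role:<12} {s.user:<10} {s.command}")
    else:
        # Constructed sample names (not real logs) so the script runs offline.
        for rel in ("dba_role/alice/backup_db_20240315_1402_a1b2c3",
                    "dba_role/bob/psql_20240315_0917_9f8e7d",
                    "dba_role/alice/README"):
            print(rel, "->", parse_log_path(rel))
```

Point it at the directory you configured as the keystroke log path on the policy server to get a newest-first listing; files that do not follow the naming form (for example notes dropped into the tree by hand) are skipped rather than misreported.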

Specifying authentication settings

To specify authentication settings

  1. Select the Users can be required to authenticate to a PAM service when they run any commands in the role for an added level of security option.

    By default, the console authenticates the submit user on the master host using the sshd service.

  2. Select the Require users to enter their password when running commands option to force the user to authenticate to run all commands.
  3. Select the Authenticate the user on the host where they run the commands option to authenticate users on the client host, rather than on the primary server.
  4. Select the PAM service to use when authentication to PAM is required option and type the PAM service name, in quotes, in the text box.
  5. Select the Command line prompt when authentication is required option and type the prompt to show when PAM authentication is required, in quotes, in the text box.
  6. Click OK to save the Authentication settings.

Viewing user-defined variables

The User Defined Variables option allows you to view user-defined variable settings.

Note: To modify these variables, you must use the text editor. See Modifying PM policy files with the text editor for details.

To view user-defined variable settings

  1. Under General, click the User Defined Variables link.

    The User Defined Variables window lists variables and their values.

  2. Click Cancel to close the GUI editor.