Chat now with support
Chat with Support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Specifying time restrictions

To specify time restrictions

  1. Select the You can restrict by Day, Date, and Time when users can execute commands option to enable time restrictions.
  2. Select the Restrict execution of commands option to enable time, date, or Day of Week restrictions.
  3. Select By Time to restrict the execution of commands by range of time.

    Time restrictions must be set to valid values. Leave the entry empty to disable the time restrictions.

  4. Select By Date to restrict the execution of commands by range of dates.

    Specify start or end dates using the form: yyyy/mm/dd. Date restrictions must be set to valid values. Leave the entry empty to disable the date restrictions.

  5. Select By Day of Week to restrict the execution of commands to certain days of the week.

    Select the applicable days of the week.

  6. Click OK to save the Time Restriction settings.

Specifying shell settings

To specify shell settings

  1. Select the Privilege Manager secure shells members are allowed to run on hosts option and select the applicable Privilege Manager for Unix shells: pmksh, pmsh, pmcsh, and pmshellwrapper.

    Note: pmshellwrapper does not support any of the following variables.

  2. Select the Run allowed Privilege Manager secure shells in restricted mode option.

    Note: When running shells in restricted mode, the user:

    • cannot change directory
    • cannot change PATH, ENV, or SHELL
    • can only run programs in PATH
    • cannot use absolute or relative paths
    • cannot use I/O redirection with the > or < characters.

    This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  3. Select the Environment variables the user cannot change in the shell option and enter the environment variables in the text box.

    Note:

    • Separate multiple variables with commas, as in:
      "PATH", "TERM", ENV_VARIABLES
    • In restricted mode, the following variables are always read-only: PATH, ENV, and SHELL.
    • This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  4. Select the Shell execution directory option, and enter the directory from which you will execute the shell program in the text box.

    Separate multiple paths with commas, as in:

    "/bin","var/opt/quest"
  5. Select the Shell session PATH option and enter the shell session paths in the text box.

    Separate multiple paths with commas, as in:

    "/usr/bin","/bin","."

    By default the console sets the standard paths, adds the run user's home directory, and the current directory. This is particularly relevant for shells running in restricted mode where the user cannot change the PATH and can only run commands relative to the configured PATH.

    Note: This setting only applies to the pmksh, pmcsh, and pmsh shell programs.

  6. Click OK to save the Shell Settings.

Adding Privilege Manager role based on an existing role

To add a new role based on an existing role

  1. From the PM Policy Editor view, click the Add Role button.

  2. From the Select Role Type dialog, choose Use an existing role as a template for the new role.

  3. Select an existing role to use as the template and click OK.

    Refer to Default roles (or profiles) for a description of the roles provided by Privilege Manager for Unix.

Saving policy files

To save a policy file

  1. Click Save to save the policy.

    You can also click the (close) icon in the upper-right of the policy panel to close the policy. If you have made changes, you are prompted to save them.

    The policy is saved as a new version; not as the version number that you opened.

    Note: If the file contains unresolved syntax errors when you click Save, the editor gives you an option to Save with Errors. One Identity recommends that you correct errors before saving to ensure that the policy server does not reject all commands.

    The Errors pane is located across the bottom of the Edit Policy view and provides feedback on any errors encountered when you click the Error Check button. While in the text editor, error checking only checks for syntax errors; when in the GUI editor, error checking also checks that the policy is correctly configured to use profile-based (or role based) policy. Double-clicking an error message takes you to the line in question.

  2. Enter a comment describing the changes and click OK to save the latest revision of the policy.

    The new version of the policy becomes the latest version in use by Privilege Manager.

Related Documents