One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Deleting Privilege Manager role

To delete Privilege Manager role

  1. From the PM Policy Editor view, select a role and click Delete Role.

  2. From the Delete Role dialog, click Delete.

  3. Confirm the delete.

Note: Deleting a role from the policy may prevent users from running commands or completing tasks that are allowed by this role.

Changing policy version

To change the policy version

  1. From the PM Policy Editor view, click the Change Version button.

    The Change Version dialog displays.

  2. Select a version of the policy to open.
  3. Enter a change commit message and click OK.
  4. Confirm your desire to replace the existing policy currently in use by Privilege Manager for Unix.

    The policy file is saved as a new version and becomes the currently active policy.

Reviewing policy changes

The Policy Changes report provides the details of changes made to the policy.

To create the Policy Changes report

  1. From the PM Policy Editor view, click the Policy Change Report button.

    You can also navigate to this report from the Reporting tab on the mangement console.

    The report opens a new Policy Changes tab on the Reporting view.

  2. Select a policy group from the drop-down menu.
  3. Choose one of these options:
    1. Show all changes to the policy.
    2. Show only changes for a specific pmpolicy file (not available for sudo-based policy).
    3. Show only changes for a particular version of it.
  4. Open the Export drop-down menu and select the format you want to use for the report: PDF or CSV.

    It launches a new browser or application page and displays the report in the selected format.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. See JVM memory tuning suggestions for details.

Managing role defaults

You can set global policy defaults for Privilege Manager roles and restricted shell roles. When you set a global default for a property, it applies to all roles unless you have set a specific property in an individual role to override the global policy default. See Overriding role property defaults for more information about specifying role-specific overrides for a specific property.

To manage role defaults

  1. From the PM Policy Editor view, click Manage Defaults.

    The Role Defaults dialog displays allowing you to specify the following settings:

    • Role General Settings
      • General Settings
      • Authentication Settings
      • User Defined Variables
    • Role What Settings
      • Pre-authorized Commands
    • Role When Settings
      • Time Restrictions Settings
    • Role How Settings
      • Shell Settings

    Note: Not all variables can be set as global defaults using the Manage Defaults button on the GUI editor; however, you can set any variable as a global default using the text editor. See Role property variables for a list of variables.

  2. For example, to set a global default for the Enable role property you must use the text editor.
    1. From the PM Policy Editor view, click the Text Editor button in the top-right corner.
    2. Double-click the global_profile.conf configuration policy name or right-click and choose Open as text.
    3. Add the following line to the global_profile.conf file:
      pf_enableprofile = true;
    4. Click Save, enter a commit description, and click OK.
Related Documents