Chat now with support
Chat with Support

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Privilege Manager for Unix licensing

Privilege Manager for Unix 7.1 licensing options include:

30-day evaluation licenses

Privilege Manager for Unix evaluation license allows you to manage unlimited PM Agent hosts for 30 days.

Commercial licenses

A PM Policy license is required for Privilege Manager for Unix features.

Although licenses are allocated on a per-agent basis, you install the licenses on Privilege Manager for Unix policy servers.

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. See Installing licenses or Displaying license usage for more examples of using the pmlicense command.

Deployment scenarios

You can deploy Privilege Manager for Unix software within any organization using UNIX and/or Linux systems. Privilege Manager for Unix offers a scalable solution to meet the needs of the small business through to the extensive demands of the large or global organization.

There is no right or wrong way to deploy Privilege Manager for Unix, and an understanding of the flexibility and scope of the product will aid you in determining the most appropriate solution for your particular requirements. This section describes the following sample implementations:

  • a single host installation
  • a medium-sized business installation
  • a large business installation
  • an enterprise installation

Configuration options

Decide which of the following configurations you want to set up:

  1. Primary Server Configuration: Configure a single host as the primary policy server hosting the security policy for the policy group using either the pmpolicy (Privilege Manager for Unix) or sudo (Safeguard for Sudo) policy type. See Security policy types for more information about these policy types.

    If you are configuring the primary policy server using the sudo policy type, see the One Identity Privilege Manager for Sudo Administration Guide.

  2. Secondary Server Configuration: Configure a secondary policy server in the policy server group to obtain a copy of the security policy from the primary policy server.
  3. PM Agent Configuration: Join a Privilege Manager for Unix Agent host to a pmpolicy server group.

    Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.

Single host deployment

A single-host installation is typically appropriate for evaluations, proof of concept, and demonstrations of Privilege Manager for Unix. This configuration example installs all of the components on a single UNIX/Linux host, with protection offered only within this single host. All logging and auditing takes place on this host.

Medium business deployment

The medium business model is suitable for small organizations with relatively few hosts to protect, all of which may be located within a single data center.

This configuration example comprises multiple UNIX/Linux hosts located within the SME space and one or more web servers located in a DMZ.

The tunneling feature (pmtunneld), enables Privilege Manager for Unix to control privileged commands on the web servers across a firewall, within the DMZ. This configuration significantly reduces the number of open ports at the firewall.

Multiple policy server components (pmmasterd) are installed in a failover configuration, with groups of agents balanced between the policy servers. If a policy server is unavailable for any reason, the agents will failover to the alternative policy server.

Figure 4: Medium business implementation: Minimum 2 Masters and Circa 100 Agents

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating