Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.3 - Management Console for Unix Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix Hosts Working with Host Systems Managing Local Groups Managing Local Users Active Directory Integration Authentication Services Integration Privilege Manager Integration Reporting Setting Preferences Security Troubleshooting Tips
Auto Profile Issues Active Directory Issues Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings Single Sign-on (SSO) Issues JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service Tool Bar Buttons Are Not Enabled UID or GID Conflicts
System Maintenance Command Line Utilities Web Services Database Maintenance

Change Supervisor Account Password

You can change your supervisor account password in System settings when you are logged in as supervisor.

To change supervisor account password

  1. Log onto the mangement console using the supervisor account.

  2. From the top-level Settings menu, navigate to System settings | General | Change Password.

  3. Enter your current supervisor account password and the new password.

  4. Click OK to save your changes and close System Settings.

Note: If you have forgotten the current supervisor account see Reset the Supervisor Password for more information on resetting your supervisor password.

Set Custom Privilege Elevation Commands

You can specify up to three custom privilege elevation commands to use when performing tasks on hosts that require elevated privileges.

To set custom privilege elevation commands

  1. From the top-level Settings menu, navigate to System Settings | General | Custom Privilege Elevation.

  2. In the Custom Elevation box, enter the elevation command and any optional parameters required by the command. For example:

    /opt/quest/bin/pmrun

    Note: Enter the full path to the command if the command is not in the system's path.

  3. Optionally, select the Use single quotes for command arguments option if the command requires arguments in quotes.

    For example, the sudo command does not require arguments in quotes, like this:

    # sudo echo bob

    Whereas the su command does require arguments in quotes, like this:

    # su root -c "echo bob"
  4. To specify another user instead of root when performing tasks on hosts that require elevated privileges, replace root with "%s" as in:

    # su %s -c "echo bob"

    Enter "%s" to specify a user name other than root to use elevated credentials. In the Log On To Host dialog, when you select the Use elevated credentials option, you can replace root with another account in the User name field.

  5. Optionally, click Test to validate that the command works.

    On the Test Privileged Elevation Command dialog,

    1. Enter or select a host where the command exists.

    2. Enter user credentials and click Test.

      A message displays to explain whether the test was successful or not.

  6. Click OK to save the changes.

When a test for a command completes successfully, it becomes available on the Log On To Host dialog. (Search for Log On To Host in the online help for details.)

Console Roles and Permissions System Settings

What a user sees in the mangement console is based on the rules that pertain to the console role the user is assigned. A user can only access and perform tasks specified for his role(s). The default supervisor account is a member of all roles, however, that account is blocked from performing Active Directory tasks because the supervisor does not have Active Directory credentials.

Note: While all console roles, except supervisor, have permission to view the Active Directory tab, to perform certain Active Directory tasks, such as Unix-enabling an Active Directory user or group, the AD user assigned to the role must have the appropriate rights in Active Directory.

To access and perform tasks within the mangement console, assign users to one or more of the following console roles:

Note: All roles run reports. See Reports for more information about the reports that are available for each role.

Table 17: Console roles and permissions
Role Description Default Permissions Available UI
Manage Hosts Members can add, view, and manage hosts, as well as run reports.
  • View hosts
  • Manage hosts
  • Hosts tab
  • All Local Users tab
  • Active Directory tab
  • Reporting tab
Manage Sudo Policy Members can view and edit the sudoers policy file, run reports, and access a read-only view of all hosts.
  • View hosts
  • Edit Sudoers Policy
  • Hosts tab (view hosts only)
  • Policy | Sudo Policy Editor view
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Audit Sudo Policy Members can audit sudo policy through reports, replay keystroke logs, and access a read-only view of all hosts.
  • View hosts (read-only)
  • View and replay keystroke logs
  • Hosts tab (view hosts only)
  • Policy | PM Policy Editor view
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Console Administration Members can modify console System Settings and access a read-only view of all hosts.
  • View hosts (read-only)
  • Manage console System Settings
  • Hosts tab (view hosts only)
  • Active Directory tab
  • Settings | System settings view
    • General settings
    • Console Information settings
    • Privilege Manager settings
    • Active Directory settings
    • Licenses settings
Manage Console Access Members can add and remove members of console roles, run reports, and access a read-only view of all hosts.
  • View hosts (read-only)
  • Set console permissions (Roles and Permissions)
  • Hosts tab (view hosts only)
  • Active Directory tab
  • Reports tab to access only the Console Access and Permissions report
  • Settings | System settings view
    • Console Roles and Permissions settings
Manage PM Policy Members can view and edit the Privilege Manager policy, run reports, and access a read-only view of all hosts.
  • View hosts
  • Edit PM Policy
  • Hosts tab (view hosts only)
  • Policy | Edit Policy view
  • Policy | Event Logs view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Audit PM Policy Members can audit Privilege Manager policy through reports, replay keystroke logs, and access a read-only view of all hosts.
  • View hosts (read-only)
  • View and replay keystroke logs
  • Hosts tab (view hosts only)
  • Policy | Event Logs view
  • Policy | Replay Log view
  • Active Directory tab
  • Reports tab to access the Access and Privileges and Policy Changes reports
Reporting Members can run and view all reports and access a read-only view of all hosts.

  • View hosts (read-only)
  • View and produce any report

  • Hosts tab (view hosts only)
  • Active Directory tab
  • Reports tab to access reports

Note: Management Console for Unix does not allow you to add domain-local Active Directory groups to roles; you can only add security-enabled global and universal groups.

Add (or Remove) Role Members

Note: This task requires that you are logged in as the supervisor or an Active Directory account with rights to add or remove members of console roles; that is, an account in the Manage Console Access role.

To add additional Active Directory members or groups to a role

  1. From the top-level Settings menu, navigate to System settings | Console Roles and Permissions.
  2. Select a role and click Members...

    Note: If you are logged in as supervisor, the mangement console requires that you authenticate to Active Directory in order to select Active Directory users or groups to add members to a role.

  3. On the Role Members dialog, click Add....
  4. On the Select AD Object dialog, use the search controls to find and select Active Directory user(s) or group(s).
  5. Select one or more objects from the list and click OK.

    The mangement console adds the selected object(s) to the list.

  6. Click OK to save your selections.
  7. Click OK on the Console Roles and Permissions dialog to close System Settings and return to the mangement console.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating