
Safeguard Authentication Services 4.1.5 - Installation Guide


Access & Privileges reports

NOTE: The Access & Privileges reports do not report on users and groups from a NIS domain.

Table 25: Access & Privileges reports
Report Description
Access & Privileges by Host

Identifies all users with log-on access to hosts and the commands the users can run on the hosts. This report includes the following information:

  • Total number of users that can log on to the host
  • The users that can log on to the host
  • The commands users can run on the host
  • The runas aliases for which the user can run commands on the host
  • The commands the runas alias can run on the host

Browse to select a host.

Optionally, select the Show detailed report option.

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Access & Privileges by User

Identifies the users with log-on access to hosts, the commands that user can run on each host, and the "runas aliases" information for that user. This report includes the following information:

  • Total number of hosts where the user can log on
  • The hosts where the user can log on
  • The commands the user can run on each host
  • The runas aliases for which the user can run commands on each host
  • The commands the runas alias can run on each host

Use the following report parameters to specify the user to include in the report:

  • A local user (default)
  • An AD user

Browse to select a user.

Optionally select the Show detailed report option.

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Commands Executed

Provides details about the commands executed by users on hosts joined to a policy group, based on their privileges and recorded as events or captured in keystroke logs by Privilege Manager. This report allows you to search for commands that have been recorded as part of events or keystroke logs for a policy group and includes the following information:

  • Command name
  • User who executed the command
  • Date and time the command was executed
  • Host where the command was executed

Use the following report parameters to define details in the report:

  • Policy Group
  • Command
  • Host
  • Log status
  • Date

NOTE: You can use wildcards in the text string you enter in the Command box, such as * and ?.

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Console Access and Permissions

Lists users who have access to the management console based on membership in a console role and the permissions assigned to that role. This report includes the following information:

  • List of roles
  • List of permissions assigned to each role
  • List and number of members assigned to each role

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Console Access role. However, when you access this report as supervisor, the management console requires that you authenticate to Active Directory.

Logon Policy for AD User

Identifies the hosts where Active Directory users have been granted log-on permission. This report includes the following information for hosts joined to an Active Directory domain:

  • Total number of hosts where the AD user has access
  • List of hosts where the AD user has access

Specify the Active Directory users to include in the report:

  • All AD users (default)
  • Select AD user

Browse to search Active Directory to locate and select an Active Directory user.

NOTE: The report might show both the Active Directory login name and local user name(s) in the Login Name column for a selected AD user account because an Active Directory user account can have one or more local user accounts mapped to it.

NOTE: Only hosts joined to an Active Directory domain with an Authentication Services 4.x agent are included in this report.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Logon Policy for Unix Host

Identifies the Active Directory users that have been explicitly granted log-on permissions for one or more Unix computers. This report includes the following information for hosts joined to an Active Directory domain:

  • Host Name, DNS Name or IP Address of the host selected for the report
  • Users that have been granted permission to log on

Specify the managed hosts to include in the report:

  • All profiled hosts (default)
  • Select host

Browse to locate and select a managed host that is joined to Active Directory.

NOTE: This report only includes hosts joined to an Active Directory domain with an Authentication Services 4.x agent.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Policy Changes

Provides details of changes made to a policy for a Privilege Manager policy group. This report includes the following information:

  • Name of the user that made changes to the policy
  • Version number for the changes
  • Time and date the changes were saved and actively used to enforce policy
  • Changes made to the policy based on version

Select a policy group.

Select to:

  • Show all changes to the policy
  • Show only changes for a specific pmpolicy file (not available for sudo-based policy)
  • Show changes to the policy for one or more revisions

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Product Licenses Usage reports

Table 26: Product licenses usage reports
Report Description
Product License Usage

Provides a summary of all licensing information. This report includes the following information for hosts managed by the console:

  • Product
  • Purchased licenses
  • Used licenses

Use Authentication Services PowerShell

Authentication Services includes PowerShell modules which provide a "scriptable" interface to many Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.

You can perform the following tasks using PowerShell cmdlets:

  • Unix-enable Active Directory users and groups
  • Unix-disable Active Directory users and groups
  • Manage Unix attributes on Active Directory users and groups
  • Search for and report on Unix-enabled users and groups in Active Directory
  • Install product license files
  • Manage Authentication Services global configuration settings
  • Find Group Policy objects with Unix/Mac OS X settings configured

Using the Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.

Unix-enable a user and user group

To Unix-Enable a user and user group

  1. From the Control Center, navigate to Tools | Authentication Services.
  2. Click Authentication Services PowerShell Console.

    Note: The first time you launch the PowerShell Console it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this you will never be asked this question again on this machine.

  3. At the PowerShell prompt, enter the following:
    Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

    Note: You created the UNIXusers group in a previous exercise. (See Add an Active Directory group account.)

    Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:

    ObjectClass              : group
    DistinguishedName        : CN=UNIXusers,CN=Users,DC=example,DC=com
    ObjectGuid               : 71aaa88-d164-43e4-a72a-459365e84a25
    GroupName                : UNIXusers
    UnixEnabled              : True
    GidNumber                : 1234567
    AdsPath                  : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
                               DC=example,DC=com
    CommonName               : UNIXusers
  4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
    Enable-QasUnixUser ADuser | Set-QasUnixUser -PrimaryGidNumber 1234567

    The Unix properties of the user display:

    ObjectClass              : user
    DistinguishedName        : CN=ADuser,CN=Users,DC=example,DC=com
    ObjectGuid               : 5f83687c-e29d-448f-9795-54d272cf9f25
    UserName                 : ADuser
    UnixEnabled              : True
    UidNumber                : 80791532
    PrimaryGidNumber         : 1234567
    Gecos                    :
    HomeDirectory            : /home/ADuser
    LoginShell               : /bin/sh
    AdsPath                  : LDAP://windows.example.com/CN=ADuser,CN=Users,
                               DC=example,DC=com
    CommonName               : ADuser
  5. To disable the ADuser user for Unix login, at the PowerShell prompt enter:
    Disable-QasUnixUser ADuser

    Note: To completely clear all Unix attribute information, enter

    Clear-QasUnixUser ADuser

    Now that you have Unix-disabled the user, that user can no longer log into systems running the Authentication Services agent.

  6. From the Control Center, under "Login to remote host", enter:
    • the Unix host name in the Host name box
    • the Active Directory user name, ADuser, in the User name box

    and click Login to log onto the Unix host with your Active Directory user account.

    A PuTTY window displays.

    Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.

  7. Enter the password for the Active Directory user account.

    Because the account is now Unix-disabled, the login attempt fails and you receive a message that says, "Access denied".
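The procedure above Unix-enables one group and one user by hand; the PowerShell section earlier on this page notes that the same cmdlets can script the import of Unix account information into Active Directory. The following script is an added example, not code from the Authentication Services product or its documentation, and is meant to be run from the Authentication Services PowerShell Console so the Qas modules are loaded. It uses only the cmdlets shown on this page (Enable-QasUnixGroup, Set-QasUnixGroup, Enable-QasUnixUser, Set-QasUnixUser); the parameters -UidNumber, -Gecos, -HomeDirectory and -LoginShell on Set-QasUnixUser are assumed to exist with the same names as the properties the cmdlet prints. The passwd and group data it reads are constructed sample files, and the account names are assumed to match sAMAccountNames of existing AD objects.

```powershell
# Added example: scripted import of /etc/passwd and /etc/group data into AD
# with the Authentication Services PowerShell cmdlets. Not part of the product.
# Assumed: Set-QasUnixUser accepts -UidNumber, -Gecos, -HomeDirectory and
# -LoginShell (same names as the properties it prints on this page).
#Requires -Version 3.0
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PasswdFile = ".\passwd.sample",
    [string]$GroupFile  = ".\group.sample"
)
$ErrorActionPreference = 'Stop'

# Constructed sample input in /etc/passwd and /etc/group format (no real hosts
# or users). Written only if the files are not already present.
if (-not (Test-Path $PasswdFile)) {
    @'
alice:x:10001:5000:Alice Example:/home/alice:/bin/bash
bob:x:10002:5000:Bob Example:/home/bob:/bin/sh
svc_backup:x:10003:5001:Backup service:/var/lib/backup:/sbin/nologin
'@ | Set-Content -Path $PasswdFile -Encoding ASCII
}
if (-not (Test-Path $GroupFile)) {
    @'
unixusers:x:5000:alice,bob
backupops:x:5001:svc_backup
'@ | Set-Content -Path $GroupFile -Encoding ASCII
}

# Groups first, so every user's primary GID refers to a Unix-enabled group.
$gidByName = @{}
foreach ($line in Get-Content $GroupFile | Where-Object { $_ -and $_ -notmatch '^\s*#' }) {
    $name, $null, $gid, $null = $line -split ':'
    $gidByName[$name] = [int]$gid
    if ($PSCmdlet.ShouldProcess($name, "Unix-enable group with GID $gid")) {
        Enable-QasUnixGroup $name | Set-QasUnixGroup -GidNumber ([int]$gid) | Out-Null
    }
}

# Users: reject a primary GID that is not in the group file and reject duplicate
# UIDs, so a bad input file cannot silently make two AD accounts share a Unix identity.
$seenUids = @{}
$results = foreach ($line in Get-Content $PasswdFile | Where-Object { $_ -and $_ -notmatch '^\s*#' }) {
    $user, $null, $uid, $gid, $gecos, $home, $shell = $line -split ':'
    if ($seenUids.ContainsKey($uid)) {
        throw "duplicate UID $uid for $user (already used by $($seenUids[$uid]))"
    }
    if (-not ($gidByName.Values -contains [int]$gid)) {
        throw "user $user has primary GID $gid that is not present in $GroupFile"
    }
    $seenUids[$uid] = $user
    if ($PSCmdlet.ShouldProcess($user, "Unix-enable user UID=$uid GID=$gid shell=$shell")) {
        # Like the manual step on this page, but carrying every passwd field across.
        Enable-QasUnixUser $user |
            Set-QasUnixUser -UidNumber ([int]$uid) -PrimaryGidNumber ([int]$gid) `
                            -Gecos $gecos -HomeDirectory $home -LoginShell $shell
    }
}

# Verify from the objects the cmdlets returned, not from the input file.
$results |
    Select-Object UserName, UnixEnabled, UidNumber, PrimaryGidNumber, LoginShell |
    Format-Table -AutoSize
$bad = $results | Where-Object { -not $_.UnixEnabled -or $_.UidNumber -lt 1000 }
if ($bad) {
    Write-Warning "Not Unix-enabled, or system-range UID, for: $($bad.UserName -join ', ')"
}
```

Run it once with -WhatIf to see which AD objects would be changed before touching the directory. The service account is imported with /sbin/nologin as its login shell, which keeps it from opening an interactive session on agent hosts even though it is Unix-enabled; an account that should lose all access is better handled with Disable-QasUnixUser, as in the step above.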
