
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Managing Security Policy

The security policy lies at the heart of Privilege Manager. It stipulates which users may access which commands with escalated privileges. Privilege Manager guards access to privileged functions on your systems according to rules specified in the security policy.

Privilege Manager for Unix supports two security policy types:

  • sudo policy type – (default) uses a standard sudoers file as its security policy; that is, the sudo policy is defined by the sudoers file which contains a list of rules that control the behavior of sudo. The sudo command allows users to get elevated access to commands even if they do not have root access.
  • pmpolicy type – uses an advanced security policy which employs a high-level scripting language to specify access to commands based on a wide variety of constraints. Privilege Manager policy is defined by pm.conf, the default Privilege Manager policy configuration file which contains statements and declarations in a language specifically designed to express policies concerning the use of root and other controlled accounts.

Management Console for Unix gives you the ability to centrally manage policy located on the primary policy server. You view and edit both types of policy from the Policy tab on the management console.

Note: To manage policy, you must log in either as the supervisor or an Active Directory account with rights to edit the policy file; that is, an account in the Manage Sudo Policy or Manage PM Policy roles.

Open Policy Files

To open a policy

  1. From the management console, navigate to the Policy tab and select either the Sudo Policy Editor view or the PM Policy Editor view.

    To use the Sudo Policy Editor or the PM Policy Editor, you must first add and profile a Privilege Manager policy server, configure the service account, and activate the policy group in the management console. (See Activate Policy Groups for details.)

  2. From the Open menu, select either:
    1. Current version to open the latest saved version of the policy that is currently in use by the management console for a policy group.
    2. Version to open the Open Version dialog from which you select a policy group and a version of a policy and click OK to open the file.

    Note: If the policy does not open, see Java Applet Failures for information about troubleshooting policy editor issues.

  3. Once the policy is open you can modify it.

    Note: See Edit Panel Commands for more information about editing the policy in the text editor.

  4. After you modify the policy, save it.

    The policy is saved as a new version.

Rolling Back the Policy File

To revert to a specific version of the policy file

  1. From the Open menu, select Version... to open the Open Version dialog.
  2. Select a policy group and a version of a policy and click OK.
  3. After you modify the policy, save it, accepting the warning message to save over the existing policy.

    The policy file is saved as a new version, not as the version number that you opened.

Edit Panel Commands

You can make changes to the policy in the text editor by either typing in changes or using the commands in the Edit panel to insert, copy, or paste text; check for errors; or disable/enable syntax highlighting.

As you edit a policy, the Errors pane lists syntax errors by line and column number. You can double-click an error to navigate directly to the line containing the error.

To use the commands in the Edit panel to modify the policy file

  1. Open the Insert menu and select one of these options:

    1. Insert Local User to open the Select Local User dialog.
    2. Insert Local Group to open the Select Local Group dialog.
    3. Insert AD User to open the Select AD User dialog.
    4. Insert AD Group to open the Select AD Group dialog.

      Note: The Select AD... dialogs allow you to select a container from which to begin the search.

      The AD options are only available if you are logged in as an Active Directory user with rights to edit the policy file; that is, an account in the Manage Sudo Policy or Manage PM Policy role. Non-Unix-enabled groups require that you configure the Authentication Services sudo_vas group provider module. (See Configuring Sudo Access Control in the Authentication Services Administration Guide for details.)

    5. Insert Host to open the Select host dialog.
    6. Insert Alias to open the Select Alias dialog (only available in the Sudo Policy Editor.)

      Note: The Select Alias dialog allows you to filter the list of Alias names by:

      • All Aliases
      • Command Alias
      • Host Alias
      • Runas Alias
      • User Alias
    7. Insert List to open the Edit Entries dialog (only available in the PM Policy Editor).

      The Edit Entries dialog allows you to insert lists of data either manually, pasted from another file, or imported from a file. Separate multiple items with commas, for example:

      Fred, Ethel, Lucy

      The Insert List option allows you to copy and paste a comma-delimited list into the text box and automatically adds the list of data objects with quotes around each individual entry. For example, if you paste the following into the Add entries box:

      /usr/bin/kill,/usr/bin/cp,/usr/bin/passwd,/usr/bin/head

      when you click Add, the console lists the entries and puts quotes around each one.

      Once you have the objects listed on the Edit Entries dialog, click OK to include them in the policy.

      Note: For more information about the Edit Entries dialog, click the help link.

  2. Click the Error Check button to validate the formatting and syntax of the policy file.

    Note: When checking sudo policy for errors, note that the #include and #includedir directives are currently ignored by Privilege Manager for Sudo. Remove or comment out any #include or #includedir directives in your sudo policy. Error-checking of policy files that contain a #include or #includedir may generate false errors. It is safe to ignore such errors when saving the sudo policy, but it is best practice to remove or comment out such directives.

    The Errors pane is located across the bottom of the Edit Policy view and provides feedback on any syntax errors encountered when you click the Error Check button. You can double-click an error to navigate directly to the line containing the error.

  3. Select the Highlight Syntax option to view color-coded syntax.

    Note: Managing large policy files may affect the policy editor performance. (See Policy Editor Runs Slow for troubleshooting tips.)

  4. Use the controls in the Search panel to search for keywords in the policy file.

    Type a text string and click Next or Previous.
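
The note under the Error Check step says that #include and #includedir directives should be removed or commented out of a sudo policy. As an added example (not part of the product documentation), the following shell script lists those directives by line number in a local copy of a sudoers file and writes a copy with them commented out. The function names and the sample policy are constructed for illustration, and the script assumes each directive starts in column one.

```shell
#!/bin/sh
# Added example: pre-check a sudoers file for include directives before
# loading it into the Sudo Policy Editor. Not product code.

# list_includes FILE
# Print "LINE:TEXT" for each active #include / #includedir directive.
# Assumption: a directive starts in column one and is followed by a blank.
list_includes() {
    awk '/^#include(dir)?[ \t]/ { printf "%d:%s\n", NR, $0 }' "$1"
}

# comment_out_includes FILE
# Write a copy of FILE to stdout in which each directive is prefixed
# with "# ", turning it into an ordinary comment. FILE is not modified.
comment_out_includes() {
    sed -E 's/^(#include(dir)?[[:blank:]].*)$/# \1/' "$1"
}

# Constructed sample policy (illustrative only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Local policy for the web tier
Defaults env_reset
#include /etc/sudoers.local
User_Alias WEBADMINS = alice, bob
WEBADMINS ALL = (root) /usr/bin/systemctl restart httpd
#includedir /etc/sudoers.d
# include is mentioned here only as a comment
EOF

echo "Directives to remove or comment out before Error Check:"
list_includes "$sample"

# Produce the cleaned copy and confirm that no directive remains.
cleaned=$(mktemp)
comment_out_includes "$sample" > "$cleaned"
if [ -z "$(list_includes "$cleaned")" ]; then
    echo "Cleaned copy written to $cleaned"
fi
```

Review the rules that lived in the included files separately, because the page states that these directives are ignored by Privilege Manager for Sudo.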
