Privilege Manager roles (or profiles) define who, what, where, when, and how users are permitted to perform various privileged account actions.
When you open a PM Policy file for editing, it lists the roles associated with the policy using the following icons:
Note: If a role is disabled, it is grayed out; if a role currently has an error, it has a red "x" icon.
From the Privilege Manager Roles view, you can perform the following tasks:
View and modify privileged account actions for a role.
Type of roles you can add include:
Shell roles manage host access with secure shells.
Opens a different version of the policy making that version the active policy.
Review all policy modifications.
Define policy defaults as global settings for all Privilege Manager roles.
By default, Privilege Manager for Unix provides the following role profiles:
Permits the root user on any host to submit any standard or 'normal' (that is, not a Privilege Manager Shell program) command as the root user on the local host.
Permits any user on any host to submit the id and the whoami commands as the root user on the local host.
Permits users in the helpdesk UNIX group, on any host, to reset (change) any user's password on the local host by running the passwd command as root.
Permits users in the webadmin UNIX group to start and stop the Apache webserver on the local host.
Permits any user to run a 'wrapped' standard shell program which enables keystroke logging for all commands the user runs.
Permits any user to run any restricted Privilege Manager Shell program as the root user on the local host.
Note: Because the shell runs in restricted mode, the following restrictions apply:
Note:
Permits the root user to run any Privilege Manager Shell program in unrestricted mode, as the root user on the local host.
Note:
Note:
Once you open a Privilege Manager policy, the console lists the roles and restricted shell roles associated with it.
To modify Privilege Manager role properties
To find a particular policy role,
Note: Disabled roles are grayed out. However, you can still modify or delete disabled roles.
When a role opens, the Edit Role dialog displays.
See Add a New Privilege Manager Role or Add a New Privilege Manager Restricted Shell Role for details about the role properties.
If a role property has a global default, this is indicated by a "default override" check box to the left of the property, on a green background, and by the default value shown to the right of the property in a disabled state. If a property has no "default override" check box, there is no global default for that property. For example, the following screen indicates that the Enable role property has no global default, but the Enable keystroke logging property does. The global default for the Enable keystroke logging property is "Enabled".
To override a global default
Select the override check box, change the role property, as needed, and click OK.
When you override the global default, the value you specify takes precedence over the global default and remains effective even if the global default changes.
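The precedence rule above (a ticked "default override" follows the role's own value; an unticked one follows the global default, including later changes to it) can be modelled in a few lines. The following Python is an added example written for this page, not Privilege Manager's own code or policy syntax; the property names, the sample global defaults other than "Enable keystroke logging = Enabled", and the role names are constructed assumptions. The audit helper at the end shows the check a reviewer of a policy would most want: which roles have overridden keystroke logging away from the global default.

```python
from dataclasses import dataclass, field

# Constructed sample global defaults. The page states only that the global
# default for "Enable keystroke logging" is Enabled; the other values here
# are assumed for illustration.
GLOBAL_DEFAULTS = {
    "enable_keystroke_logging": True,
    "allow_root_on_any_host": False,
}

# Properties the page shows without a "default override" check box: there is
# no global default, so each role must carry its own value.
NO_GLOBAL_DEFAULT = {"enable"}


@dataclass
class Role:
    name: str
    # Values the role carries itself. A value only takes effect for a property
    # with a global default once that property is in `overrides`, which stands
    # in for the ticked "default override" check box.
    values: dict = field(default_factory=dict)
    overrides: set = field(default_factory=set)

    def override(self, prop, value):
        """Tick the 'default override' box for prop and set the role's value."""
        self.values[prop] = value
        self.overrides.add(prop)

    def clear_override(self, prop):
        """Untick the box: the role follows the global default again."""
        self.overrides.discard(prop)
        self.values.pop(prop, None)


def resolve(role, prop, defaults=GLOBAL_DEFAULTS):
    """Return the effective value of prop for role.

    Order of precedence: a ticked override wins; otherwise the current global
    default applies; a property with no global default must be set on the role.
    """
    if prop in role.overrides:
        return role.values[prop]
    if prop in defaults:
        return defaults[prop]
    if prop in NO_GLOBAL_DEFAULT:
        return role.values[prop]
    raise KeyError(f"unknown role property: {prop}")


def audit_overrides(roles, defaults=GLOBAL_DEFAULTS):
    """List (role, property, role value, global default) for every override
    whose value differs from the global default. Useful for spotting roles
    that, for example, switch keystroke logging off."""
    findings = []
    for role in roles:
        for prop in sorted(role.overrides):
            if prop in defaults and role.values[prop] != defaults[prop]:
                findings.append((role.name, prop, role.values[prop], defaults[prop]))
    return findings


def demo():
    """Walk through the precedence rule with constructed roles."""
    helpdesk = Role("helpdesk_passwd", values={"enable": True})
    webadmin = Role("webadmin_apache", values={"enable": True})

    # webadmin overrides keystroke logging to Disabled; helpdesk does not.
    webadmin.override("enable_keystroke_logging", False)

    # Simulate the administrator later changing the global default.
    changed = dict(GLOBAL_DEFAULTS, enable_keystroke_logging=False)

    return {
        # helpdesk follows the global default both before and after the change
        "helpdesk_before": resolve(helpdesk, "enable_keystroke_logging"),
        "helpdesk_after": resolve(helpdesk, "enable_keystroke_logging", changed),
        # webadmin keeps its overridden value regardless of the global default
        "webadmin_before": resolve(webadmin, "enable_keystroke_logging"),
        "webadmin_after": resolve(webadmin, "enable_keystroke_logging", changed),
        "audit": audit_overrides([helpdesk, webadmin]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Clearing the override (`clear_override`) puts a role back under the global default, which is the behaviour to expect when an administrator unticks the check box in the Edit Role dialog.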
Notes:
© 2023 One Identity LLC. All rights reserved.