
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Editing PM Policy Files

Privilege Manager roles (or profiles) define who, what, where, when, and how users are permitted to perform various privileged account actions.

When you open a PM Policy file for editing, it lists the roles associated with the policy using the following icons:

  • Privilege Manager Role
  • Privilege Manager Restricted Shell Role

Note: If a role is disabled, it is grayed out; if a role currently has an error, it is marked with a red "x" icon.

From the Privilege Manager Roles view, you can perform the following tasks:

  1. Properties

    View and modify privileged account actions for a role.

  2. Add Role

    Types of roles you can add include:

    • Privilege Manager Roles
    • Privilege Manager Restricted Shell Roles

      Shell roles manage host access with secure shells.

    • New role based on an existing template

  3. Delete Role

  4. Change Version

    Opens a different version of the policy making that version the active policy.

  5. Policy Change Report

    Review all policy modifications.

  6. Manage Defaults

    Define policy defaults as global settings for all Privilege Manager roles.

Default Roles (or Profiles)

By default, Privilege Manager for Unix provides the following role profiles:

  • Privilege Manager Roles
    • admin

      Permits the root user on any host to submit any standard or 'normal' (that is, not a Privilege Manager Shell program) command as the root user on the local host.

    • demo

      Permits any user on any host to submit the id and the whoami commands as the root user on the local host.

    • helpdesk

      Permits users in the helpdesk UNIX group, on any host, to reset (change) any user's password on the local host by running the passwd command as root.

    • webadmin

      Permits users in the webadmin UNIX group to start and stop the Apache webserver on the local host.

  • Privilege Manager Restricted Shell Roles
    • qpm4u_login

      Permits any user to run a 'wrapped' standard shell program which enables keystroke logging for all commands the user runs.

    • restricted

      Permits any user to run any restricted Privilege Manager Shell program as the root user on the local host.

      Note: Because the shell runs in restricted mode, the following restrictions apply:

      • PATH, ENV and SHELL variables are read-only
      • User cannot change directory
      • User can only run programs in $PATH
      • User cannot run a command identified by an absolute/relative path
      • User cannot use I/O redirection

      Note:

      • Shell built-in commands are checked as well as normal executable commands.
      • A specified list of “dangerous” commands is forbidden, such as passwd, shutdown, and kill.
      • A specified list of benign commands is permitted without authorization.
      • A specified list of benign commands is permitted without authorization if the input to the command is from a pipe.

    • root

      Permits the root user to run any Privilege Manager Shell program in unrestricted mode, as the root user on the local host.

      Note:

      • Shell built-in commands are permitted without authorization.
      • Certain benign commands are permitted without authorization if the input to the command is from a pipe.
      • Commands within a specified list are forbidden without authorization.

Note:

  • Only the admin, demo, root, and qpm4u_login profile roles are enabled by default. You can enable (or disable) a profile role by selecting the Enable keystroke logging option in the role General Settings.
  • The Access & Privilege Reports provide information about what commands a user is allowed to run from each profile. (See Access & Privileges Reports for details.)
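To make the restricted-mode list above concrete, here is an added check script. It is not part of this guide and does not use Privilege Manager at all: it runs the same kinds of commands through bash's own restricted mode (`bash -r`), which enforces an analogous set of limits (read-only PATH/ENV/SHELL, no cd, no commands by path, no output redirection), and reports whether each restriction held. The helper names are my own; the Privilege Manager Shell's forbidden-command and pipe-input rules are not modelled here.

```shell
# Added illustration (not from the One Identity documentation): bash's own
# restricted mode (bash -r) enforces limits of the same kind the guide lists
# for a Privilege Manager Restricted Shell role. Each check returns 0 when
# the restriction held (the command was refused), so a test can assert on it.

# Run one command line under a restricted bash; its output is discarded.
run_restricted() {
    bash -r -c "$1" >/dev/null 2>&1
}

# Return 0 if the restricted shell refused the command, 1 if it ran.
refused() {
    if run_restricted "$1"; then
        return 1
    fi
    return 0
}

# PATH and SHELL (like ENV) are read-only in restricted mode.
check_path_readonly()   { refused 'PATH=/tmp'; }
check_shell_readonly()  { refused 'SHELL=/bin/sh'; }
# The user cannot change directory.
check_no_cd()           { refused 'cd /'; }
# Commands named by an absolute or relative path are refused ...
check_no_abs_path()     { refused '/bin/echo hi'; }
check_no_rel_path()     { refused './echo hi'; }
# ... but a command found through $PATH lookup still runs.
check_path_lookup_ok()  { run_restricted 'echo hi'; }
# Output redirection to a file is refused.
check_no_redirect()     { refused 'echo hi > /tmp/restricted-demo.txt'; }

# Run every check and print a one-line verdict for each;
# returns 0 only if all restrictions held.
run_all_checks() {
    rc=0
    for c in check_path_readonly check_shell_readonly check_no_cd \
             check_no_abs_path check_no_rel_path check_path_lookup_ok \
             check_no_redirect; do
        if "$c"; then
            echo "ok   $c"
        else
            echo "FAIL $c"
            rc=1
        fi
    done
    return $rc
}

run_all_checks
```

Run it on a host with bash installed; every line should read `ok`. If any line reads `FAIL`, the corresponding restriction is not being enforced by that shell, which is the same property an auditor would want to confirm for a restricted role before relying on it.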

Modify Privilege Manager Role Properties

Once you open a Privilege Manager policy, the console lists the roles and restricted shell roles associated with it.

To modify Privilege Manager role properties

  1. From the PM Policy Editor view, double-click a role, select it and click Properties, or right-click the role and choose Properties from the context menu.

    To find a particular policy role,

    • Type a string in the Search for role box for either a name or a description. (This is case sensitive and searches dynamically.)
    • Sort or filter the list of roles by type (enabled roles, disabled roles, enabled shell roles, or disabled shell roles) from the Role state column represented with the exclamation mark (!).
    • Click a column title to sort the list of roles by name or description.

    Note: Disabled roles are greyed out. However, you can modify or delete disabled roles.

    When a role opens, the Edit Role dialog displays.

    See Add a New Privilege Manager Role or Add a New Privilege Manager Restricted Shell Role for details about the role properties.

Override Role Property Defaults

If a role property has a global default, a "default override" check box appears to the left of the property on a green background, with the default value for the property shown, disabled, to the right. If a property has no "default override" check box, there is no global default for that property. For example, the following screen indicates that the Enable role property does not have a global default, but the Enable keystroke logging property does. The default for the Enable keystroke logging property is "Enabled".

To override a global default

  1. Select the override check box, change the role property, as needed, and click OK.

    When you override the global default, the value you specify takes precedence over the global default and remains effective even if the global default changes.

    Notes:

    • If you leave the global override check box deselected, the role uses the global default automatically. In the example above, the new role will have keystroke logging enabled and create the keystroke log in /var/opt/quest/qpm4u/iolog/ even though the override check boxes are not selected. If you always want keystroke logging to be enabled for this role even if the global default is changed in the future, select the override check box and leave the Enable keystroke logging option selected.
    • You can set a global default for the Enable role property, applicable to all roles, using the text editor. See Manage Role Defaults for details.