Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Role Property Variables

Privilege Manager roles (or profiles) define who, what, where, when, and how users are permitted to perform various privileged account actions using variable values in the policy configuration file. You set the values for these user-defined variables in global_profile.conf, the default Privilege Manager policy configuration file, using either a GUI editor or a text editor.

The following tables identify the policy variable associated with each GUI editor setting, for both Privilege Manager roles and restricted shell roles. The Role/Shell column states whether a setting applies to Privilege Manager roles, to restricted shell roles, or to both. The Manage Defaults column indicates which variables you can set as global defaults using the Manage Defaults button in the GUI editor; you must use the text editor to set global defaults for variables marked "No". See Manage Role Defaults for details.

Table 5: General Settings

    GUI Editor Setting                     Role/Shell  Policy Variable             Manage Defaults
  General
    Description                            Both        pf_profiledescription       No
    Enable role                            Both        pf_enableprofile            No
    Trace level                            Both        pf_tracelevel               Yes
    Enable keystroke logging               Both        pf_enablekeystrokelogging   Yes
    Keystroke log path                     Both        pf_iologdir                 Yes
    Disable password logging               Both        pf_logpasswords             Yes
    Password prompts                       Both        pf_passprompts              Yes
  Authentication
    Require authentication                 Both        pf_enableauthentication     Yes
    Authenticate on host running command   Both        pf_authenticateonclient     Yes
    PAM service                            Both        pf_pamservice               Yes
    Command line prompt                    Both        pf_pamprompt                Yes
    Allow scp / non-interactive SSH        Shell       pf_allowscp                 Yes

Table 6: What Settings

    GUI Editor Setting                           Role/Shell  Policy Variable             Manage Defaults
  Commands
    Path on host                                 Role        pf_authpaths                Yes
    Commands                                     Role        pf_authcmds                 Yes
    Allow commands from authorized submit hosts  Role        pf_enableremotecmds         Yes
  Shell Commands
    Accept only commands                         Shell       pf_shellcommandsaccept      No
    Reject commands                              Shell       pf_shellcommandsreject      No
    Authorize shell builtins                     Shell       pf_checkbuiltins            No
    Command rejection message                    Shell       pf_shellreject              No
  Pre-authorized Commands
    Commands allowed by shell                    Shell       pf_shellallow               Yes
    Commands allowed only from pipe              Shell       pf_shellallowpipe           Yes
    Commands rejected by shell                   Shell       pf_shellforbid              Yes

Table 7: Where Settings

    GUI Editor Setting                                    Role/Shell  Policy Variable             Manage Defaults
  Run Hosts
    Hosts where commands can run                          Both        pf_authrunhosts             No
  Submit Hosts
    Hosts where commands can be submitted                 Role        pf_authsubmithosts          No
  Forbidden Run Hosts
    Hosts where members are forbidden to run commands     Role        pf_forbidrunhosts           No
  Forbidden Submit Hosts
    Hosts where members are forbidden to submit commands  Role        pf_forbidsubmithosts        No

Table 8: Who Settings

    GUI Editor Setting                       Role/Shell  Policy Variable             Manage Defaults
  Users
    Users authorized to run commands         Both        pf_authusers                No
    Runas User                               Both        pf_authuser                 No
  Groups
    Local and Unix-enabled AD groups         Both        pf_authgroups               No
    Runas Group                              Both        pf_authgroup                No
    User must be member of authorized group  Both        pf_useservergroupinfo       No
  AD Groups
    Non Unix-enabled AD Groups               Both        pf_authgroupsad             No
    Default AD Domain                        Both        pf_addomain                 No

Table 9: When Settings

    GUI Editor Setting           Role/Shell  Policy Variable             Manage Defaults
  Time Restrictions
    Restrict by day, date, time  Both        pf_enabletimerestrictions   Yes
    By Time Period               Both        pf_restrictionhours         Yes
    By Date                      Both        pf_restrictiondates         Yes
    By Day of Week               Both        pf_restrictiondow           Yes

Table 10: How Settings

    GUI Editor Setting                        Role/Shell  Policy Variable             Manage Defaults
  Shell Settings
    PM secure shells allowed to run           Shell       pf_allowshells              Yes
    Run in restricted mode                    Shell       pf_restricted               Yes
    Environment variables that cannot change  Shell       pf_shellreadonly            Yes
    Shell execution directory                 Shell       pf_shellcwd                 Yes
    Shell session PATH                        Shell       pf_shellpath                Yes

Note: You cannot manage the following variables using the GUI editor; you must use the text editor:

  • pf_cpolicy -- the path to a customer-specific pmpolicy file included after matching the user to a profile, but before authenticating the user. If configured, add this file to the repository, and identify it using a relative path (relative to the policy directory).
  • pf_realshell -- specifies the actual shell program to run, in the case of pmloginshell. Note: This variable is obsolete in version 5.6.0 and is provided here only for reference to the obsolete version 5.5.2 pmloginshell program.
  • pf_forbidsubmithostsad -- Active Directory host groups where members are forbidden to submit commands.
  • pf_authsubmithostsad -- Active Directory host groups where commands can be submitted.
  • pf_forbidrunhostsad -- Active Directory host groups where members are forbidden to run commands.
  • pf_authrunhostsad -- Active Directory host groups where commands can run.
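The following is an added example, not code from this guide or from the One Identity product: a small Python linter that encodes Tables 5 to 10 and the text-editor-only list above as a lookup table and checks a profile file against them before it is committed to the policy repository. It catches a misspelled variable name, a variable assigned twice, a restricted-shell-only variable used in a Privilege Manager role (or the reverse), and reports which variables cannot be given a global default through the Manage Defaults button. The variable names and the Role/Shell and Manage Defaults columns come from the tables; the `name = value;` file syntax, the sample profile, its values and its path are constructed assumptions for illustration, not the product's actual pmpolicy grammar.

```python
"""Lint a Privilege Manager profile against the variable catalogue above.

Added example, not One Identity code. It assumes a profile is a plain file of
`name = value;` assignments (constructed sample below); the real pmpolicy
syntax is richer, so treat the parser as an illustration of the checks."""
import re

# Catalogue transcribed from Tables 5-10: variable -> (role kind, Manage Defaults).
# Role kind: "Both" = Privilege Manager role and restricted shell role,
# "Role" = Privilege Manager role only, "Shell" = restricted shell role only.
CATALOGUE = {
    "pf_profiledescription": ("Both", False), "pf_enableprofile": ("Both", False),
    "pf_tracelevel": ("Both", True), "pf_enablekeystrokelogging": ("Both", True),
    "pf_iologdir": ("Both", True), "pf_logpasswords": ("Both", True),
    "pf_passprompts": ("Both", True), "pf_enableauthentication": ("Both", True),
    "pf_authenticateonclient": ("Both", True), "pf_pamservice": ("Both", True),
    "pf_pamprompt": ("Both", True), "pf_allowscp": ("Shell", True),
    "pf_authpaths": ("Role", True), "pf_authcmds": ("Role", True),
    "pf_enableremotecmds": ("Role", True), "pf_shellcommandsaccept": ("Shell", False),
    "pf_shellcommandsreject": ("Shell", False), "pf_checkbuiltins": ("Shell", False),
    "pf_shellreject": ("Shell", False), "pf_shellallow": ("Shell", True),
    "pf_shellallowpipe": ("Shell", True), "pf_shellforbid": ("Shell", True),
    "pf_authrunhosts": ("Both", False), "pf_authsubmithosts": ("Role", False),
    "pf_forbidrunhosts": ("Role", False), "pf_forbidsubmithosts": ("Role", False),
    "pf_authusers": ("Both", False), "pf_authuser": ("Both", False),
    "pf_authgroups": ("Both", False), "pf_authgroup": ("Both", False),
    "pf_useservergroupinfo": ("Both", False), "pf_authgroupsad": ("Both", False),
    "pf_addomain": ("Both", False), "pf_enabletimerestrictions": ("Both", True),
    "pf_restrictionhours": ("Both", True), "pf_restrictiondates": ("Both", True),
    "pf_restrictiondow": ("Both", True), "pf_allowshells": ("Shell", True),
    "pf_restricted": ("Shell", True), "pf_shellreadonly": ("Shell", True),
    "pf_shellcwd": ("Shell", True), "pf_shellpath": ("Shell", True),
}
# Variables the note lists as text-editor only; the guide states no role kind for them.
for _name in ("pf_cpolicy", "pf_realshell", "pf_forbidsubmithostsad",
              "pf_authsubmithostsad", "pf_forbidrunhostsad", "pf_authrunhostsad"):
    CATALOGUE[_name] = (None, False)

# Assumed simplified syntax: `pf_name = value;` on one line.
ASSIGNMENT = re.compile(r"^\s*(pf_\w+)\s*=\s*(.+?)\s*;\s*$")


def parse_assignments(text):
    """Return [(variable, value)] for each assignment line; '#' starts a comment."""
    found = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        match = ASSIGNMENT.match(code)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def lint_profile(text, role_kind):
    """Check a profile of the given kind ("Role" or "Shell") and return findings.
    Flags unknown names, duplicates, and variables that belong to the other role kind."""
    findings, seen = [], set()
    for name, _value in parse_assignments(text):
        if name in seen:
            findings.append(f"{name}: assigned more than once")
        seen.add(name)
        if name not in CATALOGUE:
            findings.append(f"{name}: not a known policy variable (typo?)")
            continue
        kind, _manage_defaults = CATALOGUE[name]
        if kind not in (None, "Both", role_kind):
            findings.append(f"{name}: applies to {kind} roles only, not {role_kind}")
    return findings


def text_editor_only(names):
    """Of the given variables, return those whose Manage Defaults column is No:
    their global defaults can only be set by editing global_profile.conf directly."""
    return [n for n in names if n in CATALOGUE and not CATALOGUE[n][1]]


# Constructed sample: a restricted shell role with three deliberate mistakes.
SAMPLE_SHELL_PROFILE = """\
pf_profiledescription = "Help desk restricted shell";
pf_enableprofile = 1;
pf_enablekeystrokelogging = 1;
pf_iologdirr = "/path/to/iolog";      # typo in the variable name
pf_authcmds = { "/bin/ls" };          # Privilege Manager role only
pf_shellallow = { "ls", "cat" };
pf_shellallow = { "ls" };             # assigned twice
"""

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_SHELL_PROFILE, "Shell"):
        print(finding)
    print("text editor only:", text_editor_only(["pf_tracelevel", "pf_authusers"]))
```

Running the script lists the three problems in the sample and reports that `pf_authusers`, unlike `pf_tracelevel`, has no Manage Defaults support. The catalogue is the only part worth keeping in sync with the product version in use; the parser should be replaced by one that understands the actual policy file grammar before the check is wired into a pre-commit hook.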

Add a New Privilege Manager Role

To create a new Privilege Manager role

  1. From the PM Policy Editor view, click the Add Role button.
  2. From the Select Role Type dialog, choose Privilege Manager Role and click OK.

    The New Role dialog displays and allows you to specify:

    • General Settings
      • General Settings
      • Authentication Settings
      • User Defined Variables
    • What Settings
      • Commands
    • Where Settings
      • Run Hosts Settings
      • Submit Hosts Settings
      • Forbidden Run Hosts Settings
      • Forbidden Submit Hosts Settings
    • Who Settings
      • Users Settings
      • Groups Settings
      • AD Groups Settings
    • When Settings
      • Time Restrictions Settings

    See Override Role Property Defaults for more information about specifying role-specific overrides for a specific property.

Add a New Privilege Manager Restricted Shell Role

To add or modify shell roles

  1. From the PM Policy Editor view, click the Add Role button.
  2. From the Select Role Type dialog, choose Privilege Manager Restricted Shell Role and click OK.

    The New Role dialog displays and allows you to specify:

    • General Settings
      • General Settings
      • Authentication Settings
      • User Defined Variables
    • What Settings
      • Shell Commands
      • Pre-authorized Commands
    • Where Settings
      • Run Hosts Settings
    • Who Settings
      • Users Settings
      • Groups Settings
      • AD Groups Settings
    • When Settings
      • Time Restrictions Settings
    • How Settings
      • Shell Settings

    See Override Role Property Defaults for more information about specifying role-specific overrides for a specific property.

Add New Privilege Manager Role Based on an Existing Role

To add a new role based on an existing role

  1. From the PM Policy Editor view, click the Add Role button.

  2. From the Select Role Type dialog, choose Use an existing role as a template for the new role.

  3. Select an existing role to use as the template and click OK.

    Refer to Default Roles (or Profiles) for a description of the roles provided by Privilege Manager for Unix.
