Change Supervisor Account Password
You can change your supervisor account password in System settings when you are logged in as supervisor.
To change supervisor account password
-
Log onto the mangement console using the supervisor account.
-
From the top-level Settings menu, navigate to System settings | General | Change Password.
-
Enter your current supervisor account password and the new password.
-
Click OK to save your changes and close System Settings.
|
|
Note: If you have forgotten the current supervisor account see Reset the Supervisor Password for more information on resetting your supervisor password. |
Set Custom Privilege Elevation Commands
You can specify up to three custom privilege elevation commands to use when performing tasks on hosts that require elevated privileges.
To set custom privilege elevation commands
-
From the top-level Settings menu, navigate to System Settings | General | Custom Privilege Elevation.
-
In the Custom Elevation box, enter the elevation command and any optional parameters required by the command. For example:
/opt/quest/bin/pmrun
Note: Enter the full path to the command if the command is not in the system's path.
-
Optionally, select the Use single quotes for command arguments option if the command requires arguments in quotes.
For example, the sudo command does not require arguments in quotes, like this:
# sudo echo bob
Whereas the su command does require arguments in quotes, like this:
# su root -c "echo bob"
-
To specify another user instead of root when performing tasks on hosts that require elevated privileges, replace root with "%s" as in:
# su %s -c "echo bob"
Enter "%s" to specify a user name other than root to use elevated credentials. In the Log On To Host dialog, when you select the Use elevated credentials option, you can replace root with another account in the User name field.
-
Optionally, click Test to validate that the command works.
On the Test Privileged Elevation Command dialog,
-
Enter or select a host where the command exists.
-
Enter user credentials and click Test.
A message displays to explain whether the test was successful or not.
-
-
Click OK to save the changes.
When a test for a command completes successfully, it becomes available on the Log On To Host dialog. (Search for Log On To Host in the online help for details.)
Console Roles and Permissions System Settings
What a user sees in the mangement console is based on the rules that pertain to the console role the user is assigned. A user can only access and perform tasks specified for his role(s). The default supervisor account is a member of all roles, however, that account is blocked from performing Active Directory tasks because the supervisor does not have Active Directory credentials.
|
|
Note: While all console roles, except supervisor, have permission to view the Active Directory tab, to perform certain Active Directory tasks, such as Unix-enabling an Active Directory user or group, the AD user assigned to the role must have the appropriate rights in Active Directory. |
To access and perform tasks within the mangement console, assign users to one or more of the following console roles:
|
|
Note: All roles run reports. See Reports for more information about the reports that are available for each role. |
| Role | Description | Default Permissions | Available UI |
|---|---|---|---|
| Manage Hosts | Members can add, view, and manage hosts, as well as run reports. |
|
|
| Manage Sudo Policy | Members can view and edit the sudoers policy file, run reports, and access a read-only view of all hosts. |
|
|
| Audit Sudo Policy | Members can audit sudo policy through reports, replay keystroke logs, and access a read-only view of all hosts. |
|
|
| Console Administration | Members can modify console System Settings and access a read-only view of all hosts. |
|
|
| Manage Console Access | Members can add and remove members of console roles, run reports, and access a read-only view of all hosts. |
|
|
| Manage PM Policy | Members can view and edit the Privilege Manager policy, run reports, and access a read-only view of all hosts. |
|
|
| Audit PM Policy | Members can audit Privilege Manager policy through reports, replay keystroke logs, and access a read-only view of all hosts. |
|
|
| Reporting | Members can run and view all reports and access a read-only view of all hosts. |
|
|
|
|
Note: Management Console for Unix does not allow you to add domain-local Active Directory groups to roles; you can only add security-enabled global and universal groups. |
Add (or Remove) Role Members
|
|
Note: This task requires that you are logged in as the supervisor or an Active Directory account with rights to add or remove members of console roles; that is, an account in the Manage Console Access role. |
To add additional Active Directory members or groups to a role
- From the top-level Settings menu, navigate to System settings | Console Roles and Permissions.
- Select a role and click Members...
Note: If you are logged in as supervisor, the mangement console requires that you authenticate to Active Directory in order to select Active Directory users or groups to add members to a role.
- On the Role Members dialog, click Add....
- On the Select AD Object dialog, use the search controls to find and select Active Directory user(s) or group(s).
- Select one or more objects from the list and click OK.
The mangement console adds the selected object(s) to the list.
- Click OK to save your selections.
- Click OK on the Console Roles and Permissions dialog to close System Settings and return to the mangement console.