
Safeguard Authentication Services 6.0.1 - Administration Guide


User Account Override policy

The User Account Override policy allows administrators to add users to the override list and selectively set account attributes for those users. This policy manages the Safeguard Authentication Services user-override file, which allows specified users to take on a different identity on a per-machine basis.

To add a user override entry

  1. Start Group Policy Editor.

  2. Navigate to the UNIX Settings > Safeguard Authentication Services > Identity Mapping node.

  3. Double-click User Account Override to open the User Account Override Properties dialog.

  4. Click Add.

    The User Account Override dialog opens initially with all fields disabled except the Apply To field.

  5. Enter the specific DOMAIN\sAMAccountName or a * in the Apply To field.

    NOTE:

    • A * indicates all Safeguard Authentication Services users.

    • Safeguard Authentication Services ignores a non-existent user in the Apply To field.

    Thus, only the Primary GID, Home Directory, and Login Shell fields are valid. All other fields are disabled.

  6. Click Browse.

    The Select User or Group dialog opens.

  7. Enter a user or group name to select. Or, type the first letter of a name and click Check Names for Group Policy to find Safeguard Authentication Services-enabled users in Active Directory. Once you locate the names, click OK and return to the User Account Override dialog.

  8. Enter override values for the Primary GID, Home Directory, and Login Shell user attributes and click OK.

    The entry displays in the list of account override settings. Scroll the list or adjust column widths to view all of the account settings.

  9. Click OK to save settings and close the dialog.

Group Account Override policy

By using Group Account Override, you can add local users to Active Directory groups. The Group Account Override policy allows administrators to append a group membership list to the list stored in Active Directory. You can also override the group name and GID (group ID) fields.

To add a group override entry

  1. Start Group Policy Editor.

  2. Navigate to the UNIX Settings > Safeguard Authentication Services > Identity Mapping node.

  3. Double-click Group Account Override to open the Group Account Override Properties dialog.

  4. Click the ... button next to the Windows Group box.

    The Select Group dialog displays.

  5. Enter a group name and click OK.

  6. Enter a new UNIX Group Name. The group will have this name on all UNIX agents linked to this policy. Leave this field blank if you do not want to override the group name.

  7. Under Members, type a user name in the User field and click Insert.

    Group Policy adds the local user name you specify to the group membership list.

  8. Click OK to return to the Group Account Override Properties dialog.

  9. Click OK to save settings and close the dialog.

Host Access Control policy

The Host Access Control policies give you fine-grained control over which users are allowed to log into the UNIX host.

Safeguard Authentication Services supports host access control through the users.allow and users.deny files. Safeguard Authentication Services consults these files to determine whether or not to allow access to a particular user. This is an effective way to restrict access to sensitive computers on the network when using decentralized user accounts such as Active Directory. Group Policy defines policies for management of the access control files.

Host access control entries are "append only" and cannot be overridden. However, if there is a duplicate entry, the entry is only added once to the access control files.

Configuring a User Allow Entry policy

The Configure a User Allow Entry policy manages the Safeguard Authentication Services users.allow file. This file controls which users are allowed to log in to the host machine. If any allow rules are set, then a user must be allowed access through one of the configured allow rules or the user is denied.

To set up an allow entry

  1. Navigate to the UNIX Settings > Safeguard Authentication Services > Access Control node.

  2. Double-click users.allow Configuration in the result pane to open the users.allow Configuration Properties dialog:

    • Click Browse AD to add a container. All users under the specified container are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.

    • Click Add Group to add a group. All group members are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.

    • Click Add User to add a specific user. The specified user is allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.

    • Click Add Domain to add a domain. All users in the domain are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.

    • Click Add Custom to add an item manually. You must specify the correct type for the item. All users associated with the specified item are allowed to log in unless a deny rule prevents it. All other users are denied login access unless another allow rule allows it.

  3. Click OK to save settings and close the dialog.
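
The following Python model is an added example, not product code. It illustrates the evaluation rules described above: a deny rule always wins, a user must match an allow rule once any allow rule is set, and entries from several policies are appended with duplicates kept once. The names Rule, User, merge_entries and may_log_in are hypothetical, the sample accounts are constructed, exact string matching is a simplification, and the on-disk format of users.allow and users.deny is not reproduced.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str    # "user", "group", "domain" or "container", as offered in the dialog
    value: str

@dataclass(frozen=True)
class User:
    name: str          # DOMAIN\sAMAccountName
    domain: str
    container: str     # DN of the container that holds the account
    groups: frozenset = frozenset()

def merge_entries(*policies):
    """Append-only merge: no policy removes another's entry; duplicates land once."""
    merged = []
    for policy in policies:
        for rule in policy:
            if rule not in merged:
                merged.append(rule)
    return merged

def matches(rule, user):
    if rule.kind == "user":
        return rule.value == user.name
    if rule.kind == "group":
        return rule.value in user.groups
    if rule.kind == "domain":
        return rule.value == user.domain
    if rule.kind == "container":   # the container itself or anything beneath it
        return user.container == rule.value or user.container.endswith("," + rule.value)
    raise ValueError(f"unknown rule type: {rule.kind}")

def may_log_in(user, allow, deny):
    if any(matches(r, user) for r in deny):
        return False               # a deny rule prevents login even if an allow rule matches
    if allow:
        return any(matches(r, user) for r in allow)   # allow rules set: must match one
    return True                    # no allow rules set: only deny rules restrict

# Constructed sample data: two linked policies contribute allow entries.
OU = "OU=UnixAdmins,DC=example,DC=com"
ALLOW = merge_entries(
    [Rule("group", "unixadmins"), Rule("container", OU)],            # first policy
    [Rule("group", "unixadmins"), Rule("user", "EXAMPLE\\carol")],   # second policy
)
DENY = merge_entries([Rule("user", "EXAMPLE\\bob")])
```

Running may_log_in against a few representative accounts before linking a policy shows which users an allow entry would lock out and which deny entries override a broader container or group allow.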
