Predefined role definitions

In addition to the predefined UNIX Login role, there are several predefined role definitions that are available by default in every zone. For Linux and UNIX computers, the following predefined role definitions are available:

  • listed makes a user profile visible in a zone but does not grant any type of access rights, PAM rights, or command rights. This is a specialized role that can be used when a user profile must exist for computers in a zone, but no local or remote access should be granted. For example, if a user owning files on a computer in a zone should no longer have access to the computers in the zone, you can assign the listed role so that the files continue to have an owner, but the user has no effective logon rights in the zone.
  • local listed makes a local user profile visible in a zone but does not grant any type of access rights. This is a specialized role that can be used when a local user profile must exist for computers in a zone, but no user access should be granted. For example, if a local user owning files on a computer in a zone should no longer have access to the computers in the zone, you can assign this role so that the files continue to have an owner, but the user still has no effective rights in the zone.
  • require MFA for login forces two-step authentication for access. This role does not grant access to any PAM applications but can be used in combination with the UNIX Login role to require users who are assigned to both roles to provide more than one form of authentication. You can also use this role with custom roles that grant access to specific applications if you want to require multi-factor authentication for those applications. You should note that using this predefined role definition requires additional configuration outside of Access Manager. For more information about what is required to support multi-factor authentication, see Requiring multi-factor authentication to log on.
  • Rescue - always permit login enables users to log on to computers if there are problems with the authentication, authorization, or auditing service that are preventing other users from logging on. For example, if auditing is required on a computer and the auditing service is not available, only users assigned to a role with the “rescue” system right will be able to log on.
  • scp grants secure copy (scp) access rights.
  • sftp grants secure file transfer (sftp) access rights.
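The way these roles combine (a role that grants nothing on its own, an MFA role that only adds a requirement on top of UNIX Login, a rescue right that survives an auditing outage) is easy to get wrong when reviewing a zone's role assignments. The following Python model, added here as an illustration and not Access Manager's own evaluation code, encodes the behaviour described above so the combinations can be checked; the right names ("login", "rescue", "scp", "sftp") and the unknown-role-grants-nothing rule are assumptions of this model.

```python
from dataclasses import dataclass

# Model of the predefined roles as described on this page (constructed for
# illustration). A role maps to the system rights it grants; "require MFA for
# login" grants no right itself, it only adds a condition to the login right.
ROLE_RIGHTS = {
    "UNIX Login": {"login"},
    "listed": set(),                 # visible profile, no access of any kind
    "local listed": set(),           # same, for local user profiles
    "require MFA for login": set(),  # no access on its own
    "Rescue - always permit login": {"login", "rescue"},
    "scp": {"scp"},
    "sftp": {"sftp"},
}


@dataclass
class Decision:
    permit: bool
    mfa_required: bool
    reason: str


def effective_rights(roles):
    """Union of rights over all assigned roles; unknown roles grant nothing."""
    rights = set()
    for role in roles:
        rights |= ROLE_RIGHTS.get(role, set())
    return rights


def evaluate_login(roles, auditing_required=False, audit_service_up=True,
                   mfa_satisfied=False):
    """Decide whether an interactive logon is permitted for this set of roles."""
    rights = effective_rights(roles)
    mfa_required = "require MFA for login" in roles
    if "login" not in rights:
        return Decision(False, mfa_required, "no assigned role grants a login right")
    # When auditing is required but the auditing service is down, only the
    # rescue right keeps the logon path open.
    if auditing_required and not audit_service_up and "rescue" not in rights:
        return Decision(False, mfa_required, "auditing required but audit service unavailable")
    if mfa_required and not mfa_satisfied:
        return Decision(False, True, "second authentication factor not provided")
    return Decision(True, mfa_required, "permitted")


def permits_transfer(roles, protocol):
    """True when the scp or sftp right is granted; transfer rights never imply login."""
    return protocol in effective_rights(roles) and protocol in ("scp", "sftp")
```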