System rights are always associated with a role definition, whether it is a predefined role such as the UNIX Login role or a custom role you create. You can enable or disable specific system rights in any role definition, but you cannot add, modify, or delete the rights themselves. For Linux and UNIX computers, you can select the following system rights for any role:
- Password login and non password (SSO) login are allowed: Specifies that a user is allowed to log on interactively using a password or without a password using a single sign-on token.
- Non password (SSO) login is allowed: Specifies that a user is allowed to log on using a single sign-on token.
- Account disabled in AD can be used by sudo, cron, etc.: Specifies that an account that is disabled in Active Directory is allowed to access the computer. This right is intended to allow service accounts that run without a password to perform operations.
- Login with non-Restricted Shell: Controls whether a user gets a standard shell or is forced into a restricted shell. Users must be assigned at least one role with this right to have access to a standard shell environment. A restricted shell only allows a user to execute explicitly defined commands.
In addition to the platform-specific system rights, there is a system right that allows users to bypass auditing or role restrictions to log on when there are problems on a computer. By selecting the Rescue rights option you can allow users in a particular role to log on in situations when all users would normally be locked out. For example, if authentication, authorization information, or auditing is required but not available, most users are prevented from logging on. You can use the rescue rights option to allow selected administrators to access the computer and fix the issues that are preventing other users from logging on.
Note: If you do not explicitly set the Allow users assigned to this role to log on if problems with authentication, authorization or auditing services prevent logon access rescue right option for any users, only the local root account will have rescue rights. The root account is always allowed to log on by default.