Viewing rights and roles

Access Manager allows you to view the status and effective rights for any Active Directory user or local user in a zone, whether or not they have been assigned a role. You can view detailed information about the rights and role assignments for users by using Show Effective UNIX User Rights. If a user is not assigned a role or does not have a complete user profile, be sure to select the Show omitted users option; otherwise, no information is shown for that user.

Note: Local users are defined in Access Manager in the zone and are saved in /etc/passwd on each computer in each zone where the profile is defined. Local users that you define in the zone do not need to be Active Directory users. For more information about local users, including information that is required for a user profile to be complete, see Creating user profiles.

To view rights for an individual user in Access Manager

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones as needed to select the zone name for which you want to view rights and other account details.
  3. Right-click, then select Show Effective UNIX User Rights.
  4. Select a computer or click Browse if you want to limit the information included to a specific computer.
  5. Select Show AD users and Show local users as necessary, depending on which users you want to view. One or both of these choices might already be selected, depending on the location from which you originally selected Show Effective UNIX User Rights.
  6. Select Show omitted users to include users who have an incomplete profile or do not have a role assignment in the list of UNIX users.

    User information is displayed as shown in the following example. Key points about the information displayed are as follows:

    • Users with incomplete profiles are displayed in red (if Show omitted users is selected).
    • Local users are not required to have an AD name, resulting in a displayed AD Name value of N/A.
    • AD users are not required to have a UNIX profile, resulting in a displayed Profile State value of N/A.
    • For more information about the differences between AD users and local users, as well as details about profile states for local users, see Creating, modifying, and deleting user profiles for local users.

  7. Select a user to see more detailed information about the user’s profile, role assignments, and rights in the selected zone or on a specific computer:

    • Click Zone Profile to review the UNIX profile defined for a user and where the profile attributes are defined. If a user has an incomplete profile, you can click the Zone Profile tab to see which profile attributes are missing.
    • Click Role Assignments to review a user’s role assignments. The Object Assigned column indicates whether the role is explicitly assigned to the user (user@domain) or to a group the user is a member of (group@domain). The Location of Assignment column indicates the zone or computer role in which the assignment was made. The Start Time and End Time columns contain information only if a role assignment has time constraints.
    • Click PAM Accesses to review the PAM application access rights for the user in the selected zone or on a specific computer, including the role to which the right belongs.
    • Click Commands to review the command access rights for the user in the selected zone or on a specific computer, including the role to which the right belongs.
    • Click SSH Rights to review the secure shell rights for the user in the selected zone or on a specific computer, including the role to which the right belongs.
  8. Click Close when you are finished reviewing user rights in a zone or on particular computers.