Defining rights to run privileged commands

The most common reason for creating a command right is to allow users to execute commands that require privileges not granted to a standard UNIX user account. For example, you might want to grant some users permission to run Centrify command-line programs that require root privileges to better manage their own computers.

Defining command rights that grant elevated privileges is similar to granting access to privileged commands using the sudoers configuration file and the sudo program.

Steps for completing this task

The following instructions illustrate how to define a command right to execute a command with elevated privileges. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To define a command right for privileged access

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to define a command right.
  3. Expand Authorization and UNIX Right Definitions, then select Commands.
  4. Right-click, then click New Command.
  5. On the General tab, type a short descriptive name for the command right, and optionally, a more detailed description for the command right.

    The privileged command name is required and must not be more than 63 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (“).

  6. Type the command you want to add.

    The Command field is required and should include any parameters or options, if needed. You can also use wild cards or a regular expression to specify commands matching a particular pattern.

  7. Select the type of pattern matching to use for the “Command” and “Specific path” fields.

    • Select Glob expressions to use glob pattern matching syntax for wild cards.
    • Select Regular expressions to use extended regular expression pattern matching.

    For more information about pattern matching, see Selecting the pattern matching syntax.

  8. Select an appropriate path for matching the command on the different operating environments you support.

    • Select Standard user path to use the local operating system’s common set of user directories to find the command.
    • Select Standard system path to use the directories the root user would normally get on the local operating environment to find the command.
    • Select System search path if you want to search for the command in a predefined set of locations. The search locations are defined using the dzdo.search_path configuration parameter. If you select System search path and the dzdo.search_path parameter is not defined, the current user’s path is used to search for the command.
    • Select Specific path if you want to define a custom set of locations for finding the command specified. If you select this option, you can specify one or more paths, separated by a colon.

    If you are specifying a path, the path must start with a forward slash (/) unless you are matching all paths (*). For example, if the command you specify is ls and you set the path to *, the ls command from any path is allowed.

    If you set both the “Command” field and the “Specific path” field to match all strings (*), any command from any path is allowed.

  9. Specify an integer that determines the priority of the command — the lower the number, the higher the priority.

    If there are multiple commands that match the pattern you specified for the “Command” field, the priority determines which command has higher priority.

  10. Click the Run As tab, then select Can be used by dzdo to allow the command to be added to a role for privileged execution.
  11. Select the user or group accounts that can be used to execute the command.

    • Select Any User if any standard user account can be used to execute the command with dzdo.
    • Select One of the following users, uids, groups or gids if you want to specify one or more user or groups that can be used to execute the command with dzdo.

    In most cases, the local root account is the appropriate account to use because it allows ordinary users to execute the specified command using root account privileges. However, you can click Add to add other users, groups, or service accounts that can be used to execute the command. Use the format #UID for UID values, %group for group names, or %#GID for GID values.

    The account used to execute commands can be an Active Directory user with a UNIX profile in the zone or a local UNIX user account. However, the account used to log on and invokes the command using dzdo must be associated with an Active Directory account.

    Optionally, you can specify the primary groups can be used when executing the command using dzdo:

    • Select Any Group if any group can be used as the primary group when executing the command with dzdo.
    • Select One of the following groups, then click Add if you want to specify the groups that can be used as the primary group when executing this command with dzdo.

    You can also configure commands to be executed using dzdo in a restricted shell environment. For this example, however, the command right is only used in a non‑restricted shell environment.

  12. Click OK to save the new command right.

    In most cases, you can use the default settings for environment variables and execution attributes.