Creating a role to run commands with elevated privileges

On most Linux and UNIX computers, you can identify commands that require elevated permissions, who can run those commands, and where different users or groups can run the commands using a sudoers configuration file. Users who have been granted the appropriate permissions can run privileged commands by invoking the sudo command.

Centrify provides similar functionality, but the commands are configured by defining command rights, adding the rights to the appropriate roles, and assigning the roles to different users and groups. Users who have been assigned the appropriate roles can then run privileged commands by invoking the dzdo command.

If users are assigned the predefined UNIX Login role, they have access to all of the standard command-line programs that are available to ordinary UNIX users. You can create a separate role for commands that run using root or another privileged user account. Alternatively, you can combine command rights and system rights in a custom role definition or by adding the command rights to the default UNIX Login role.

Command rights that allow users to execute commands with elevated privileges should only be added to roles with the Login with Non-Restricted Shell system right.

Users must invoke the dzdo command to run the commands that elevated-privilege command rights grant. If you selected the Re-authenticate current user option as an execution attribute when defining a command right, users must also authenticate before the command runs, in one of three ways depending on configuration: with the password for their own account; with their own password plus one or more other forms of authentication; or with the types of authentication determined by the authentication profile configured in Privileged Access Service, which might or might not involve providing a password.

If you selected the Re-authenticate using the target user’s password option as an execution attribute when defining a command right, users must also provide the password for the account used to execute the command.

To create a role that can execute commands with elevated privileges, do the following:

  • Create command rights for the privileged commands users are allowed to run.
  • Create a new role definition and set the System Rights for the role to allow password login, non-password login, or both, and select the Login with Non-Restricted Shell option, then click OK to save the role definition.
  • Right-click the role, select Add Right, then select login-all or a specific PAM access right and the privileged command rights users are allowed to run, then click OK to save the changes to the role definition.

For more information about creating, assigning, and testing custom role definitions, see Customizing command execution attributes.