Adding specific PAM access rights

PAM access rights control who can access specific PAM-enabled applications in the zone where they are created and in any child zones of that zone. You can add as many PAM access rights as you need to identify the specific PAM-enabled applications users can access. For example, you can add PAM access rights to control who can use file transfer protocol (ftp) services on specific computers.

If you want to grant rights to specific PAM applications, however, you must know the appropriate application name on the specific computers you support. For example, if you want to allow Active Directory users to log on and use a default shell, you might create a PAM access right for the login program and for a graphical desktop manager such as gdm.

What to do before creating a new access right

Before creating a new PAM access right, you should review the operating system of the computers in the zone where you plan to create the new right. The application name might be different on computers with different operating systems. If you are creating separate rights for individual PAM applications, keep in mind that users must have at least one PAM access right or they will not be able to log on to any computers.

Rights required for this task

You can create new PAM access rights if you have been delegated the “Manage roles and rights” administrative task in the Zone Delegation Wizard. If you have not been delegated this task, your user account must be a domain user with the following permissions:

Select this target object: Authorization
  To apply these permissions: Click the Properties tab, then select Allow for the following properties:

  • Write msDS-AzApplicationData

Select this target object: msDS-OpObjectContainer
  This object is listed under a globally unique identifier (GUID) for the Authorization object.
  To apply these permissions: On the Object tab, select Allow to apply the following permissions to this object:

  • Create msDS-AzOperation objects

  Click the Properties tab, then select Allow for the following properties:

  • Read objectClass

Who should perform this task

In most cases, a UNIX administrator or a delegated zone administrator familiar with PAM applications and the operating system of the managed computers performs this task, depending on your organization’s policies.

How often you should perform this task

It is common to add new PAM access rights over time as the need arises and as you develop more granular control over the specific rights different users should be granted.

Steps for completing this task

The following instructions illustrate how to add a PAM access right using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To define a PAM access right using Access Manager:

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name that will contain the new PAM access right.
  3. Expand Authorization, then expand UNIX Right Definitions.
  4. Select PAM Access, right-click, then click Add PAM Access Right.
  5. Type a name for the access right.

    The name of the access right can be the same as the PAM application name, or any name that is easily identifiable.

  6. Type the name of the PAM-enabled application for which you want to create an access right.

    You can use wildcards to perform pattern matching for the application name. For example, you can specify *ftp* to match all PAM-enabled applications containing the string ftp, such as vsftpd, ftpd, and ftp.

    The Application Name field supports glob pattern matching syntax. For example, the name can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). For more detailed information about using wildcard patterns and glob syntax, see the glob man page.

    You should note that application names vary depending on the local operating system where the application is accessed. For example, the following table lists several common PAM-enabled applications and the appropriate application name to use on different platforms.

    For this application: telnet
      • On common Linux platforms, such as Red Hat, Debian, SuSE, CentOS, and Ubuntu, HP-UX, and Irix, use this name: login
      • On Sun Solaris, use this name: telnet
      • On VMware ESX, Oracle Linux, and Scientific Linux, use this name: remote

    For this application: ftp
      • On common Linux platforms, such as Red Hat, Oracle Linux, and Scientific Linux, and VMware ESX, use this name: vsftpd
      • On some Linux platforms, such as Debian, CentOS, and Ubuntu, and on Sun Solaris, HP-UX, and Irix, use this name: ftp

    For this application: graphical desktop
      • On common Linux platforms, such as Red Hat, Debian, Oracle Linux, CentOS, Scientific Linux, and Ubuntu, use this name: gdm
      • On Sun Solaris and HP-UX, use this name: dtlogin
      • On SuSE and Irix, use this name: xdm

    For this application: ssh
      • On most platforms, use this name: sshd
      • On Debian and Ubuntu, use this name: ssh
  7. Type an optional description of the access right.
  8. Click OK to save the PAM access right.
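The following added Python example (not Centrify's code or part of this guide) makes the glob matching described in step 6 concrete. It uses Python's fnmatch module as a stand-in for the agent's glob(3)-style matching of the Application Name field, and the platform inventory is a constructed subset of the table above. It shows which platform-specific application names a pattern such as *ftp* covers, flags a pattern that matches every application (an over-broad right), and lists the platforms on which a role holding only the given rights would leave a user with no PAM access at all, which is the situation the "What to do before" note warns about.

```python
import fnmatch
from typing import Dict, List

# Constructed sample inventory: PAM-enabled application names by platform,
# drawn from the platform table in step 6 (a subset, for illustration only).
PLATFORM_APPS: Dict[str, List[str]] = {
    "Red Hat": ["login", "vsftpd", "gdm", "sshd"],
    "Debian": ["login", "ftp", "gdm", "ssh"],
    "Sun Solaris": ["telnet", "ftp", "dtlogin", "sshd"],
    "SuSE": ["login", "xdm", "sshd"],
}


def matching_apps(pattern: str, apps: List[str]) -> List[str]:
    """Return the names in `apps` matched by the access right's glob `pattern`.

    fnmatch.fnmatchcase handles '?', '*' and '[...]' the way glob(3) does for
    plain application names; it stands in for the agent's matcher here and is
    an assumption, not Centrify's implementation.
    """
    return [app for app in apps if fnmatch.fnmatchcase(app, pattern)]


def evaluate_right(pattern: str) -> Dict[str, List[str]]:
    """Show, per platform, which applications one PAM access right would cover."""
    return {platform: matching_apps(pattern, apps)
            for platform, apps in PLATFORM_APPS.items()}


def platforms_with_no_access(rights: List[str]) -> List[str]:
    """Platforms where none of a role's PAM access rights matches any application.

    A user whose role carries only these rights has no PAM access there and
    therefore cannot log on to those computers.
    """
    return [platform for platform, apps in PLATFORM_APPS.items()
            if not any(matching_apps(right, apps) for right in rights)]


def is_overbroad(pattern: str) -> bool:
    """True if the pattern matches every application on every platform.

    A right like a bare '*' grants access to all PAM-enabled services, which
    is rarely the intent of a per-application right and is worth reviewing.
    """
    return all(len(matching_apps(pattern, apps)) == len(apps)
               for apps in PLATFORM_APPS.values())


if __name__ == "__main__":
    for pattern in ("*ftp*", "ssh*", "[gx]dm", "*"):
        flag = " (over-broad)" if is_overbroad(pattern) else ""
        print(f"{pattern}: {evaluate_right(pattern)}{flag}")
    print("No PAM access with only 'vsftpd':", platforms_with_no_access(["vsftpd"]))
```

Running the script prints, for each pattern, the application names it would cover on each sample platform; note that *ftp* matches vsftpd on Red Hat but ftp on Debian and Solaris, and that a right naming only vsftpd leaves Debian, Solaris and SuSE users without access, which is why the table in step 6 matters when a zone spans several operating systems.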

What to do next

After you define a new PAM access right, you might want to create a new role definition and add this right to it in the current zone or in a child zone. You must add the right to a role to test its operation.