Combining rights into role definitions

Rights can be combined in a variety of ways to accomplish different goals. In general, however, role definitions fall into one of these broad categories:

  • Roles that grant access to one or more PAM applications and a standard UNIX shell.

    With this type of role, Active Directory users can log on using all PAM applications or a specified PAM application, such as login or ftp, and execute commands that are commonly available to non-administrative users. This type of role can only be assigned to Active Directory users or groups.

  • Roles that grant users additional privileges to execute administrative commands and perform administrative tasks they would not be able to perform with a standard user account.

    With this type of role, users can temporarily elevate their privileges to execute administrative commands by first invoking the dzdo command, which is similar to sudo. This type of role can be assigned to Active Directory users or to local users.

  • Roles that provide access to a specific subset of shell commands in a customized restricted environment shell (dzsh).

    With this type of role, users can execute the commands explicitly defined for them in a restricted shell environment. This type of role can be assigned to Active Directory users or to local users.

In preparing role definitions for different groups of users, you should keep in mind that the rights from multiple role assignments accumulate. For example, you could use one role definition to control login rights, and another role definition to specify a set of privileged commands. By separating login rights from privileged access rights, not every role definition requires PAM application or UNIX system rights.
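The following added example (not the product's code or schema) models how rights accumulate across role assignments and reviews the result per account. The `Role` fields, role names, accounts, and commands are hypothetical, constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:  # hypothetical model, not the product's schema
    name: str
    pam_apps: frozenset = frozenset()   # PAM applications the role allows, e.g. login, ftp
    dzdo_cmds: frozenset = frozenset()  # privileged commands run through dzdo
    dzsh_cmds: frozenset = frozenset()  # commands allowed in the restricted shell (dzsh)

# Constructed sample data: login rights and privileged rights kept in separate roles.
ROLES = {r.name: r for r in (
    Role("unix-login", pam_apps=frozenset({"login", "ftp"})),
    Role("db-admin", dzdo_cmds=frozenset({"/usr/bin/systemctl restart postgresql"})),
    Role("log-reader", dzsh_cmds=frozenset({"/usr/bin/tail", "/usr/bin/grep"})),
)}
ASSIGNMENTS = [  # (principal, role name); a principal is an account or a group
    ("unix-dbas", "unix-login"), ("alice", "db-admin"),
    ("bob", "db-admin"),
    ("svc_backup", "unix-login"), ("svc_backup", "log-reader"),
]

def effective_rights(account, groups=()):
    """Union the rights of every role assigned to the account or one of its groups."""
    principals = {account, *groups}
    eff = {"roles": [], "pam_apps": set(), "dzdo_cmds": set(), "dzsh_cmds": set()}
    for principal, role_name in ASSIGNMENTS:
        if principal in principals:
            role = ROLES[role_name]
            eff["roles"].append(role_name)
            for field in ("pam_apps", "dzdo_cmds", "dzsh_cmds"):
                eff[field] |= getattr(role, field)
    return eff

def review(account, groups=(), is_local=False):
    """Return findings for one account's accumulated rights."""
    eff, findings = effective_rights(account, groups), []
    # Roles granting PAM application access are for Active Directory users or groups only.
    if is_local and eff["pam_apps"]:
        findings.append("PAM login role assigned to a local account")
    # Separated roles: privileged commands present, but no accumulated PAM application right.
    if not is_local and eff["dzdo_cmds"] and not eff["pam_apps"]:
        findings.append("dzdo commands granted but no assigned role grants a PAM application")
    return findings

if __name__ == "__main__":
    for acct, groups, local in (("alice", ("unix-dbas",), False),
                                ("bob", (), False), ("svc_backup", (), True)):
        print(acct, effective_rights(acct, groups), review(acct, groups, local))
```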