Define command rights to prevent the use of commands

The steps for defining rights that deny access to specific commands are similar to the steps for defining other rights, but the command syntax is different. In this example, you create a “blacklist” of commands that users cannot execute.

To create a command right that denies password resets:

  1. Open Access Manager.
  2. Expand Zones, then expand the parent or child zones as needed to select the zone in which you want to create the new command right.
  3. Expand Authorization > UNIX Right Definitions.
  4. Select Commands, right-click, then click New Command.
  5. On the General tab, type a name, such as No password resets, for this command right and, optionally, a description for this right, then define the right:

    • Type !passwd * in the Command field.
    • Verify Standard user path is selected.

    An exclamation point (!) at the start of a command disallows matching commands. Command rights that start with the exclamation point take precedence over others that don’t.

  6. Click the Restricted Shell tab and verify Can be used in a restricted role and User running the command are selected.

    These options enable you to use this command right in combination with other rights in a role definition that requires a restricted shell environment.

  7. Click the Run As tab and verify Can be used by dzdo and Any user are selected, then click OK.

    In most cases, you can leave the default settings for the other properties. If you want to make changes, click the Environment and Attributes tabs before saving the new command.

  8. Repeat Step 4 to Step 7 to create rights for the following specific commands:

    !groupadd *
    !useradd *
    !groupdel *
    !userdel *
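
The following Python script is an added example, not code from the Access Manager product or its documentation. It models the rule stated in step 5: a command right beginning with an exclamation point denies matching commands and takes precedence over any other right, regardless of the order in which the rights are listed. It uses the five deny rights from this procedure, plus an assumed allow-everything right (`*`) that a role might also carry, so that the deny rules have something to override. The tokenised glob matching (executable compared by base name, a trailing `*` matching any argument list) is a modelling assumption, not documented product behaviour.

```python
"""Model of deny-first command-right evaluation (added example, not Centrify code)."""
from fnmatch import fnmatchcase
from os.path import basename
import shlex

# Deny rights from the procedure on this page. The leading "*" is an ASSUMED
# allow-all right in the same role, included only to show deny rules winning.
COMMAND_RIGHTS = [
    "*",
    "!passwd *",
    "!groupadd *",
    "!useradd *",
    "!groupdel *",
    "!userdel *",
]


def parse_right(right: str):
    """Return (is_deny, pattern_tokens). A leading '!' marks a deny right."""
    right = right.strip()
    is_deny = right.startswith("!")
    pattern = right[1:].strip() if is_deny else right
    return is_deny, shlex.split(pattern)


def pattern_matches(pattern_tokens, command_tokens) -> bool:
    """Glob-match a right's pattern against a tokenised command line.

    Modelling assumptions (not documented product behaviour):
      * the executable (first token) is compared by base name, so
        /usr/bin/passwd matches 'passwd';
      * a trailing '*' in the pattern matches any argument list, including none;
      * otherwise tokens are matched pairwise with shell-style globbing.
    """
    if not pattern_tokens or not command_tokens:
        return False
    open_ended = pattern_tokens[-1] == "*"
    fixed = pattern_tokens[:-1] if open_ended else pattern_tokens
    if len(fixed) > len(command_tokens):
        return False
    if not open_ended and len(fixed) != len(command_tokens):
        return False
    for i, (pat, tok) in enumerate(zip(fixed, command_tokens)):
        value = basename(tok) if i == 0 else tok
        if not fnmatchcase(value, pat):
            return False
    return True


def evaluate(command: str, rights=COMMAND_RIGHTS):
    """Decide whether `command` is permitted under `rights`.

    Deny ('!') rights are checked first and win regardless of list order;
    an allow right applies only if no deny right matched. Returns
    (decision, right) where decision is 'deny', 'allow' or 'no-match'.
    """
    command_tokens = shlex.split(command)
    parsed = [(*parse_right(raw), raw) for raw in rights]
    for is_deny, tokens, raw in parsed:
        if is_deny and pattern_matches(tokens, command_tokens):
            return "deny", raw
    for is_deny, tokens, raw in parsed:
        if not is_deny and pattern_matches(tokens, command_tokens):
            return "allow", raw
    return "no-match", None


if __name__ == "__main__":
    # Constructed sample commands a user in this role might try.
    for cmd in ["passwd root", "/usr/bin/passwd", "useradd -m alice",
                "groupdel wheel", "ls -l /etc"]:
        decision, right = evaluate(cmd)
        print(f"{cmd!r:25} -> {decision:8} (matched right: {right})")
```

Running the script shows every command in the blacklist being denied even though the allow-all right is listed first, while `ls -l /etc` is permitted by it; with only the deny rights in the list, a command such as `ls` reaches no matching right at all, which is the behaviour to expect when deny rights are used without any accompanying allow right in the role.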