Create an unrestricted shell role definition that uses the command rights

The command rights were configured to allow execution in either a restricted shell environment or an unrestricted shell environment. In an unrestricted shell environment—for example, the default shell environment when users are assigned the UNIX Login role—commands that require administrative privileges must be executed by first invoking the dzdo command, which is similar to invoking commands with sudo.

You can control whether users are required to enter a password or another form of authentication when they execute privileged commands using dzdo by setting one of the Re-authenticate options on the Attributes tab when you create a command right. By default, no password is required. If you were adding a new command right that requires re-authentication, you would click the Attributes tab, then select Re-authenticate current user or Re-authenticate using target user's password. For more information about these options, see Requiring re-authentication to run commands.

In most cases, the default of no password is appropriate because the user has already been authenticated before invoking dzdo to execute a privileged command, and the Re-authenticate using target user's password option requires the user to know the privileged account's password. For example, if you select this option and the run-as user is root, the user must know the password for the root account.

The steps for creating the role definition that includes the previously defined command right are the same for the unrestricted shell as for the restricted shell, except that, at Step 6 in the topic Create a restricted role definition for the service account, on the System Rights tab you would also select the Login with non-Restricted Shell option if you are not using the UNIX Login role. You could add all of the same command rights to the role definition and grant the same privileges and exceptions.

The primary difference between the two role definitions would be how users execute their privileged commands.

In the restricted shell environment, users run the adflush command, which requires administrative privileges, directly at the dzsh prompt:

dzsh $ adflush

In the unrestricted shell environment, users run the same adflush command by prefixing it with dzdo:

[tulo@ajax]$ dzdo adflush