Converting sudoers aliases and user specifications

Before you convert the sudoers file aliases and user specifications to rights, role definitions, and role assignments, be certain that you have imported all the users and groups specified in the sudoers file into Active Directory, and that you have added them to the zone into which you imported the sudoers file. If there are users and groups without a profile in the zone when you attempt to convert the user specifications from the imported sudoers file into role assignments in Access Manager, the conversion will fail.

In addition, keep in mind that the role definitions and assignments you create from sudoers specifications do not contain any UNIX system rights or PAM access rights. You can assign those rights through other roles, such as the predefined UNIX Login role, or you can add system rights and PAM access rights to the role definitions after you create them from the sudoers specifications.

Within each item are objects for the sudoers definitions that were imported. For example, within User Alias are alias definitions, each one of which contains the user accounts defined for that alias.

Each type of information from the sudoers file converts to a different type of authorization information in the Centrify zone. You do not need to convert all of the imported aliases. You can simply ignore or delete aliases that are obsolete or no longer relevant.

Converting user aliases

On Linux and UNIX computers, a user alias in the sudoers file defines a set of users without creating a group. When you convert a user alias specification to be used in a zone, however, it becomes an Active Directory group. Assigning users to groups simplifies user management because if users change roles or leave the company, you can simply remove their group membership, without deleting their accounts, and effectively, they no longer have access to the roles assigned to members of the group.

You can create a new Active Directory group from the user alias you imported or map the imported alias to an existing Active Directory group.

To create a new Active Directory group from a user alias

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.

  3. Expand Authorization and Sudoers, then select User Alias.

  4. Select the alias name, right-click, then select Create AD Group.

  5. Verify the container location, or click Browse to select a different container, then click Next.

  6. Verify the group name, which defaults to the alias name, optionally, add a prefix or suffix, and select the scope for the group, then click Next.

  7. Review the group and group membership information displayed, then click Next.

    If there are any warnings or errors displayed, you must fix the errors before continuing. If only warnings are displayed, you can continue to create the group. For example, if the user alias has members that don’t have a corresponding Active Directory account, you can continue creating the group.

  8. Review information about the new Active Directory group, then click Finish to create the group.

To map a user alias to an existing group

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.

  3. Expand Authorization and Sudoers, then select User Alias.

  4. Select the alias name, right-click, and select Map to AD Group.

  5. Select Remove original AD group membership or cancel the selection depending on whether you want to keep the current members of the group when adding the users from the alias definition.

    If you select this option, the wizard removes the existing members of the group when adding the new members. If you do not select this option, the wizard adds the new members to the existing members.

  6. Click Browse, then enter search criteria to identify the group and click Find Now.

  7. Select the name of the group and click OK.

    The wizard imports the users defined by the alias into the specified Active Directory group. It also issues a warning message that it can’t import users who are defined by the alias but who are not defined in Active Directory.

Viewing run-as aliases

A run-as alias defines a group of one or more users whom other users are able to run commands as. Select and double-click the alias name to expand it and see the users who are defined for it. You cannot directly import run-as aliases. However, if a user specification includes a run-as alias, you can view the run-as definition in the Runas Alias node, and import the commands defined in the specification. For more information about user specifications, see Converting user specifications.

Converting host aliases

Host alias definitions are popular in centralized sudoers files because they allow you to assign privileges to groups of computers rather than managing privileges on an individual computer and file basis. They convert naturally to computer roles, which also assign privileges to groups of computers.

When you convert a host alias to a computer role, the wizard creates a new computer role, creates an Active Directory group that contains the computers defined in the host alias, and adds these computers to the new computer role. Because the computer role group is an Active Directory group, the computers can span multiple zones and include computers that are joined to different zones. To complete the computer role definition, you must add the appropriate user role assignments, which specify what specific users and groups in different role definitions are allowed to do on the computers included in the computer role group.

To create a computer role from a host alias

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.

  3. Expand Authorization and Sudoers, then select Host Alias.

  4. Select the alias name, right-click, then select Create Computer Role.

  5. Click Next to accept the location for the group of computers, or change the location, then click Next.

  6. Verify or change the group name, optionally, add a prefix or suffix, and select the scope for the group, then click Next.

  7. Review the group and group membership information displayed, then click Next.

  8. Review information about the new Active Directory group for computers, then click Finish to create the group and the new computer role.

    If the computer accounts exist in Active Directory, the computers defined in the host alias are automatically added to the new Active Directory computer group and to the “Members” node of the new computer role.

  9. Expand Authorization, Computer Roles, and the computer role name.

  10. Select Role Assignments, right-click, and click Assign Role.

  11. Select the role and click OK.

  12. Click Add AD Account.

  13. Select User or Group, enter search criteria, then click Find Now to search for and select the user or group, then click OK.

  14. Select the appropriate user or group from the result, then click OK to complete the user role assignment.

Viewing command aliases

You can select the Command Alias sub-node to view the command aliases that were imported from the sudoers file. You can’t edit or delete the command aliases. The information is displayed for your reference. You can assign the command aliases listed to role definitions, role groups, and computer roles when you convert the user specifications imported from the sudoers file.

Converting user specifications

In the sudoers file, user specifications make use of the alias definitions to assign commands and privileges to users. After you import the sudoers file, you can convert the user specifications into role assignments.

To convert user specifications to role definitions and role assignments

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.

  3. Expand Authorization and Sudoers, then select User Specifications.

  4. Select the name of a user specification, right-click, then select Import.

  5. Review the list of commands to be created, then click Next.

  6. Verify the name of the role definition to be created, then click Next.

    By default, the role definition is named Role_n. You can change it after it is created.

  7. If the user or group defined in the imported user specification is found in the zone, the role assignment to be created is displayed and you can click Next, then click Finish.

    If the user or group defined in the imported user specification is not found in the zone, the role assignment will fail and the role displays an error (Error). Click Cancel to exit the wizard and add the user or group to Active Directory and the zone.

    Importing a user specification will fail if the user or group defined in the user specification is not found in the zone, or if none of the computers defined for the host alias in the user specification are found in the zone.

  8. Rename the role definition by expanding Authorization and Role Definitions.

    • Select the new role definition, for example, Role_2.

    • Right-click, then select Rename.

    • Type a new name for the role definition.

The role definitions you create from a sudoers specification do not contain the UNIX system rights or PAM access rights. You can assign these rights through a separate role assignment or by adding the appropriate UNIX system rights and PAM access rights to the new role definitions.
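As an added pre-flight check (example code written for this page, not part of the Centrify documentation or product), the following Python script parses a constructed sudoers fragment, expands its User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias definitions the way the import resolves them, and reports which users, groups and hosts referenced by each user specification are still missing from the zone, which are the two conditions under which the import fails. It assumes single-line entries with comma-separated lists and the simple (user) run-as form, and takes the zone contents as plain sets.

```python
import re
# Constructed sample sudoers content (illustration only, not from the page)
SAMPLE_SUDOERS = """\
User_Alias  ADMINS    = alice, bob, %wheel
Runas_Alias DBA       = oracle
Host_Alias  DBSERVERS = db01, db02
Cmnd_Alias  DBCMDS    = /usr/bin/systemctl restart oracle, /usr/local/bin/backup.sh
ADMINS DBSERVERS = (DBA) DBCMDS   # user specification built from the aliases
carol ALL = (root) NOPASSWD: /usr/bin/apt-get
"""
ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def expand(table, items):  # replace alias names with their members, recursively
    out = []
    for item in (i.strip() for i in items):
        out.extend(expand(table, table[item]) if item in table else [item])
    return out

def parse_sudoers(text):
    """Return (aliases, specs): {kind: {name: [members]}} and expanded user specs."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    specs = []
    # strip comments and blank lines, then classify each remaining line
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        kind, _, body = line.partition(" ")
        if kind in ALIAS_KINDS:
            name, _, members = body.partition("=")
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        left, _, right = line.partition("=")  # users hosts = (runas) [TAG:] commands
        users, hosts = left.rsplit(None, 1)
        m = re.match(r"\(([^)]*)\)\s*(.*)", right.strip())  # optional (runas) list
        runas, right = (m.group(1).split(","), m.group(2)) if m else (["root"], right)
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in right.split(",")]
        fields = zip(("users", "runas", "hosts", "commands"), ALIAS_KINDS,
                     (users.split(","), runas, hosts.split(","), cmds))
        specs.append({f: expand(aliases[k], v) for f, k, v in fields})
    return aliases, specs

def preflight(text, zone_users, zone_groups, zone_hosts):
    """List missing zone users/groups (fail the role assignment) and hosts (fail the import)."""
    missing = []
    for spec in parse_sudoers(text)[1]:
        for who in spec["users"]:
            kind, name = ("group", who[1:]) if who.startswith("%") else ("user", who)
            if name not in (zone_groups if kind == "group" else zone_users):
                missing.append((kind, name))
        if "ALL" not in spec["hosts"] and not any(h in zone_hosts for h in spec["hosts"]):
            missing.append(("hosts", ",".join(spec["hosts"])))
    return missing
```

Run preflight against the users, groups and computers that actually have profiles in the target zone before starting the Import wizard; an empty result means every user specification can be converted.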

Removing imported sudoers information

Once you have validated the conversion of imported sudoers file information, you can purge the sudoers information from Access Manager.

To purge sudoers information

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name into which you imported the sudoers file.

  3. Expand Authorization, then select Sudoers.

  4. Right-click, then select Purge.

    The Sudoers node and its sub-nodes are removed from Access Manager.

Mapping sudo to dzdo

To execute privileged commands, users must type dzdo followed by the command name. If you want, you can map sudo to dzdo, which allows your users, who are accustomed to using sudo to execute their privileged commands, to continue to type sudo commandName. If the user has a role assignment that allows them to execute the command in an unrestricted shell, the command is executed using dzdo commandName. To map sudo to dzdo on computers in your organization, you can enable the “Replace sudo by dzdo” group policy for a site, domain, or organizational unit.

For more information about working with group policies, see the Group Policy Guide.