Defining a command right and a new role
You are now ready to define a new privileged command right that uses the asterisk (*) wildcard to give the user the equivalent of all commands, all paths, and all hosts in the sudoers file. In a production deployment, you would define more specific sets of privileged commands and run them using accounts with more restricted access than the root user.
To create a new UNIX right definition for the administrative role
Create a new privileged command using Access Manager.
- Expand the Authorization node under the Headquarters zone, then expand UNIX Right Definitions and select Commands.
- Right-click, then select New Command. For this example, you will only set information on the General tab.
- Type a command name and description, for example root_any_command and All commands, all paths, all hosts.
- Type an asterisk (*) in the Command field to match all commands.
- Leave the default setting for Glob expressions.
- Select the Specific path option and type an asterisk (*) to match all command paths, then click OK.
You now have a root_any_command that grants privileges to run any command in your role definitions. In the next steps, you create a role that will give members of the EnterpriseUnixAdmins group the root_any_command privileges.
To create and assign the UNIX administrators role
Create a new role definition using Access Manager.
- Expand the Authorization node under the Headquarters zone, select Role Definitions, right-click, then select Add Role.
- Type a role name (UnixAdminRights) and a description (Set of rights for UNIX administrators) for the new role.
- Click the System Rights tab and select all of the UNIX rights and the Rescue right.
- Click the Audit tab and select Audit if possible, then click OK.
Add the root_any_command and several default rights to the new role.
Assign the UnixAdminRights role to the enterprise UNIX administrators group using Access Manager.
- Expand the Authorization node under the Headquarters zone, select Role Assignments, right-click, then select Assign Role.
- Select the UnixAdminRights role and click OK.
- Click Add AD Account.
- Change the object to find from User to Group, search for and select the EnterpriseUnixAdmins group, then click OK.
- Click OK to complete the role assignment.
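To make the difference between the wildcard right above and the narrower rights recommended for production concrete, here is an added illustrative model (not Access Manager's own matching engine, and not code from this guide) of how a command right with a command glob and a specific path glob decides whether a given invocation is permitted. The right names, the `WebOperatorRights` role and the `restart_web` right are constructed for the example.

```python
from __future__ import annotations
import fnmatch
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandRight:
    """Simplified model of a UNIX command right (illustrative, not the product's logic).
    command: glob matched against the command name plus its arguments
    path:    glob matched against the directory the executable is run from
    """
    name: str
    command: str
    path: str

    def allows(self, argv: list[str]) -> bool:
        executable = argv[0]
        directory = os.path.dirname(executable) or "."
        cmdline = " ".join([os.path.basename(executable), *argv[1:]])
        # Both the command glob and the path glob must match for the right to apply.
        return (fnmatch.fnmatchcase(cmdline, self.command)
                and fnmatch.fnmatchcase(directory, self.path))


@dataclass(frozen=True)
class Role:
    """A role is a named bundle of command rights assigned to a group."""
    name: str
    rights: tuple[CommandRight, ...]

    def permitted(self, argv: list[str]) -> list[str]:
        """Return the names of the rights in this role that permit argv."""
        return [r.name for r in self.rights if r.allows(argv)]


# The right defined in this guide: "*" for the command and "*" for the path.
ROOT_ANY_COMMAND = CommandRight("root_any_command", "*", "*")
# A constructed, production-style right: one exact command from one directory.
RESTART_WEB = CommandRight("restart_web", "systemctl restart httpd", "/usr/bin")

UNIX_ADMIN = Role("UnixAdminRights", (ROOT_ANY_COMMAND,))
WEB_OPERATOR = Role("WebOperatorRights", (RESTART_WEB,))

if __name__ == "__main__":
    for argv in (["/usr/bin/systemctl", "restart", "httpd"],
                 ["/tmp/systemctl", "restart", "httpd"],
                 ["/usr/bin/passwd", "root"]):
        print(argv, "->", UNIX_ADMIN.permitted(argv), WEB_OPERATOR.permitted(argv))
```

The wildcard right matches every invocation, while the narrow right rejects the same command name run from an unexpected directory and any other command entirely.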