Centrify recommends that you create the role definition for a service account in the appropriate child zone. If you want to make the role definition available in all child zones, however, you can create it in the parent zone. The specific selections you make for the role depend on the requirements of the service account for which you are creating the role definition. The steps described here provide general guidelines. Other settings may apply for the role definition in your organization.
To create a new role for a service account:
- Start Access Manager.
- In the console tree, expand Zones and the top-level parent zone.
- Select the specific zone for which you want to define a role, and expand Authorization.
- Select Role Definitions, right-click, then click Add Role.
- On the General tab, type a name and description for the new role, then click OK.
Click the System Rights tab and select the following options that allow the service account to access UNIX computers using SSH keys or Kerberos, then click OK:
- Non-password (SSO) login is allowed
- Account disabled in AD can be used
- Login with non-restricted shell
In most cases, you should select the Login with non-restricted shell option. This option enables the service account to execute all of its commands in a standard shell. To have the service account run in a restricted shell, you must be able to identify and define rights for all of the commands that the service runs. The service account must also be able to execute all of its commands within the restricted shell (dzsh) environment. For most organizations, this additional security requires significant research and testing before it can be implemented. However, forcing a service account to run in a restricted shell reduces the likelihood that a compromised service account could be used to attack computers on the network.
- Select the new role, right-click, then click Add Right.
Select the login-all right for the zone, then click OK.
This predefined right grants access rights for all PAM applications. If you determine that a specific service account should only use a specific PAM application, such as SSH or FTP, you can define a right that only allows that application to be used, then select that right in the role definition to specify that the service account must use the selected PAM application for access.