Create a restricted shell role definition that uses the command rights

After you have defined all of the command rights that disallow specific commands, you can create one or more role definitions to use those rights. For example, you might create one role definition to run in an unrestricted shell that requires users to invoke dzdo to execute privileged commands and another role definition that runs in a restricted shell but does not require users to execute privileged commands using dzdo. The second role might be useful if you have existing scripts that would have to be modified if invoking dzdo is required.

To create a role definition for specific command rights:

  1. Open Access Manager.
  2. Expand Zones and any parent or child zones as needed to select the zone name where you want to create the new role definition.
  3. Expand Authorization.
  4. Select Role Definitions, right-click, then click Add Role.
  5. Type a name and description for the new role.

    For example, type a name such as "operators" and descriptive text such as "Users with this role can run privileged commands but not reset passwords, add or delete users and groups."

  6. Click System Rights if you want this role definition to be used in a restricted shell environment as a replacement for the predefined UNIX Login role.

    To use this role, a user must be assigned to a role definition that has at least one UNIX system right, such as "Password login and non‑password (SSO) login are allowed" or "Non‑password (SSO) login is allowed".

  7. Click OK to save the role definition.
  8. Select the new role definition, right-click, then click Add Right.
  9. Select all of the command rights that disallow specific operations, the command right that grants access to all remaining commands, and a PAM access right, then click OK.

    For example, you might add the following previously-defined command rights to this role definition:

    No password resets
    No user adds
    No group adds
    No user deletes
    No group deletes
    Root like access (* for all commands not explicitly disallowed)
    PAM ssh/login allowed

    This role definition allows members of the operators role to execute any command, including privileged commands, within a restricted shell environment without invoking dzdo first, except for the commands that are explicitly disallowed. You can assign the role definition to the appropriate Active Directory users or groups in the same way as the previous role definitions.