Create a role definition for running all commands

After you have defined the right to allow a user to run any command with root privileges, you can create a role definition for that right. You must create a role definition somewhere in the zone hierarchy before you can assign users to the role.

To create a role definition with the right to run all commands as root:

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the role definition.
  3. Expand Authorization.
  4. Select Role Definitions, right-click, then click Add Role.
  5. Type a name and description for the new role, then click OK.

    For example, type a name such as root_equivalent and a description such as: Users with this role can run any command with root privileges.

    Optionally, you can select Allow local accounts to be assigned to this role if you want to assign both Active Directory users and local users to the role. This option is only available when you first create a role definition. You can also click Available Times if you want to limit when the role is available for use. By default, roles are available at all times.

    If you are using the UNIX Login role to grant access to computers in the zone and want to use the default auditing level of Audit if possible, click OK, then skip to Step 8.

  6. If you are not assigning the UNIX Login role to grant access to computers, click the System Rights tab and select the following options:

    • Password login and non-password (SSO) login are allowed
    • Non-password (SSO) login is allowed
    • Login with non-Restricted Shell

    Note that you cannot set these system rights if you selected the option to allow local users to be assigned to this role.

  7. If you don’t want to use the default auditing level, click the Audit tab.

    • Select Audit not requested/required if you have the auditing service enabled but don’t want to audit user activity when this role is used.
    • Select Audit if possible to audit user activity where you have the auditing service enabled.
    • Select Audit required to always audit user activity. If the auditing service is not installed or not available, users in this role are not allowed to log on.

  8. Select the new role definition, right-click, then click Add Right.
  9. Select the right you defined for running all commands as root, then click OK.