Question:
Users who are defined in Centrify Privileged Access Service (PAS) are allowed to log in to Linux machines that are enrolled in the tenant.
How can those users also be given the ability to execute privileged commands?
Answer:
The right to execute a privileged command can be granted through the sudoers file. Before sudoers can be used, the users must
belong to a group that is known on the Linux machine. In this example, the users are combined into a PAS role, and the role is then made
visible on the Linux machine using a feature called Group Visibility.
The Linux machine is running the cagent (non-zoned mode) that is downloaded from the PAS tenant.
e.g.
1) Create a Role in PAS called: My CC Users
2) Add PAS users to the role. In the image below, both Active Directory (AD) users and PAS users are added to the role.
3) Make the role visible to the Linux machine using Group Visibility
Settings -> Enrollment -> Group Visibility
Add the Role: My CC Users
4) Check that the Linux machine is in a set and that the set has member permissions that allow the "My CC Users" members
to log in (the AgentAuth permission):
Resources -> Systems -> Sets -> My CC Systems
Resources -> Systems -> Sets -> My CC Systems -> Modify -> Member Permissions
5) On the Linux machine, cc-rhel7x64, the cloud information is refreshed with:
# cflush
The group can be seen with:
# getent group

6) With the group information available to the operating system, the sudoers file can be modified to give the users the ability to run privileged commands via sudo. In this case, the spaces in the group name need to be "escaped" with backslashes so they do not interfere with sudoers parsing. Here is the sudoers modification that gives all of these users all rights:
7) Test that one of the users, tink@centrify.com.720, can run a privileged command. In this case, tink will execute the command:
$ sudo cflush
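The following is an added example and not part of the original article or of Centrify's own tooling. It shows how steps 5 to 7 fit together on the Linux side: the group name "My CC Users" is escaped for sudoers, the entry is checked with visudo before it is installed, and the group is first confirmed to be resolvable so that a missing cflush is caught early. The drop-in file name, the cflush path used in the usage comment, and the assumption that /etc/sudoers includes /etc/sudoers.d are mine, not the article's; the command list defaults to ALL, which matches the "all rights" entry the article describes, and narrowing it to specific commands is where least privilege is applied.

```shell
#!/bin/sh
# Added example, not part of the Centrify article: build, validate and install
# a sudoers drop-in for a PAS role exposed as a Linux group whose name contains
# spaces ("My CC Users"). Assumes /etc/sudoers includes /etc/sudoers.d and
# that visudo(8) is available for syntax checking.

# sudoers requires every space in a group name to be escaped with a backslash.
escape_group_name() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# Build the entry "%<group> ALL=(ALL) <commands>".
# $1 = group name as reported by getent, $2 = command list (default ALL,
# which is the "all rights" form the article uses).
sudoers_line_for_group() {
    printf '%%%s ALL=(ALL) %s\n' "$(escape_group_name "$1")" "${2:-ALL}"
}

# True when the OS can resolve the group, i.e. after Group Visibility is set
# and the agent cache has been refreshed with cflush.
group_visible() {
    getent group "$1" >/dev/null 2>&1
}

# Write the entry to a drop-in only after visudo accepts it, so a typo never
# leaves sudo unusable. Drop-in file names must not contain '.' or '~'.
install_sudoers_dropin() {
    group="$1"
    commands="${2:-ALL}"
    target="${3:-/etc/sudoers.d/pas-my-cc-users}"   # assumed drop-in name
    if ! group_visible "$group"; then
        echo "group '$group' not resolvable; check Group Visibility and run cflush" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sudoers_line_for_group "$group" "$commands" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 "$tmp" "$target"
    status=$?
    rm -f "$tmp"
    return $status
}

# List the sudo rights a user now has; the article tests with tink@centrify.com.720.
show_sudo_rights() {
    sudo -l -U "$1"
}

# Usage (as root, after steps 1 to 5 of the article):
#   install_sudoers_dropin 'My CC Users'                     # all rights, as in the article
#   install_sudoers_dropin 'My CC Users' '/usr/bin/cflush'   # only cflush (path assumed)
#   show_sudo_rights 'tink@centrify.com.720'
```

Running `sudoers_line_for_group 'My CC Users'` prints `%My\ CC\ Users ALL=(ALL) ALL`; the install function refuses to write anything until `getent group` resolves the name and `visudo -cf` accepts the file, which is the same check to repeat whenever a role is renamed in PAS.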
Note: Once the group is visible on the Linux machine, any operation that needs a group can be implemented. Granting permissions with sudo is just one example; applications that use groups for authorization can also leverage this functionality.