Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-16425: Using Group Visibility to Allow PAS Users to Execute Privileged Commands

Privileged Access Service ,  

26 June,19 at 07:36 PM

Question:
  
Users who are defined in Centrify Privileged Access Service (PAS) are allowed to login to Linux machines that are enrolled in the tenant. 
How can those users also be given ability to execute privileged commands?

Answer:
  
The right to execute a privileged command can be given through the sudoers file.  Before leveraging sudoers, the users must be
defined in a group known on the Linux machine.  In this example, the users are combined into a PAS role, and the role is then made
visible on the Linux machine using a feature called Group Visibility. 
The Linux machine is running the cagent (non-zoned) that is downloaded from the PAS tenant.

e.g.
1) Create a Role in PAS called:  My CC Users

2) Add PAS users to the role.  In the image below, both Active Directory (AD)  users and PAS users are added to the role.
  
User-added image
  
 
3) Make the role visible to the Linux machine using Group Visibility
 
Settings -> Enrollment -> Group Visibility
  
User-added image

Add the Role:  My CC Users
  
4) Do a check to make sure the Linux machine is in a set and that the set has member permissions so the "My CC Users" members
can login (The AgentAuth permission)
 
Resources-> Systems -> Sets -> My CC Systems
  
User-added image
  
Resource -> Systems -> Sets -> my CC Systems -> Modify -> Member Permissions
 
User-added image
  
  
5) On the Linux machine, cc-rhel7x64, the cloud information is refreshed with: 
  
# cflush
 
The group can be seen with: 
 
# getent group
  
User-added image

  
6) With the group information available to the operating system, the sudoers files can be modified to give the users the ability to do privileged command via sudo.  In this case, the spaces in the group name need to be "escaped" with backslashes, so they do not interfere with parsing.  Here is the sudoers modification that gives all these users, all rights:
  
User-added image

    
7) Test that one of the users, tink@centrify.com.720 can do a privileged command.  In this case, tink will execute the command:
 
$ sudo cflush

User-added image
 
Note: Once the group is visible on the Linux machine, any operation that needs a group can be implemented.  This is just a single example granting permissions with sudo.  But applications that use groups for authorization can also leverage this functionality
  
  

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleCentrify 21.2 Release Notes articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleCentrify 21.1 Release Notes articleCentrify 20.7 Release Notes