
KB-16425: Using Group Visibility to Allow PAS Users to Execute Privileged Commands

Privileged Access Service

26 June 2019 at 07:36 PM

Users who are defined in Centrify Privileged Access Service (PAS) are allowed to log in to Linux machines that are enrolled in the tenant.
How can those users also be given the ability to execute privileged commands?

The right to execute a privileged command can be granted through the sudoers file. Before leveraging sudoers, the users must be defined in a group that is known on the Linux machine. In this example, the users are combined into a PAS role, and the role is then made visible on the Linux machine using a feature called Group Visibility. The Linux machine is running the cagent (non-zoned) that is downloaded from the PAS tenant.

1) Create a Role in PAS called: My CC Users

2) Add PAS users to the role. In the screenshot for this step, both Active Directory (AD) users and PAS users are added to the role.

3) Make the role visible to the Linux machine using Group Visibility:
Settings -> Enrollment -> Group Visibility

Add the Role: My CC Users

4) Check that the Linux machine is in a set and that the set has member permissions so the "My CC Users" members can log in (the AgentAuth permission):
Resources -> Systems -> Sets -> My CC Systems
Resources -> Systems -> Sets -> My CC Systems -> Modify -> Member Permissions

5) On the Linux machine, cc-rhel7x64, refresh the cloud information with:
# cflush
The group can then be seen with:
# getent group


6) With the group information available to the operating system, the sudoers file can be modified to give the users the ability to run privileged commands via sudo. In this case, the spaces in the group name need to be escaped with backslashes so they do not interfere with parsing. The sudoers modification shown in the screenshot for this step gives all these users all rights.


7) Test that one of the users can run a privileged command. In this case, tink executes:
$ sudo cflush

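As an added example (not part of the KB article), the sudoers change from step 6 can be scripted: the group name is escaped exactly as the article describes, the group is confirmed visible via getent (step 5) before the rule is written, and visudo checks the syntax before the rule goes live. The role name "My CC Users" comes from the article; the sudoers.d file name and the optional command-list parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the KB article: build the sudoers entry for a
# PAS role made visible through Group Visibility, and install it safely.
# Assumes the role "My CC Users" from the article; file name and command list
# are my own choices.

# sudoers treats an unescaped space as a field separator, so each space in
# the group name is escaped: "My CC Users" -> "My\ CC\ Users".
escape_group() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# Build the rule line. The article grants ALL; passing a comma-separated list
# of full command paths instead is the least-privilege alternative.
sudoers_line() {
    printf '%%%s ALL=(ALL) %s\n' "$(escape_group "$1")" "$2"
}

# The group must already be resolvable by NSS (article step 5: cflush, then
# getent group), otherwise the rule silently matches nobody.
group_visible() {
    getent group "$1" >/dev/null 2>&1
}

# Write the rule to /etc/sudoers.d and let visudo -c reject it before it is
# live; a syntax error in sudoers can lock everyone out of sudo.
install_sudoers_rule() {
    group="$1"; cmds="$2"; file="/etc/sudoers.d/${3:-pas-role}"
    if ! group_visible "$group"; then
        echo "group '$group' is not visible; run cflush and retry" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sudoers_line "$group" "$cmds" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$file"
        rc=$?
    else
        echo "visudo rejected the rule; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root), mirroring step 6 of the article:
#   install_sudoers_rule "My CC Users" ALL
# Afterwards, 'sudo -l -U tink' lists what the user may run (step 7 check).
```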
Note: Once the group is visible on the Linux machine, any operation that needs a group can be implemented. This is just a single example, granting permissions with sudo; applications that use groups for authorization can also leverage this functionality.