Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-34632: Configuring a "su-only" Role with Access Manager

Authentication Service ,  

22 May,20 at 06:08 PM

How can an Active Directory account be configured such that the account does not have login rights to a target machine, but other accounts are allowed to "su" to this account?

In this example, the su-only account is a service account named cfy-srv-account.

1) In Access Manager, create the user profile in the desired zone for cfy-srv-account.

2) Create the PAM Access Right.  In this example, the right is named "su-only".

Access Manager -> <Go to the Zone> -> Authorization -> Unix Right Definitions -> PAM Access -> Add PAM Access Right
User-added image

3) Create a Role Definition that has this right.  It must also have a login system right and "user is visible" right.  In the example, the Role is named "su only"
Access Manager -> <Go to the Zone> -> Authorization -> Role Definitions -> Add Role
User-added image

User-added image

4) Add the "su-only" right that was created in Step 1 to the "su only" Role
User-added image

5) Assign the role to the target service user, cfy-srv-account.
User-added image

6) Be sure to flush the cache on the target machine to see the changes
Before the role assignment, root cannot su to user "cfy-srv-account"

User-added image

After the role assignment, root CAN su to cfy-srv-account

User-added image

User cfy-srv-account cannot login over ssh

User-added image