Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-34632: Configuring a "su-only" Role with Access Manager

Authentication Service ,  

22 May,20 at 06:08 PM

Question:
  
How can an Active Directory account be configured such that the account does not have login rights to a target machine, but other accounts are allowed to "su" to this account?

  
Answer:
  
In this example, the su-only account is a service account named cfy-srv-account.

1) In Access Manager, create the user profile in the desired zone for cfy-srv-account.

2) Create the PAM Access Right.  In this example, the right is named "su-only".
 
Access Manager -> <Go to the Zone> -> Authorization -> Unix Right Definitions -> PAM Access -> Add PAM Access Right
 
User-added image
  

3) Create a Role Definition that has this right.  It must also have a login system right and "user is visible" right.  In the example, the Role is named "su only"
 
Access Manager -> <Go to the Zone> -> Authorization -> Role Definitions -> Add Role
 
User-added image

 
User-added image


4) Add the "su-only" right that was created in Step 1 to the "su only" Role
 
User-added image
  

5) Assign the role to the target service user, cfy-srv-account.
 
User-added image
  

6) Be sure to flush the cache on the target machine to see the changes
 
Before the role assignment, root cannot su to user "cfy-srv-account"

User-added image

  
After the role assignment, root CAN su to cfy-srv-account

User-added image

  
User cfy-srv-account cannot login over ssh

User-added image

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7048: Configuring a Privileged Role to Access a Resource on the Domain Controller articleKB-12797: How to use the Centrify PowerShell Module to Automate Access and Privilege Operations articleConfiguring Cloudera Manager External Authentication with Centrify (Part One) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? article[HOWTO] Configure Centrify Authentication Service with an AWS Managed Microsoft Active Directory articleConfiguring Centrify Platform for Radius MFA Using Symantec Validation and Identity Protection article[Labs] Setting-up an AWS Test Lab for Centrify