Managing Linux/UNIX Profiles
This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.
To manage Linux and UNIX users on the Delinea Platform, you need user profiles for them. A Linux/UNIX user profile consists of the attributes required by the name service switch (NSS) facility on Linux and UNIX computers.
Linux/UNIX user profiles on the Delinea Platform are created in the following ways:
- Delinea Platform creates user profiles for Linux/UNIX users automatically when a user (or a user group) is added to the Subject part of a policy and the Target of the policy is a Linux or UNIX machine. If the user does not already have a Linux/UNIX profile, Delinea Platform generates one using the attributes in the default provisioning rule. See Default Provisioning Rule.
- You can import Linux/UNIX profiles. See Importing Linux/UNIX User Profiles.
- You can also create user profiles manually. See Creating a Linux/UNIX User Profile Manually.
Permissions Required
To work with Linux/UNIX user profiles, you need the appropriate permissions.
If you have the Platform Admin role, you can perform all tasks related to Linux/UNIX user profiles. For information about this role, see Roles and Permissions.
If you do not have the Platform Admin role, your user account must have one or more of the following task-specific permissions, depending on what you want to do:
- Create Linux User Profile
- Update Linux User Profile
- Delete Linux User Profile
- Read Linux User Profile
For more information about these permissions, see Platform Permissions.
Default Provisioning Rule
To make it easier to add Linux/UNIX user profiles, Delinea Platform provides a default provisioning rule. The default provisioning rule gives values for Linux/UNIX user profile attributes. See Linux/UNIX Profile Attributes.
The attribute values in the default provisioning rule are automatically generated and, in most cases, you can accept the default values. However, you can also override the default values for a given user either globally or on specific machines. The rest of this topic describes how.
Linux/UNIX Profile Attributes
A user must have a complete profile with all of the required attributes defined to be recognized as a valid user on a specific computer. These are the same attributes you would define locally for Linux and UNIX users in the /etc/passwd file.
Attribute | Default value and description |
---|---|
DNS computer name | (Optional) If not specified, this is a global profile. If specified, the values in this profile apply only on the given computer; see Overriding Linux/UNIX User Profiles on Computers. If the DNS computer name is provided, it must be present in the computers inventory on the platform. See Inventory. |
Username | Active Directory name or User Principal Name (UPN). This name must be unique and cannot be changed after the user profile is created. Example: jfranklon@JFLAB.VMS. User names can consist of letters, numbers, hyphens, underscores, periods and dashes. Some operating environments may have additional restrictions: for example, some do not support user names longer than 8 characters, and some require the first character of the user name to be alphabetic. Because UNIX user names typically use only lowercase characters, the default user profile name displayed follows this convention. If you modify the default profile name and include uppercase characters, keep in mind that the same case must be used when entering the user name. For compatibility with Samba, the dollar sign ($) can also be used at the end of the user name. In general, other special characters, such as ! and &, are not supported. |
Login name | The Active Directory user logon name associated with the Active Directory account. Example: james |
UID | A unique identifying number. Delinea Platform automatically generates a unique user ID number based on the globally unique identifier (GUID) of the Active Directory user. |
GID | An automatically generated unique numeric identifier that represents the private primary group the user belongs to. It can be the same as the user's default UID. Private groups are not stored or managed in Active Directory. |
GECOS | A runtime variable that resolves to the Active Directory displayName attribute associated with the Active Directory account. |
Home directory | A runtime variable that specifies the default home directory when resolved locally on a computer. The home directory is automatically constructed from two variables representing the home directory root and the username. |
Shell | A runtime variable that specifies the default login shell when resolved locally on a computer. It sets the user's shell to the default shell defined for that computer. Example: bash |
Viewing Linux/UNIX User Profiles
To view a list of all the Linux/UNIX user profiles currently defined in your platform tenant, use the Search bar to find the User Profiles page, or select Access > Linux/Unix profiles > User profiles.
A list screen appears that shows the profile attributes for every Linux/UNIX user profile on the platform.
In addition to the required attributes described in Linux/UNIX Profile Attributes, this screen also shows a Type column. If the value in the Type column is Global, the row shows the global profile settings that have been defined for the user. If the value is Computer, the row shows settings that apply only when the user logs in to the computer shown in the DNS Computer Name column.
Modifying Default Provisioning Rule for Linux/UNIX Users
When Linux/UNIX user profiles are created automatically by the platform or manually by a platform user, the profile attributes are filled in using the default provisioning rule.
To change the rule:
- Open the User Profiles page. Use the Search box to find it, or select Access > Linux/Unix profiles > User profiles.
- Select the tab Default provisioning rule.
- In this screen, you can edit some of the fields:
  - Login name - The name that the user will type at the command line to log in. The profile's login name can be modified, but not the Username.
  - GECOS - Display name.
  - Shell - From the dropdown list, choose the command-line interpreter (shell) that is to be used by default: bash, ksh, and so on.
- Click Save.
Importing Linux/UNIX User Profiles
You can create or update Linux/UNIX profiles for Delinea Platform users by doing a bulk import from Active Directory. The platform provides an import wizard for this purpose. The wizard accepts a comma-separated value (CSV) file with the user profile data and uses it to create user profiles on the platform.
For the import to work, the following prerequisites must be in place:
- The Connector must be installed and the platform connected to the external Active Directory instance that contains the existing users.
- The Command Relay must be installed so the imported users can be written to the platform's Active Directory.
Creating the CSV File
You can create the CSV file that provides input to the Linux/UNIX user import wizard in two different ways:
- Create the CSV file manually. Download the template CSV file from the first page of the import wizard. The template shows which fields you need to specify for each user profile. See Running the Import Wizard.
- Export user profiles in CSV format. See Exporting Linux/UNIX User Profiles.
In the CSV file, follow these guidelines:
- The maximum number of users that can be imported at one time is 1,000.
- When specifying new UID values, it is not recommended to use 0 through 999, because these UID values might collide with system accounts.
- If you import new Linux/UNIX profiles for users with existing profiles, any UID change causes those users to lose access to their previous home directory.
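The guidelines above (row limit, reserved UID range, UID changes for existing users) and the login-name rules from the Linux/UNIX Profile Attributes table are the kind of checks worth running on a CSV file before handing it to the import wizard. The following Python pre-flight validator is an added example, not Delinea's code: the column names (username, login_name, uid, gid, gecos, home_directory, shell) are assumptions, since the real template downloaded from the wizard defines the authoritative headers, and both the sample CSV and the existing_uids map are constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass

# Column names are an assumption for this example; the template downloaded
# from the import wizard is the authoritative source for the real headers.
REQUIRED_COLUMNS = ("username", "login_name", "uid", "gid",
                    "gecos", "home_directory", "shell")
MAX_ROWS = 1000          # import limit stated in the guidelines
RESERVED_UID_MAX = 999   # UIDs 0-999 may collide with system accounts

# Letters, digits, hyphen, underscore and period, plus an optional trailing
# dollar sign for Samba-style names.
LOGIN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+\$?$")


@dataclass(frozen=True)
class Finding:
    level: str    # "error" should block the row, "warning" is advisory
    row: int      # 1-based data row (0 = applies to the whole file)
    message: str


def check_login_name(name, row):
    """Apply the login-name rules from the profile attributes table."""
    if not LOGIN_NAME_RE.match(name):
        return [Finding("error", row, f"login name {name!r} contains unsupported characters")]
    out = []
    if name != name.lower():
        out.append(Finding("warning", row, f"login name {name!r} has uppercase letters; the same case must be typed at login"))
    if not name[0].isalpha():
        out.append(Finding("warning", row, f"login name {name!r} does not start with a letter; some systems require that"))
    if len(name.rstrip("$")) > 8:
        out.append(Finding("warning", row, f"login name {name!r} is longer than 8 characters; some systems reject that"))
    return out


def validate_import(csv_text, existing_uids=None):
    """Check CSV text against the import guidelines before running the wizard.

    existing_uids maps username -> UID already on the platform (constructed
    for this example); a changed UID is flagged because that user would lose
    access to the previous home directory.
    """
    existing_uids = existing_uids or {}
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [Finding("error", 0, "missing columns: " + ", ".join(missing))]

    rows = list(reader)
    findings = []
    if len(rows) > MAX_ROWS:
        findings.append(Finding("error", 0, f"{len(rows)} rows exceeds the limit of {MAX_ROWS} per import"))

    seen_users, seen_uids = {}, {}
    for n, rec in enumerate(rows, start=1):
        user = (rec.get("username") or "").strip()
        if user in seen_users:
            findings.append(Finding("error", n, f"duplicate username {user!r} (also on row {seen_users[user]})"))
        seen_users.setdefault(user, n)

        findings.extend(check_login_name((rec.get("login_name") or "").strip(), n))

        try:
            uid = int(rec.get("uid") or "")
        except ValueError:
            findings.append(Finding("error", n, f"UID {rec.get('uid')!r} is not an integer"))
            continue
        if 0 <= uid <= RESERVED_UID_MAX:
            findings.append(Finding("warning", n, f"UID {uid} is in the reserved range 0-{RESERVED_UID_MAX}"))
        if uid in seen_uids:
            findings.append(Finding("error", n, f"UID {uid} is already used on row {seen_uids[uid]}"))
        seen_uids.setdefault(uid, n)
        if user in existing_uids and existing_uids[user] != uid:
            findings.append(Finding("warning", n, f"UID of {user!r} changes from {existing_uids[user]} to {uid}; the user loses access to the old home directory"))
    return findings


# Constructed sample input: three rows, each exercising one guideline.
SAMPLE_CSV = """username,login_name,uid,gid,gecos,home_directory,shell
jfranklin@JFLAB.VMS,jfranklin,1001001,1001001,James Franklin,/home/jfranklin,/bin/bash
aadmin@JFLAB.VMS,Admin,500,500,Alice Admin,/home/admin,/bin/bash
bob@JFLAB.VMS,bob!,1001003,1001003,Bob Builder,/home/bob,/bin/sh
"""
# Constructed view of what is already on the platform.
EXISTING_UIDS = {"jfranklin@JFLAB.VMS": 1001001, "aadmin@JFLAB.VMS": 1001002}

if __name__ == "__main__":
    for f in validate_import(SAMPLE_CSV, EXISTING_UIDS):
        print(f"row {f.row}: {f.level}: {f.message}")
```

Errors correspond to rows the wizard's own validity check would reject or that would produce ambiguous identities (duplicate usernames or UIDs); warnings are the guideline items the wizard accepts but that cost the user something later, such as a UID change that strands the old home directory. Fix errors in the file and re-run before importing, rather than relying on the "ignore errors" path.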
Running the Import Wizard
To bulk import Linux/UNIX profiles and create user accounts for the profiles:
- Open the Linux/UNIX User profiles page. (Use the Search box to find it, or choose Access > Linux/Unix profiles > User profiles from the left navigation.)
- Click Import user profile.
- Prepare the CSV file. Click Download template and fill in the information for each user using the provided columns.
  Be sure to follow the guidelines in Creating the CSV File.
- Click Select file. Locate and select the CSV file that contains the profile information.
- Click Next.
  The import wizard compares the CSV file to Active Directory and displays a status screen with a sample of the profiles to be imported. If any errors are found, the wizard lists them in this screen.
- If needed, fix any errors in the CSV file and start again. Alternatively, you can choose to ignore the errors and import only the users who passed the validity check.
- When you are ready, click Proceed.
- Click Import.
  If any of the user profiles already exist on the platform, a popup is displayed with a list of the duplicates. Select the checkboxes next to the profiles you want to overwrite with the new profile data. Deselect the checkboxes next to any profiles you want to preserve as is. Click Confirm.
  When the import is complete, a summary window is displayed to show the results.
- If desired, click Download CSV Summary to get a report of the import results. If the import skipped any profiles because of errors, the report lists them, and you can review the details in the CSV file.
Exporting Linux/UNIX User Profiles
You can export Privilege Control for Servers (PCS) user profiles from Active Directory to get their global profiles so you can import them into your Delinea Platform instance.
Prerequisites:
- The PowerShell modules for Server Suite and the PowerShell modules for Active Directory Users and Computers must be installed. If you run the PowerShell script on the Delinea Engine server where the Command Relay is installed, these required PowerShell modules are already installed. See Command Relay Workload.
- A user account that can read the DelineaZone within the Active Directory Delinea Platform OU.
To export Linux/UNIX user profiles:
- Log in to a computer that has the required PowerShell modules (recommended: the Delinea Engine server where Command Relay is installed) with a user account that can read the DelineaZone within the Active Directory Delinea Platform OU.
- Open Delinea Marketplace.
- Download the Delinea PCS Tools zip file.
- In the zip file, find and unzip the PowerShell script export_profiles.ps1.
- Run the script. In the -CsvFilePath parameter, give a name for the output file. For example:
  .\export_profiles.ps1 -CsvFilePath D:\export\export-profiles.csv
Creating a Linux/UNIX User Profile Manually
You can add a Linux/UNIX user profile manually. This is especially useful if you want to assign profile attributes that are different from the default provisioning rule.
- Open the User Profiles page. Use the Search box to find it, or select Access > Linux/Unix profiles > User profiles.
- Click Create user profile.
  The form Create manual user profile is displayed.
- Click Select a user.
- In the popup window, find and click the Active Directory user that you want to add.
  The user's username becomes the Username attribute. This attribute cannot be changed once the new user profile is saved; to change it, you must delete the user profile and add it again.
  The Create manual user profile screen appears again, with the login name, UID, GID, GECOS, home directory, and shell automatically filled in based on the Default Provisioning Rule.
- Change any of these values if desired.
- When the settings are finished, click Create.
Overriding Linux/UNIX User Profiles on Computers
You can specify settings for Linux/UNIX user profiles that will apply only on a particular computer. This is useful when a user has a login name, UID, GID, shell, or home directory on this machine that is different from what the user would normally have, as set in the user's default global profile.
You can create a computer override by specifying the DNS name when importing users in bulk. See Importing Linux/UNIX User Profiles.
For users that already exist on the platform, you can specify a computer override as follows:
- Select Inventory > Computers.
- Pick a Linux or UNIX machine from the list of computers.
- Click the tab Linux/Unix profile.
- Access the profile override settings in one of the following ways:
  - Click Create Linux/Unix profile, or
  - Click any existing user in the list, then click Edit.
- Change the settings as desired (except for the Username).
- Click Save.
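The Global and Computer rows described in Viewing Linux/UNIX User Profiles and the computer override described in this section combine into one effective identity per (user, computer) pair, and it is that effective identity the NSS facility on the host ends up using. The Python model below is an added example, not Delinea's code: the Profile field names, the case-insensitive DNS comparison and the sample profiles are all assumptions constructed for the example. Besides selecting the effective row and rendering it in /etc/passwd layout, it reports UID collisions, the case where two different users would resolve to the same UID on one computer once overrides are applied, which the per-user uniqueness of UIDs in the global profiles does not rule out.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    """One row of the User Profiles list; field names are assumptions."""
    username: str                            # AD name or UPN, never changes
    login_name: str
    uid: int
    gid: int
    gecos: str
    home_directory: str
    shell: str
    dns_computer_name: Optional[str] = None  # None -> Global, else Computer

    @property
    def type(self) -> str:
        return "Global" if self.dns_computer_name is None else "Computer"


def effective_profile(profiles, username, dns_name):
    """Return the row that applies for `username` on the computer `dns_name`.

    A Computer row whose DNS name matches (compared case-insensitively, an
    assumption of this example) wins over the Global row; a Computer row for
    a different machine is ignored. Returns None if the user has no profile.
    """
    mine = [p for p in profiles if p.username == username]
    for p in mine:
        if p.type == "Computer" and p.dns_computer_name.lower() == dns_name.lower():
            return p
    for p in mine:
        if p.type == "Global":
            return p
    return None


def passwd_line(p):
    """Render the profile the way NSS would present it, in /etc/passwd layout."""
    return f"{p.login_name}:x:{p.uid}:{p.gid}:{p.gecos}:{p.home_directory}:{p.shell}"


def uid_collisions(profiles, dns_name):
    """Map UID -> usernames that would share it on `dns_name` once overrides apply."""
    by_uid = {}
    for username in sorted({p.username for p in profiles}):
        eff = effective_profile(profiles, username, dns_name)
        if eff is not None:
            by_uid.setdefault(eff.uid, []).append(username)
    return {uid: users for uid, users in by_uid.items() if len(users) > 1}


# Constructed sample data: james has a global profile plus an override on
# build01, whose UID happens to equal alice's global UID.
PROFILES = [
    Profile("james@JFLAB.VMS", "james", 1001001, 1001001, "James Franklin",
            "/home/james", "/bin/bash"),
    Profile("james@JFLAB.VMS", "jfrank", 2001, 2001, "James Franklin",
            "/export/home/jfrank", "/bin/ksh", dns_computer_name="build01.jflab.vms"),
    Profile("alice@JFLAB.VMS", "alice", 2001, 2001, "Alice Adams",
            "/home/alice", "/bin/bash"),
]

if __name__ == "__main__":
    for host in ("build01.jflab.vms", "web01.jflab.vms"):
        print(host, passwd_line(effective_profile(PROFILES, "james@JFLAB.VMS", host)))
        print(host, "UID collisions:", uid_collisions(PROFILES, host))
```

Running uid_collisions against each computer's inventory after adding an override is a cheap check: a shared UID means shared file ownership on that host, and the override form does not compare the UID you enter with other users' effective UIDs on the same machine.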