Assigning the UNIX Login Role
The predefined UNIX Login role allows Active Directory users to log on to Delinea-managed computers using any PAM-enabled application—such as login, ssh, or ftp—with a default shell and permission to execute the same set of commands available to any standard UNIX user account. By default, the UNIX Login role is configured to take effect immediately and never expire. By default, the UNIX Login role is also configured to audit user activity if the auditing service is running on a computer that users access.
The default settings are appropriate for most Linux and UNIX users in most organizations. However, you can change any of the default settings in either a parent or a child zone, if needed.
What to Do Before Assigning the UNIX Login Role
You can assign the UNIX Login role to all Active Directory users, to specific Active Directory users, or to specific Active Directory groups. Because the UNIX Login role is a predefined role, you cannot assign any local users to the role.
Before you assign the role, you should decide whether you want to assign and inherit the role from a parent zone or make the assignment in a specific child zone. You should also decide whether you want to specify optional start and end times for some role assignments.
Rights Required for This Task
The following table describes the minimum rights that must be granted for users to successfully manage role assignments in a zone:
| This target object | Requires these permissions | Applied to |
|---|---|---|
| Authorization | On the Object tab, select Allow for the following: List contents; Read all properties; Create all child objects; Delete all child objects. On the Properties tab, select Allow for the following: Write msDS-AzApplicationData | This object only |
| | On the Properties tab, select Allow for the following: Write displayName; Write msDS-AzApplicationData; Write msDS-TasksForAzRole; Write msDS-MembersForAzRole | The msDS-AzRole object |
| AzRoleObjectContainer | On the Object tab, select Allow for the following: List contents; Read all properties; Create msDS-AzRole objects; Delete msDS-AzRole objects | The msDS-AzApplication object and all child objects |
| | On the Properties tab, select Allow for the following: Write displayName; Write msDS-AzApplicationData; Write msDS-TasksForAzRole; Write msDS-MembersForAzRole | The msDS-AzRole object |
| | On the Properties tab, select Allow for the following: Write msDS-AzApplicationData | The msDS-AzAdminManager object |
| AzOpObjectContainer | On the Object tab, select Allow for the following: Read all properties; Create msDS-AzOperation objects; Delete msDS-AzOperation objects; Create msDS-AzRole objects; Delete msDS-AzRole objects | This object only |
| | On the Properties tab, select Allow for the following properties: Write displayName; Write msDS-AzApplicationData; Write msDS-TasksForAzRole; Write msDS-MembersForAzRole | The msDS-AzRole object |
| | On the Properties tab, select Allow for the following: Read name; Read Name; Write msDS-AzApplicationData; Write name; Write description | The msDS-AzOperation object |
Who Should Perform This Task
A UNIX administrator who manages one or more zones most often performs this task, depending on your organization’s policies.
How Often You Should Perform This Task
In most organizations, you assign the UNIX Login role to target groups of users during deployment and then as needed thereafter.
Steps for Completing This Task
The following instructions illustrate how to assign the UNIX Login role using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, AD Edit, or the Delinea Windows API are available in other guides, the Delinea Software Developer’s Kit, or in community forums on the Delinea website.
To assign users and groups to the UNIX Login role in a zone
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name where you want to make role assignments.
- Expand Authorization.
- Select Role Assignments, right-click, then click Assign Role.
- Select the UNIX Login role definition from the list of roles, then click OK.

  By default, the role is set to start immediately and never expire. You can set a Start time, End time, or both start and end times for the role assignment. For example, if the role assignment applies to a contractor who will be hired for a specific period of time and you want to automatically disable the role after they finish the job and leave the organization, you can specify the start and end times when you assign the role.
- Select whether the role assignment applies to all Active Directory accounts or specific accounts.

  If you want to automatically assign the role to every user added to the Active Directory forest or trusted forests, you can select All Active Directory accounts for convenience. This option is similar to selecting the “Authenticated Users” or “Everyone” system groups. For example, if you want to assign all Active Directory users the UNIX Login role by default, you can select this option. Only users who also have a complete UNIX profile will be able to log on to the UNIX computers joined to the domain.

  If you are assigning the role to specific accounts, click Add AD Account to search for and select the Active Directory groups or users to assign to the role, then click OK.
- Click OK to complete the role assignment.
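The same assignment scripted with the Access Module for Windows PowerShell mentioned above, as an added example that is not from this page or from Delinea's own documentation: it assigns the UNIX Login role to an AD group in a child zone with the time-bound window from the contractor scenario, then lists the zone's UNIX Login assignments as a check. The cmdlet names and parameters are assumed from the Access Module as commonly documented; the zone name, group name, 90-day window and result property names are placeholders.

```powershell
# Added example (not Delinea's own code). Cmdlets assumed from the Access Module for
# Windows PowerShell; zone, group, window and property names below are placeholders.
Import-Module Centrify.DirectControl.PowerShell

$zoneName  = 'Finance'                   # placeholder: the child zone to assign in
$groupName = 'EXAMPLE\Unix-Contractors'  # placeholder: AD group, DOMAIN\name form

# Resolve the zone and the predefined UNIX Login role; fail early if either is missing.
$zone = Get-CdmZone -Name $zoneName
if (-not $zone) { throw "Zone '$zoneName' not found" }

$role = Get-CdmRole -Zone $zone -Name 'UNIX Login'
if (-not $role) { throw "UNIX Login role not found in zone '$zoneName'" }

# Contractor scenario from the procedure: the assignment starts now and is
# disabled automatically after 90 days instead of living forever by default.
$start = Get-Date
$end   = $start.AddDays(90)

New-CdmRoleAssignment -Zone $zone -Role $role `
    -TrusteeType ADGroup -ADTrustee $groupName `
    -StartTime $start -EndTime $end `
    -Description 'Contractor engagement; expires automatically'

# Check: list every UNIX Login assignment in this zone with its validity window
# (Role, Trustee, StartTime and EndTime are assumed property names of the result).
Get-CdmRoleAssignment -Zone $zone |
    Where-Object { $_.Role.Name -eq 'UNIX Login' } |
    Select-Object Trustee, TrusteeType, StartTime, EndTime |
    Format-Table -AutoSize
```

Run this from a workstation that has Access Manager and the Access Module installed, as an account holding the rights listed in the table above.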
What to Do Next
Verify that the Active Directory users or group members assigned the UNIX Login role can log on to Delinea-managed computers in the zone where you made the role assignment. Only users who also have a complete UNIX profile in that zone will be able to log on.
Where You Can Find Additional Information
If you want to learn more about working with rights, roles, and role assignments, see the following topics for additional information: