Default Access Rights and Roles
In addition to the predefined UNIX Login role that grants basic access to Delinea-managed computers during deployment, there are other predefined access rights and role definitions that are available by default in every zone. These other predefined rights and role definitions provide specialized access rights for specific scenarios that are common in Linux and UNIX environments.
Default PAM access rights
For Linux and UNIX computers, the following predefined PAM access rights are available:
- login-all grants access to all PAM-enabled applications by specifying the asterisk (*) wild card for the application name. This right is included in the predefined UNIX Login role. You can add this right to any custom role to grant access to all PAM applications, such as login, ftp, ssh, telnet, and many others, without specifying them individually.
- ssh grants access to secure shell sessions on Debian and Ubuntu 6 and 7 computers. By default, this access right grants users access to all secure shell applications and operations.
- sshd grants access to secure shell sessions on all Linux and UNIX computers except Debian and Ubuntu 6 and 7 computers. By default, this access right grants users access to all secure shell applications and operations.
Default secure shell (SSH) access rights
Secure shell (SSH) access rights enable you to limit what users who are granted the PAM ssh or sshd right can do. These rights have no effect without the PAM ssh or sshd right. In addition, the default secure shell rights are only applicable for the Delinea-compiled version of OpenSSH.
For Linux and UNIX computers, the following predefined secure shell access rights are available:
- dzssh-all grants access to all secure shell services.
- dzssh-direct-tcpip allows local and dynamic port forwarding (ssh -L, ssh -D).
- dzssh-exec allows command execution.
- dzssh-scp allows secure copy (scp) operations.
- dzssh-sftp allows secure file transfer (sftp) operations.
- dzssh-shell allows secure terminal (tty/pty) connections.
- dzssh-Subsystem allows any external subsystem other than the sftp subsystem, which has its own right (dzssh-sftp).
- dzssh-tcpip-forward allows remote port forwarding (ssh -R).
- dzssh-tunnel allows tunnel device forwarding.
- dzssh-X11-forwarding allows X11 forwarding.
Starting in the Server Suite 2023.1 release, the scp command's default protocol is the sftp protocol. When scp uses the sftp protocol (the default), the user must be assigned dzssh-sftp. When scp is run with the -O option, which selects the legacy scp protocol, the user must be assigned dzssh-scp.
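The following is an added example, not Delinea's code, that models how the PAM ssh/sshd rights and the dzssh-* rights described above combine to permit or deny a secure shell operation, including the scp protocol rule from Server Suite 2023.1. The function names, the operation labels and the platform identifiers are assumptions made for this illustration.

```python
# Illustrative model of the documented rights (added example, not Delinea code).
# Rights are represented as plain strings, e.g. {"sshd", "dzssh-sftp"}.

def pam_right_for_platform(platform: str) -> str:
    """Debian and Ubuntu 6/7 are governed by the 'ssh' PAM right;
    all other Linux and UNIX platforms by 'sshd'. Platform labels are assumed."""
    return "ssh" if platform in {"debian", "ubuntu6", "ubuntu7"} else "sshd"

def required_dzssh_right(op: str, **detail) -> str:
    """Map a secure shell operation to the dzssh-* right that covers it."""
    if op == "shell":
        return "dzssh-shell"                 # tty/pty session
    if op == "exec":
        return "dzssh-exec"                  # remote command execution
    if op == "sftp":
        return "dzssh-sftp"
    if op == "scp":
        # Since Server Suite 2023.1 scp speaks sftp by default; only 'scp -O'
        # uses the legacy scp protocol and therefore needs dzssh-scp.
        return "dzssh-scp" if detail.get("legacy_protocol") else "dzssh-sftp"
    if op == "subsystem":
        # sftp has its own right; any other subsystem falls under dzssh-Subsystem.
        return "dzssh-sftp" if detail.get("name") == "sftp" else "dzssh-Subsystem"
    if op in ("local_forward", "dynamic_forward"):   # ssh -L / ssh -D
        return "dzssh-direct-tcpip"
    if op == "remote_forward":                        # ssh -R
        return "dzssh-tcpip-forward"
    if op == "tunnel":
        return "dzssh-tunnel"
    if op == "x11":
        return "dzssh-X11-forwarding"
    raise ValueError(f"unknown operation {op!r}")

def is_allowed(rights: set[str], platform: str, op: str, **detail) -> bool:
    """True when the user's effective rights permit `op` on `platform`."""
    pam_needed = pam_right_for_platform(platform)
    # dzssh-* rights have no effect without the PAM ssh/sshd right; login-all
    # (part of the UNIX Login role) covers every PAM application via its '*' wildcard.
    if not ({pam_needed, "login-all"} & rights):
        return False
    needed = required_dzssh_right(op, **detail)
    return "dzssh-all" in rights or needed in rights

if __name__ == "__main__":
    user = {"sshd", "dzssh-sftp"}            # constructed sample assignment
    print("scp (default sftp protocol):", is_allowed(user, "rhel", "scp"))
    print("scp -O (legacy protocol):   ", is_allowed(user, "rhel", "scp", legacy_protocol=True))
```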
Predefined role definitions
In addition to the predefined UNIX Login role, there are several predefined role definitions that are available by default in every zone. For Linux and UNIX computers, the following predefined role definitions are available:
- listed makes a user profile visible in a zone but does not grant any type of access rights, PAM rights, or command rights. This is a specialized role that can be used when a user profile must exist for computers in a zone, but no local or remote access should be granted. For example, if a user owning files on a computer in a zone should no longer have access to the computers in the zone, you can assign the listed role so that the files continue to have an owner, but the user has no effective logon rights in the zone.
- local listed makes a local user profile visible in a zone but does not grant any type of access rights. This is a specialized role that can be used when a user profile must exist for computers in a zone, but no user access should be granted. For example, if a user owning files on a computer in a zone should no longer have access to the computers in the zone, you can assign the listed role so that the files continue to have an owner, but the user still has no effective rights in the zone.
- require MFA for login forces two-step authentication for access. This role does not grant access to any PAM applications but can be used in combination with the UNIX Login role to require users who are assigned to both roles to provide more than one form of authentication. You can also use this role with custom roles that grant access to specific applications if you want to require multi-factor authentication for those applications. You should note that using this predefined role definition requires additional configuration outside of Access Manager. For more information about what is required to support multi-factor authentication, see Requiring multi-factor authentication to log on.
- Rescue - always permit login enables users to log on to computers if there are problems with the authentication, authorization, or auditing service that are preventing other users from logging on. For example, if auditing is required on a computer and the auditing service is not available, only users assigned to a role with the “rescue” system right will be able to log on.
- scp grants secure copy (scp) access rights.
- sftp grants secure file transfer (sftp) access rights.