Viewing Rights and Roles

Access Manager allows you to view the status and effective rights of any Active Directory user or local user in a zone, whether or not the user has been assigned a role. To see detailed information about a user's rights and role assignments, use Show Effective UNIX User Rights. If a user is not assigned a role or does not have a complete user profile, be certain to select the Show omitted users option; otherwise, no information is shown for that user.

Local user profiles are defined in the zone in Access Manager and are written to /etc/passwd on each computer in that zone where the profile is defined. Local users that you define in a zone do not need to be Active Directory users. For more information about local users, including the information that is required for a user profile to be complete, see Creating user profiles.

To view rights for an individual user in Access Manager

  1. Open Access Manager.

  2. Expand Zones, then expand the parent and child zones as needed to reach the zone whose rights and other account details you want to view.

  3. Right-click the zone name, then select Show Effective UNIX User Rights.

  4. Select a computer or click Browse if you want to limit the information included to a specific computer.

  5. Select Show AD users, Show local users, or both, depending on which users you want to view. One or both of these options might already be selected, depending on the location from which you originally selected Show Effective UNIX User Rights.

  6. Select Show omitted users to include users who have an incomplete profile or do not have a role assignment in the list of UNIX users.

    User information is displayed as shown in the following example. Key points about the information displayed are as follows:

    • Users with incomplete profiles are displayed in red (if Show omitted users is selected).

    • Local users are not required to have an AD name, resulting in a displayed AD Name value of N/A.

    • AD users are not required to have a UNIX profile, resulting in a displayed Profile State value of N/A.

    • For more information about the differences between AD users and local users, as well as details about profile states for local users, see Creating, modifying, and deleting user profiles for local users.

  7. Select a user to see more detailed information about the user’s profile, role assignments, and rights in the selected zone or on a specific computer:

    • Click Zone Profile to review the UNIX profile defined for a user and where the profile attributes are defined. If a user has an incomplete profile, you can click the Zone Profile tab to see which profile attributes are missing.

    • Click Role Assignments to review a user's role assignments. The Object Assigned column indicates whether the role is assigned explicitly to the user (user@domain) or to a group the user is a member of (group@domain). The Location of Assignment column indicates the zone or computer role in which the assignment was made. The Start Time and End Time columns are populated only if the role assignment has time constraints.

    • Click PAM Accesses to review the PAM application access rights for the user in the selected zone or on a specific computer, including the role to which the right belongs.

    • Click Commands to review the command access rights for the user in the selected zone or on a specific computer, including the role to which the right belongs.

    • Click SSH Rights to review the secure shell rights for the user in the selected zone or on a specific computer, including the role to which the right belongs.

  8. Click Close when you are finished reviewing user rights in a zone or on particular computers.

Checking Rights and Roles with the dzinfo Program

You can also view rights and roles for the current user or for specific users by running the dzinfo command-line program on Delinea-managed computers. To use dzinfo to view roles and rights for users other than yourself, however, you must run it as root.

You can run dzinfo without any arguments to see your own rights and role assignments. The command displays detailed information about your role assignments, the availability of each role assignment, your effective rights, the current audit level, and the specific PAM access, command, and secure shell rights you have been granted.

To see more detailed information, such as the days and times at which a role is available, use the --verbose option:

dzinfo --verbose

To view roles and rights for a specific user:

  1. Log on as root, or switch to root, on a managed computer.

  2. Run dzinfo with the user name as its argument:

    dzinfo username

    For example, to see details about the rights and roles assigned to the user sonya, you could type the following command:

    dzinfo sonya

If rights and role assignments have been configured for the specified user, the command displays detailed information about the user's role assignments, the availability of those role assignments, the user's effective rights, the audit level in effect, and the specific rights that have been granted.

You can also use the dzinfo program to test whether a user has the right to run specific commands. For more information about using dzinfo and the dzinfo command line options, see the dzinfo man page.
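The following script is an added example and is not part of the Delinea documentation or the dzinfo program. It shows one way to turn the per-user dzinfo check above into an access review over a list of users: it runs dzinfo for each user (as root, when reviewing other users), extracts each role with its Avail column and the audit level, and flags roles that are assigned but not currently available (for example, outside their time constraints). The embedded sample output is constructed to approximate the dzinfo layout and the column names Role Name, Avail, and Audit level are assumptions; compare the awk patterns against real dzinfo output on your own managed host before relying on them. When dzinfo is not installed, the script falls back to the constructed sample so it can be exercised offline.

```sh
#!/bin/sh
# Added example, not Delinea's code: review role availability and audit level for
# a list of users by parsing dzinfo output. SAMPLE_DZINFO_OUTPUT below is a
# CONSTRUCTED approximation of dzinfo's layout; verify against a real host.
# Run as root when querying users other than yourself.

SAMPLE_DZINFO_OUTPUT='User: sonya
Forced into restricted environment: No

Role Name            Avail  Restricted Env
---------            -----  --------------
UNIX Login/Global    Yes    None
db-admin/Global      No     None

Effective rights:
    Password login
    Non password login
    Allow normal shell

Audit level:
    AuditIfPossible
'

# Use the real dzinfo when it is installed; otherwise fall back to the
# constructed sample so the script runs on a host without the agent.
dzinfo_output() {
    if command -v dzinfo >/dev/null 2>&1; then
        dzinfo "$1"
    else
        printf '%s\n' "$SAMPLE_DZINFO_OUTPUT"
    fi
}

# Print "role<TAB>avail" for every row of the Role Name table. Role names may
# contain spaces, so the name is every column except the last two.
list_roles() {
    dzinfo_output "$1" | awk '
        /^Role Name/          { in_roles = 1; next }
        in_roles && /^-/      { next }
        in_roles && NF == 0   { in_roles = 0; next }
        in_roles {
            name = $1
            for (i = 2; i <= NF - 2; i++) name = name " " $i
            print name "\t" $(NF - 1)
        }'
}

# Exit 0 if USER currently has ROLE available (Avail is Yes), 1 otherwise.
has_role() {
    list_roles "$1" | awk -F '\t' -v want="$2" '
        $1 == want && $2 == "Yes" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the value on the line that follows the "Audit level:" header.
audit_level() {
    dzinfo_output "$1" | awk '/^Audit level:/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Summarise each user: audit level, then every assigned role and whether it is
# available now. A role with Avail = No is assigned but not usable at this
# moment (for example, outside its time constraints), which a review should flag.
audit_users() {
    tab="$(printf '\t')"
    for u in "$@"; do
        printf '%s: audit level %s\n' "$u" "$(audit_level "$u")"
        list_roles "$u" | while IFS="$tab" read -r role avail; do
            if [ "$avail" = "Yes" ]; then
                printf '  available   %s\n' "$role"
            else
                printf '  NOT AVAIL   %s\n' "$role"
            fi
        done
    done
}

# Usage: ./review_roles.sh user1 user2 ...   (defaults to the sample user sonya)
if [ $# -eq 0 ]; then set -- sonya; fi
audit_users "$@"
```

On a real host the script only reads what dzinfo already reports, so it does not change any assignment; the privilege it needs is the same root requirement dzinfo imposes for querying other users. Feed it the list of accounts from your access review and treat every NOT AVAIL line as something to explain: either an intentional time-constrained assignment or a stale role that should be removed.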