Creating a Role Definition for a Shared Service Account

The root-equivalent role definition provides centralized management for a limited number of administrators who have permission to execute all commands on selected computers. Another common reason for defining a role is to execute privileged commands associated with a service account. In many organizations, service account passwords are known by multiple users, making them a security risk. For example, all of the database administrators in the organization might know the password for an oracle service account, an account with permission to perform privileged database operations. Because the password is shared information, it presents a security risk and a potential audit finding that might have costly consequences.

Setting up a role definition for a service account involves creating a command right for switching to the service account user and defining a PAM access right for the role.

Define the Right for Switching to a Service Account

The steps for defining a right for switching to the service account user are similar to defining the rights for the root-equivalent user, but the definition is more restrictive.

To define a right for switching to a service account:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new command right.

  3. Expand Authorization > UNIX Right Definitions.

  4. Select Commands, right-click, then click New Command.

  5. On the General tab, type a name for this command right and, optionally, a description, then define the right to switch to the service account. For example, if the service account is oracle:

    • Type su - oracle in the Command field.

    • Verify the Standard user path is selected.

  6. Click the Restricted Shell tab. Under Can be used in a restricted role, select Specific user or uid, then type root.

  7. Click the Run As tab and deselect Can be used by dzdo.

    These settings specify that this right can only be used in a restricted shell environment, where users can only run the commands that are explicitly allowed in the restricted role they are assigned. If this is the only right defined for a role, the only command users assigned to the role can run is su - oracle. To make a role definition with this right useful, add command rights for the specific database operations users should be allowed to perform after switching to the oracle service account. For example, if the oracle service account is used to run a backup-all-dbs script, you would add a right that allows execution of that script and nothing else.

  8. Click OK to use the default environment variable settings and command attributes.

    Alternatively, you can click the Environment and Attributes tabs if you want to view or set additional properties for this right definition.

Define a PAM Access Right to Allow Logging On

The default UNIX Login role allows users to log on, with or without a password, into an unrestricted environment. If you are creating a role for a service account, you can use PAM access rights to control which PAM-enabled applications users can use to log on. To illustrate controlling how users log on, this example of a restricted role for the oracle service account only allows users to log on with ssh.

To define a PAM access right for a specific application:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new PAM access right.

  3. Expand Authorization > UNIX Right Definitions.

  4. Select PAM Access, right-click, then click Add PAM Access Right.

  5. Type a name and, optionally, a description of the PAM application for which you are adding an access right.

    For the Application field, type the platform-specific name for the PAM application as defined in the PAM configuration file or PAM directory. For example, type ssh or sshd. Use the name exactly as the application registers it with PAM: OpenSSH on Linux uses the service name sshd (the file /etc/pam.d/sshd), so a literal ssh would not match it. You can also use wildcards in this field to perform pattern matching for the application name.

  6. Click OK to save the access right for this PAM-enabled application.
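Because the Application field is matched against the PAM service name, it is worth checking which names a pattern actually covers before saving the right. The following script is an added example, not part of this documentation or of the Delinea product; it treats the wildcard as a shell-style glob, which is an assumption about how Access Manager matches the field, and it uses a constructed list of service names in place of the contents of /etc/pam.d on a real host.

```shell
#!/bin/sh
# Added example (not Delinea code): preview which PAM service names an
# Application pattern would match. Assumption: the wildcard behaves like
# a shell-style glob.

# Constructed sample of service names, as they would appear as file names
# under /etc/pam.d on a typical Linux host. On a live host you could
# instead use the output of: ls /etc/pam.d
SAMPLE_PAM_SERVICES="sshd login su sudo cron other"

# pam_matches PATTERN NAME -> exit 0 if NAME matches the glob PATTERN.
pam_matches() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# pam_matching_services PATTERN [NAME...] -> prints the matching names,
# space-separated, on one line. With no names given it uses the sample.
pam_matching_services() {
    pattern=$1
    shift
    if [ $# -eq 0 ]; then
        set -- $SAMPLE_PAM_SERVICES
    fi
    out=""
    for name in "$@"; do
        if pam_matches "$pattern" "$name"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# A literal "ssh" matches nothing in the sample because OpenSSH registers
# with PAM as "sshd"; "ssh*" matches it, and "*" matches every service.
for p in ssh sshd 'ssh*' '*'; do
    printf '%-6s -> %s\n' "$p" "$(pam_matching_services "$p")"
done
```

The point of the preview is the last line of the loop: a bare * would let the PAM access right admit logins through every PAM-enabled application, which defeats the purpose of restricting the role to ssh. Prefer the exact service name, and use a wildcard only when you have confirmed the set of names it expands to on each platform.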

Create a Restricted Role Definition for the Service Account

After you have defined the rights that allow a user to log on using a PAM-enabled application and run the su - command for a service account, you can create a role definition for these rights. You must create a role definition somewhere in the zone hierarchy before you can assign users to the role.

To create a restricted role definition for switching to a shared service account:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new role definition.

  3. Expand Authorization.

  4. Select Role Definitions, right-click, then click Add Role.

  5. Type a name and description for the new role, then click OK.

    For example, type a name such as oracle_service and descriptive text such as Users with this role can start a secure shell session and switch to oracle.

    By default, this role is available at all times. You can click Available Times if you want to specify days of the week or select times of the day for making the role available.

  6. Click the System Rights tab and select at least one option that allows users assigned to this role definition to log on, then click OK.

    In this example, users open a secure shell to switch to the service account so you might select Non-password (SSO) login is allowed.

    If a service account instead of a user account is used to log on, it might be mapped to a disabled Active Directory account. In this case, you might select the Account disabled in AD can be used by sudo, cron etc system right to ignore the disabled state and allow the service account to log on.

  7. Select the new role definition, right-click, then click Add Right.

  8. Select the rights you defined for running the switch user (su -) command and logging on with the PAM application ssh, then click OK.

Assign an Active Directory Group to the Role

You should associate Delinea role definitions with Active Directory security groups so that you can manage them using the processes and procedures you have for managing Active Directory group membership. For example, create an Active Directory group named sanfrancisco_role_oracle. You can then assign the new role definition to that group.

To assign the role definition to an Active Directory group:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to assign the role definition.

  3. Expand Authorization.

  4. Select Role Assignments, right-click, then click Assign Role.

  5. Select the role definition you created for logging on with secure shell and switching to the service account, such as oracle_service, then click OK.

  6. Click Add AD Account to search for and select the Active Directory security group you created for the role definition.

    • Select Group as the object to find.

    • Optionally, type all or part of the group name.

    • Click Find Now.

    • Select the group you created for the role in the results, then click OK.

  7. Click OK to complete the assignment.

Working in a Restricted Shell Environment

When users who are assigned to this role want to open a secure shell session and switch to the oracle service account, they will be placed in a restricted shell environment. Within the restricted shell, they can only execute the commands you have added to the role definition until they exit the restricted shell session. In this example, the role definition only allows users to log on using ssh and execute one command, su - oracle. If those users are also assigned the UNIX Login role, they will have access to an unrestricted shell when they close the restricted shell session.

If you want users who access a shared service account to work exclusively within the restricted shell environment, you must remove the UNIX Login role assignment in the zone or on the computer where they should only have restricted shell access. Before removing the UNIX Login role assignment, however, you should consider the trade-off between improved operational security and audit compliance and reduced operational access. Depending on the rights you add to a role that runs in a restricted shell environment, the restricted shell can dramatically limit what users can do.

Testing Access in a Restricted Shell

If you create a role definition for a shared service account that runs in a restricted shell environment, you should test it before migrating any users to it. You can use the dzinfo command with the --test option from a UNIX command prompt. For example, type dzinfo, the user name to test, the --test option, then the full path to the command to test:

dzinfo raejames --test "/usr/bin/su - oracle"

You can also run the dzinfo command with the --roles option to see information about the rights defined for the current user or a specified user. For example, run the following command to check the roles and rights defined for the user raejames:

dzinfo raejames --roles

For more information about using this command, see the dzinfo man page.

What Users See in a Restricted Shell Environment

For users assigned to a role that runs in a restricted shell, logging on opens a dzsh shell. Within that shell users can only execute the commands you have explicitly defined for them. In this example scenario for a shared service account, typing su - oracle is the only allowed command. If the user types any other command, the shell reports that the command is not allowed.