Creating a Root-Equivalent Role Definition

Most organizations require at least one root user role definition that is equivalent to specifying ALL:ALL in a sudoers file or giving users access to the root password on their computers. The purpose of this role definition is to allow selected users to execute privileged commands on a regular basis. The role definition allows them to execute commands without being given the root password or having privileges hard-coded in individual sudoers files on multiple computers.

Because this role definition enables system administrators to execute privileged commands without the root password, you can improve security for the organization and reduce the chance of an audit finding for access to the root password.

You can create this role definition in a parent zone or a child zone to control its scope. In most cases, you should only assign the role in a child zone or on individual computers.

Define the Right for Running All Commands

Rights and roles are defined at the zone level and inherited down the zone hierarchy. If you define a right in the top-level zone, it is available in all child zones. If you define a right in a child zone, it can be used in that zone and any of its child zones. Similarly, you can define roles in the top-level parent or any child zone, depending on where you want to make the role available. In this example, the right to run all commands as the root user is defined in a top-level parent zone.

The following instructions illustrate how to define a right for running all commands using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Delinea Windows API are available in other guides, the Delinea Software Developer’s Kit, or in community forums on the Delinea website.

To define a right for running all commands as root:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new command right.

    For this example, select the top-level parent zone so that this command right is available in all child zones.

  3. Expand Authorization > UNIX Right Definitions.

  4. Select Commands, right-click, then click New Command.

  5. On the General tab, type a name for this command right and, optionally, a description for this right, then define the right to run all commands like this:

    • Type an asterisk (*) in the Command field to indicate all commands are allowed.

    • Select Specific path and type an asterisk (*) in the field to indicate that any path is allowed.

  6. Click the Restricted Shell tab and deselect the Can be used in a restricted role option if you want to prevent this command from being used in a role that uses a restricted shell environment.

  7. Click the Run As tab to verify the command can be used with dzdo and is set to run as root by default.

  8. Click OK to use the default environment variable settings and command attributes.

    Alternatively, you can click the Environment and Attributes tabs if you want to view or set additional properties for this right definition.

Create a Role Definition For Running All Commands

After you have defined the right to allow a user to run any command with root privileges, you can create a role definition for that right. You must create a role definition somewhere in the zone hierarchy before you can assign users to the role.

To create a role definition with the right to run all commands as root:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the role definition.

  3. Expand Authorization.

  4. Select Role Definitions, right-click, then click Add Role.

  5. Type a name and description for the new role, then click OK.

    For example, type a name such as root_equivalent and descriptive text such as Users with this role can run any command with root privileges.

    Optionally, you can select Allow local accounts to be assigned to this role if you want to assign both Active Directory users and local users to the role. This option is only available when you first create a role definition. You can also click Available Times if you want to limit when the role is available for use. By default, roles are available at all times.

    If you are using the UNIX Login role to grant access to computers in the zone and want to use the default auditing level of Audit if possible, you can click OK then skip to Step 8.

  6. If you are not assigning the UNIX Login role to grant access to computers, click the System Rights tab and select the following options:

    • Password login and non-password (SSO) login are allowed

    • Non-password (SSO) login is allowed

    • Login with non-Restricted Shell

      Note that you cannot set these system rights if you selected the option to allow local users to be assigned to this role.

  7. If you don’t want to use the default auditing level, click the Audit tab.

    • Select Audit not requested/required if you have the auditing service enabled but don’t want to audit user activity when this role is used.

    • Select Audit if possible to audit user activity where you have the auditing service enabled.

    • Select Audit required to always audit user activity. If the auditing service is not available, users in this role are not allowed to log on.

  8. Select the new role definition, right-click, then click Add Right.

  9. Select the right you defined for running all commands as root, then click OK.

Assign an Active Directory Group to the Role

You should associate Delinea role definitions with Active Directory security groups so that you can manage them using the processes and procedures you have for managing Active Directory group membership. For example, create an Active Directory group named sanfrancisco_role_rootequivalent. You can then assign the new role definition to that group.

To assign the role definition to an Active Directory group:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to assign the role definition.

  3. Expand Authorization.

  4. Select Role Assignments, right-click, then click Assign Role.

  5. Select the role definition you created for root-level access, such as root_equivalent, then click OK.

  6. Click Add AD Account to search for and select the Active Directory security group you created for the role.

    • Select Group as the object to find.

    • Optionally, type all or part of the group name.

    • Click Find Now, then select the group you created for the role in the results and click OK.

  7. Click OK to complete the assignment.
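The scoping rules that run through the three procedures above (a right or role defined in a zone is visible in that zone and every child zone, a role assignment takes effect only in the zone where it is made and below, and the Audit required level refuses logon when the auditing service is unavailable) can be checked with a small model. The following Python is an added example written for this page; it is not Delinea product code and does not use the Delinea API. The zone names, the command path and the lookup rules are constructed assumptions that model the behaviour described above, and the group name is the page's own sanfrancisco_role_rootequivalent example.

```python
"""Toy model of zone-scoped command rights, roles and role assignments.

Added example for this page, not Delinea code: it models the behaviour the
procedures above describe (rights and roles inherited down the zone tree,
role assignments scoped to the zone where they are made, and the audit-level
logon rule) so the scope of a root-equivalent role can be checked.
"""
import posixpath
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

AUDIT_NOT_REQUESTED = "not_requested"   # auditing service may run, activity is not audited
AUDIT_IF_POSSIBLE = "if_possible"       # audit wherever the service is available
AUDIT_REQUIRED = "required"             # no auditing service, no logon


@dataclass
class CommandRight:
    """A UNIX command right; '*' in command or path means 'any', as on the General tab."""
    name: str
    command: str = "*"      # glob matched against the command's basename
    path: str = "*"         # '*' for any path, otherwise the exact directory
    run_as: str = "root"    # Run As default from the right definition

    def allows(self, command_path: str) -> bool:
        directory, basename = posixpath.split(command_path)
        return fnmatch(basename, self.command) and (self.path == "*" or directory == self.path)


@dataclass
class Role:
    name: str
    audit_level: str = AUDIT_IF_POSSIBLE
    rights: list = field(default_factory=list)   # CommandRight objects added via "Add Right"


@dataclass
class Zone:
    name: str
    parent: Optional["Zone"] = None
    rights: dict = field(default_factory=dict)        # right name -> CommandRight
    roles: dict = field(default_factory=dict)         # role name -> Role
    assignments: list = field(default_factory=list)   # (role name, AD group name)

    def lineage(self):
        """This zone, then each parent up to the top-level zone."""
        zone = self
        while zone is not None:
            yield zone
            zone = zone.parent

    def find_right(self, name: str) -> CommandRight:
        """Rights defined in a zone are visible in that zone and every child zone."""
        for zone in self.lineage():
            if name in zone.rights:
                return zone.rights[name]
        raise KeyError(f"right {name!r} is not defined in or above zone {self.name!r}")

    def find_role(self, name: str) -> Role:
        """Roles follow the same inheritance rule as rights."""
        for zone in self.lineage():
            if name in zone.roles:
                return zone.roles[name]
        raise KeyError(f"role {name!r} is not defined in or above zone {self.name!r}")

    def effective_roles(self, groups: set) -> list:
        """Roles assigned to any of the user's AD groups in this zone or an ancestor zone."""
        found = []
        for zone in self.lineage():
            for role_name, group in zone.assignments:
                if group in groups:
                    found.append(zone.find_role(role_name))
        return found


def can_run_as_root(zone: Zone, groups: set, command_path: str) -> bool:
    """True if some effective role carries a right that runs this command as root."""
    return any(
        right.run_as == "root" and right.allows(command_path)
        for role in zone.effective_roles(groups)
        for right in role.rights
    )


def logon_permitted(role: Role, auditing_available: bool) -> bool:
    """The Audit tab rule: 'Audit required' refuses logon when the auditing service is down."""
    return not (role.audit_level == AUDIT_REQUIRED and not auditing_available)


def build_example():
    """Constructed zone tree: right and role in the parent, assignment in one child only."""
    corp = Zone("corp")                                # constructed top-level parent zone
    sanfrancisco = Zone("sanfrancisco", parent=corp)   # constructed child zones
    newyork = Zone("newyork", parent=corp)
    corp.rights["run_all_as_root"] = CommandRight("run_all_as_root", command="*", path="*")
    role = Role("root_equivalent", audit_level=AUDIT_REQUIRED)
    role.rights.append(sanfrancisco.find_right("run_all_as_root"))   # resolved via inheritance
    corp.roles[role.name] = role
    # Assign in the child zone only, as the page recommends, to the page's example AD group.
    sanfrancisco.assignments.append(("root_equivalent", "sanfrancisco_role_rootequivalent"))
    return corp, sanfrancisco, newyork


if __name__ == "__main__":
    corp, sf, ny = build_example()
    admins = {"sanfrancisco_role_rootequivalent"}
    print("SF admin runs useradd as root:", can_run_as_root(sf, admins, "/usr/sbin/useradd"))
    print("same group in the New York zone:", can_run_as_root(ny, admins, "/usr/sbin/useradd"))
    print("logon with auditing down:", logon_permitted(sf.find_role("root_equivalent"), False))
```

The point the model makes visible is that the place where the assignment is made, not where the right or role is defined, decides which computers a root-equivalent group can reach: the same group resolves to the role in the sanfrancisco zone and to nothing in newyork, even though both inherit the right and the role from corp.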