Creating a role definition for temporary root access

Another common use case for role definitions occurs when you want to provide temporary access to privileged commands. For example, you might want to provide temporary root-level access to an application developer troubleshooting a problem on a production server or to a consultant you’ve hired for a specific period of time. These types of role definitions are often used as overrides on individual computers.

The steps for creating a role definition with temporary root access are similar to the steps for creating the other roles, except that you specify time constraints for the role. The time constraints might include specific hours of the day, days of the week, or a start and end time for a role assignment. The next sections summarize the steps for creating a role with temporary root-level access.

Define a Command that Allows Root Access

The steps for defining a right for switching to the root user are similar to defining the right to run commands for the root-equivalent user, but Delinea recommends you create a separate right definition for this case.

To create the right to switch to the root user:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new command right.

  3. Expand Authorization > UNIX Right Definitions.

  4. Select Commands, right-click, then click New Command.

  5. On the General tab, type a name, such as emergency_access, for this command right and, optionally, a description for this right, then define the right to switch to the root user:

    • Type the command for switching to the root user. For example, type su - root in the Command field.

    • Verify Standard user path is selected.

  6. Click the Restricted Shell tab and verify Can be used in a restricted role and User running the command are selected.

    These options enable you to use this command right in combination with other rights in a role definition that requires a restricted shell environment.

  7. Click the Run As tab and verify Can be used by dzdo and Any user are selected, then click OK.

    In most cases, you can leave the default settings for the other properties. If you want to make changes, click the Environment and Attributes tabs before saving the new command.

Create a Role Definition for Temporarily Running as Root

After you have defined the right to switch to the root user, you can create a role definition for that right.

To create a role definition with the right to run the emergency_access command:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new role definition.

  3. Expand Authorization.

  4. Select Role Definitions, right-click, then click Add Role.

  5. Type a name and description for the new role.

    For example, type a name such as emergency_access and descriptive text such as Users with this role can temporarily run commands with root privileges.

  6. Click Available Times to specify days of the week or select times of the day for making the role definition available.

    For example, you might want to allow access only on Friday, Saturday, and Sunday and deny access the rest of the week. After you have set the days and times for the role definition to be available, click OK.

  7. Click OK to save the role definition.

  8. Select the new role definition, right-click, then click Add Right.

  9. Select the emergency_access command you defined for switching to the root user, then click OK.

    To use this role, a user must be assigned to the UNIX Login role for the zone or a role definition that has at least one UNIX system right, such as Password login and nonpassword (SSO) login are allowed.

Assign the Role as a Computer-Level Override

In most cases, a role definition of this type is assigned to a specific computer rather than applied to all computers in a zone.

To make a role assignment on an individual computer:

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name that contains the computer for which you want to define a computer-level role assignment.

  3. Expand Computers, then select the specific computer on which you want to make a role assignment.

  4. Select Role Assignments, right-click, then click Assign Role.

  5. Select the role definition you created for temporary root access, such as emergency_access, then click OK.

  6. Click Add AD Account to search for and select the Active Directory user who should have temporary root access:

    • Leave User as the object to find.

    • Optionally, type all or part of the user name.

    • Click Find Now.

    • Select the user in the results, then click OK.

  7. Deselect Start immediately and set a specific Start time for the role assignment.

  8. Deselect Never expire and set a specific End time for the role assignment.

  9. Click OK.

Verify the Role Assignment on the Computer

You can run dzinfo --roles or dzinfo username --roles to see if the emergency_access role is available based on the start time for the role definition and the local time of the Linux or UNIX computer.

At the specified start time for the role assignment on the local computer, the user you assigned to the emergency_access role can type the following command:

dzdo su - root

The user is not prompted to provide the password and becomes the root user on the local computer until the specified role assignment end time. The one caveat to be aware of is that the user would continue to have root access after the specified end time if the shell session remains open continuously. If a user is still logged on after the time period has expired, you should check whether the user still requires root-level access. If the session has remained open but the user should no longer have root access, kill the session and log the user off.
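The caveat above (an open root shell outliving the role assignment's end time) can be checked for on the computer itself. The following is an added example written for this page, not Delinea's own tooling and not dzinfo output: it scans ps output for su - root processes (the command the emergency_access right allows) that were started before the assignment's end time and are still running after it. It assumes Linux procps, which provides the etimes column, and uses constructed sample process lines and timestamps. Attributing a root shell back to the Active Directory user still requires the login session or the dzdo audit records, so the script reports sessions for review rather than terminating them.

```shell
#!/bin/sh
# Added audit check (not Delinea tooling): list root shells started through the
# emergency_access command ("su - root") that are still open after the role
# assignment's end time. Assumes Linux procps, which provides `ps -o etimes`
# (elapsed seconds since the process started).
#
# Input (stdin): one process per line as produced by
#   ps -eo pid=,etimes=,user=,args=
# Arguments: END_EPOCH (role assignment end, Unix time) and NOW_EPOCH (current Unix time).
# Output: one line per lingering session: "<pid> <user> started=<epoch> end=<epoch>".
lingering_root_sessions() {
    end_epoch=$1
    now_epoch=$2
    # Nothing can linger before the assignment has expired.
    [ "$now_epoch" -gt "$end_epoch" ] || return 0
    while read -r pid etimes user args; do
        # Keep only the su process the emergency_access right allows.
        case "$args" in
            "su - root"|"su - root "*) ;;
            *) continue ;;
        esac
        start_epoch=$((now_epoch - etimes))
        # Session was opened while the assignment was valid and is still alive now.
        if [ "$start_epoch" -lt "$end_epoch" ]; then
            printf '%s %s started=%s end=%s\n' "$pid" "$user" "$start_epoch" "$end_epoch"
        fi
    done
}

# Constructed sample of ps output (not captured from a real system):
# pid 4242 is an su - root shell opened two hours ago, pid 4300 one opened a
# minute ago, pid 5100 an ordinary login shell.
SAMPLE_PS='4242 7200 root su - root
4300 60 root su - root
5100 9000 alice -bash'

# Walk-through with constructed timestamps: the assignment ended at 1700000000
# and it is now one hour later, so only pid 4242 is reported.
printf '%s\n' "$SAMPLE_PS" | lingering_root_sessions 1700000000 1700003600

# On a live host, feed real process data instead of the sample, e.g. (GNU date):
#   ps -eo pid=,etimes=,user=,args= \
#     | lingering_root_sessions "$(date -d '2024-06-14 18:00' +%s)" "$(date +%s)"
```

Run the check shortly after each assignment's end time; any PID it prints is a session to review and, if the user no longer needs root access, to close as the last paragraph describes.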