Improving Security: Access and Privilege Management

Delinea provides its identity management, access control, and privilege management features for Linux and UNIX computers through a combination of features provided by Access Manager and by the Delinea Agent on the computers you want to manage.

You install Access Manager and the related management tools on one or more Windows computers. Access Manager is the central console for most identity management, access control, and privilege management tasks. From Access Manager, you can perform all of the following common administrative tasks:

  • Define and manage identity attributes for the Active Directory users who need access to Linux and UNIX computers.

  • Import and migrate UNIX users, groups, and network information from local configuration files and NIS maps.

  • Define and manage rights that allow users to run command-line programs, PAM applications, and secure shell operations.

  • Select rights to create role-based access control role definitions and assign those roles to the appropriate users and groups.

  • Delegate administrative tasks and control the specific permissions granted to users who are managing the computers in your organization.

For example, you can use Access Manager to delegate specific administrative tasks—such as the ability to add and remove users or assign roles—to a particular user or group. As an administrator, you can also use Access Manager to configure roles that have specific start and expiration dates or that limit the availability of a role to specific days of the week or hours of the day. You can use zones in combination with rights and roles to restrict or grant access to specific Linux and UNIX computers in your organization.

Through the use of zones and roles, Delinea provides granular control over who can do what, and control over where and when those users should be granted elevated privileges.

Consolidating User Account Information

Delinea enables you to consolidate all of your user and group account information in a single repository. By consolidating user account information, you can improve IT efficiency and overall operational security. For example, you can automate the provisioning of new accounts and the elimination of accounts that are no longer used without changes to your existing infrastructure or processes.

A single repository also enables you to establish consistent password policies for all of the computers you manage. For example, you can enforce consistent rules for password complexity and minimum length for all users on all computers. A single repository also benefits users, who only have to remember one password, regardless of the computer they use.

By using Delinea zones and override controls, you can migrate your entire user population without modifying any existing account attributes. For example, you can map multiple UNIX profiles with different identity attributes to a single user account, or resolve conflicts if the profiles for different users have the same identity attributes. This flexibility ensures that you can migrate legacy user accounts without changing any existing profile attributes, so that all of the existing directory and file ownership remains unchanged.

Over time, you can then continue to improve organizational security by eliminating legacy identity stores, directories, and databases, including all locally managed /etc/passwd files and local user accounts.
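The profile mapping and conflict resolution described above come down to two questions you have to answer before a migration: which people have different UNIX attributes on different hosts (they need per-computer or per-zone profile overrides so existing file ownership stays valid), and which UIDs are shared by different people (those must be resolved before identities are consolidated). The following is an added example of that pre-migration check; it is not Delinea's tooling, and the host names, passwd lines, UIDs and the login-to-account mapping are all constructed for illustration.

```python
"""Pre-migration check for consolidating local UNIX accounts (added example).

Constructed illustration, not Delinea's tooling: parse /etc/passwd entries
collected from several hosts, map each local login to the Active Directory
account it will become, and report (a) accounts whose UNIX attributes differ
between hosts and (b) UIDs that identify different people.  Host names,
logins, UIDs and the mapping below are made up.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Profile = Tuple[str, int, int, str, str]   # (login, uid, gid, home, shell)

# Constructed sample: passwd lines as gathered from two hosts.
PASSWD_BY_HOST = {
    "db01": [
        "root:x:0:0:root:/root:/bin/bash",
        "jonah:x:1001:1001:Jonah Smith:/home/jonah:/bin/bash",
        "priya:x:1002:1002:Priya N:/home/priya:/bin/bash",
    ],
    "web01": [
        "root:x:0:0:root:/root:/bin/bash",
        "jsmith:x:5001:5001:Jonah Smith:/home/jsmith:/bin/sh",
        "marco:x:1002:1002:Marco R:/home/marco:/bin/bash",
        "this line is not a passwd entry",
    ],
}

# Constructed mapping: (host, local login) -> Active Directory account.
LOCAL_TO_AD = {
    ("db01", "jonah"): "jonah@example.com",
    ("web01", "jsmith"): "jonah@example.com",   # same person, different local name and UID
    ("db01", "priya"): "priya@example.com",
    ("web01", "marco"): "marco@example.com",    # different person, shares UID 1002 with priya
}

def parse_passwd(lines: Iterable[str]) -> Iterable[Profile]:
    """Yield (login, uid, gid, home, shell) for each well-formed passwd line; skip the rest."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue   # malformed entries are skipped, never guessed at
        login, _pw, uid, gid, _gecos, home, shell = fields
        yield login, int(uid), int(gid), home, shell

def plan_migration(passwd_by_host, local_to_ad):
    """Return (profiles, uid_conflicts).

    profiles maps each AD account to {host: profile}; uid_conflicts lists
    (uid, frozenset of AD accounts) for every UID claimed by more than one person.
    Logins with no mapping (root, service accounts) are left alone.
    """
    profiles: Dict[str, Dict[str, Profile]] = defaultdict(dict)
    owners_by_uid: Dict[int, set] = defaultdict(set)
    for host, lines in passwd_by_host.items():
        for profile in parse_passwd(lines):
            account = local_to_ad.get((host, profile[0]))
            if account is None:
                continue
            profiles[account][host] = profile
            owners_by_uid[profile[1]].add(account)
    conflicts: List[Tuple[int, frozenset]] = sorted(
        ((uid, frozenset(owners)) for uid, owners in owners_by_uid.items() if len(owners) > 1),
        key=lambda c: c[0])
    return dict(profiles), conflicts

def needs_override(per_host: Dict[str, Profile]) -> bool:
    """True if one account's UNIX attributes are not identical on every host."""
    return len(set(per_host.values())) > 1

if __name__ == "__main__":
    profiles, conflicts = plan_migration(PASSWD_BY_HOST, LOCAL_TO_AD)
    for account, per_host in sorted(profiles.items()):
        tag = "per-host override needed" if needs_override(per_host) else "single profile"
        print(f"{account}: {tag}")
        for host, (login, uid, gid, home, shell) in sorted(per_host.items()):
            print(f"  {host}: {login} uid={uid} gid={gid} home={home} shell={shell}")
    for uid, owners in conflicts:
        print(f"UID {uid} is used by different people: {', '.join(sorted(owners))}")
```

Run it as a script to see the report. On the constructed data, jonah@example.com gets flagged for a per-host override (UID 1001 on db01, UID 5001 on web01), and UID 1002 is reported as a conflict between priya@example.com and marco@example.com; the malformed line on web01 is skipped rather than guessed at.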

Defining Role-based Access Rights

Role-based access rights are more flexible than UNIX group membership rights and easier to define than user specifications in a sudoers configuration file. Role-based access rights can be narrowly applied or broadly inherited across any number of computers. You can restrict when role-based rights can be used by defining roles that are available only on certain days of the week or only during specific hours of the day. You can also make role assignments temporary by setting a date and time for the assignment to start or expire. For example, you might give the user Jonah elevated privileges to run administrative commands in the Backup Operators role for a period of two weeks while the primary backup administrator is on vacation.

Role-based access rights also remove the need to share passwords for privileged accounts such as root, helping to ensure accountability. Users who need to run privileged commands can either temporarily elevate their privileges in an unrestricted login shell or be required to run the commands in a tightly controlled restricted shell, in either case without being prompted for the administrative password. All of their privileged or restricted shell activity can be traced to the account they used to log on.
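To make the Jonah scenario concrete, the following is an added example that models the decision a time-bounded role assignment implies: a role carries command rights plus an optional day-of-week and hour-of-day window, an assignment grants that role to a user with an optional start and expiry, and a command is permitted only when the assignment is active, the role's window is open, and the command matches one of the role's rights. This is illustration only, not Delinea's implementation; the class names, the `allowed` function, the "Backup Operators" rights and the dates are all assumptions.

```python
"""Time-bounded, role-based command rights: a constructed model (added example).

Not Delinea's implementation.  Role, Assignment, allowed() and the sample
"Backup Operators" data are assumptions made to show how a role window and
an assignment window combine.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class Role:
    name: str
    commands: tuple                        # glob patterns of permitted command lines
    days: frozenset = frozenset(range(7))  # weekdays the role is usable, 0=Mon .. 6=Sun
    hours: range = range(0, 24)            # hours of the day the role is usable

@dataclass(frozen=True)
class Assignment:
    user: str
    role: Role
    start: Optional[datetime] = None       # inclusive; None means already effective
    expire: Optional[datetime] = None      # exclusive; None means never expires

def assignment_active(a: Assignment, now: datetime) -> bool:
    """True if `now` lies inside the assignment's [start, expire) window."""
    if a.start is not None and now < a.start:
        return False
    if a.expire is not None and now >= a.expire:
        return False
    return True

def role_available(r: Role, now: datetime) -> bool:
    """True if the role's day/hour window is open at `now` (evaluated in now's zone)."""
    return now.weekday() in r.days and now.hour in r.hours

def allowed(assignments, user: str, command: str, now: datetime) -> Optional[str]:
    """Return the name of the first role that lets `user` run `command` at `now`, else None.

    `now` must be timezone-aware: comparing an aware start/expiry against a
    naive local timestamp raises, and silently mixing zones would stretch or
    shorten a grant by the UTC offset.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    for a in assignments:
        if a.user != user or not assignment_active(a, now) or not role_available(a.role, now):
            continue
        if any(fnmatchcase(command, pattern) for pattern in a.role.commands):
            return a.role.name
    return None

def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper: build an aware UTC timestamp for the examples below."""
    return datetime(year, month, day, hour, tzinfo=UTC)

BACKUP_OPERATORS = Role(
    name="Backup Operators",
    commands=("/usr/sbin/backup *", "/usr/sbin/restore *"),
    days=frozenset(range(0, 5)),   # Monday to Friday
    hours=range(18, 23),           # 18:00 to 22:59
)

# Constructed data: Jonah covers for the primary backup administrator for two weeks.
ASSIGNMENTS = (
    Assignment("jonah", BACKUP_OPERATORS,
               start=at(2024, 6, 3),      # Monday
               expire=at(2024, 6, 17)),   # two weeks later, exclusive
)

if __name__ == "__main__":
    cmd = "/usr/sbin/backup --full /srv"
    for when in (at(2024, 6, 5, 19),    # Wednesday, inside the role window
                 at(2024, 6, 5, 9),     # Wednesday, outside the hours
                 at(2024, 6, 8, 19),    # Saturday, outside the days
                 at(2024, 6, 20, 19)):  # Thursday, assignment has expired
        print(when.isoformat(), allowed(ASSIGNMENTS, "jonah", cmd, when))
```

Two design points worth carrying into a real deployment: the expiry is exclusive and evaluated against an aware timestamp, so a grant cannot quietly outlive its window by a time-zone offset, and every decision returns the role that granted it, which is the attribution the text relies on for accountability.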