Customizing Environment Variables for Command Execution

You can customize the environment variables used during command execution in both the non-restricted and restricted shell environments. For example, if a command is executed using a specific user or service account that requires environment variables that are not defined for the user invoking a command, you can define those environment variables as part of the command right definition.

If you want to configure the environment variables to use for a command right, click the Environment tab. You can then select one of the following options:

  • Reset environment variables

  • Remove unsafe environment variables

  • Add environment variables

Resetting environment variables

Select Reset environment variables if you want to define the list of environment variables to set when the user runs the command. Only the environment variables you explicitly specify are retained; they replace the default set of environment variables rather than being appended to it. You can use Access Manager or the dzdo.env_* configuration parameters in the centrifydc.conf file to control the list of environment variables to use when executing commands. For example, you can set the dzdo.env_keep configuration parameter in the centrifydc.conf file to keep a specific set of environment variables like this:

dzdo.env_keep: VAR

With this setting, VAR is the only environment variable in the list of environment variables to keep. All other environment variables, including the default list of user environment variables, such as PATH and KRB5CCNAME, are removed.

If you select this option, click Edit to specify the environment variables to retain from the user’s environment in a comma-separated list. Click Add, type the environment variable name, then click OK for each environment variable you want to retain.

Removing environment variables

Select Remove unsafe environment variables if you want to remove a specific set of unsafe environment variables when the user runs the command. The list of unsafe environment variables is defined by the dzdo.env_delete configuration parameter in the centrifydc.conf file. Note that only the environment variables you explicitly specify are removed.

If you select this option, click Edit to specify the environment variables to remove from the user’s environment in a comma-separated list. Click Add, type the environment variable name, then click OK for each environment variable you want to remove.

Adding environment variables

Select Add environment variables to define new environment variables to add when the user runs the command. Enter variables in a comma-separated list in the form name=value, or click Edit then Add to add new variables and values. You can add new variables regardless of which of the other options you select.
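
The following added example is not Centrify code. It is a small Python model of how the three options described above differ: Reset keeps only the listed names, Remove drops only the listed names, and added variables are present in either case. The function names, the mode strings, the sample environment, and the assumption that added variables are applied last are all illustrative.

```python
# Illustrative model only, not Centrify code. All names here are hypothetical.

def parse_names(csv):
    """Split a comma-separated list of variable names, ignoring blanks."""
    return [n.strip() for n in csv.split(",") if n.strip()]

def parse_assignments(csv):
    """Split a comma-separated list of name=value pairs into a dict."""
    pairs = {}
    for item in parse_names(csv):
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"expected name=value, got {item!r}")
        pairs[name] = value
    return pairs

def build_env(user_env, mode, names="", add=""):
    """Return the environment the command would see in this model.

    mode "reset":  keep only the listed names (an allowlist).
    mode "remove": drop only the listed names (a denylist).
    Added variables are applied last (an assumption of this model).
    """
    listed = set(parse_names(names))
    if mode == "reset":
        env = {k: v for k, v in user_env.items() if k in listed}
    elif mode == "remove":
        env = {k: v for k, v in user_env.items() if k not in listed}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    env.update(parse_assignments(add))
    return env

# Constructed sample environment for the invoking user.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "KRB5CCNAME": "FILE:/tmp/krb5cc_1000",
    "LD_PRELOAD": "/tmp/hook.so",
    "VAR": "1",
}

def demo():
    reset = build_env(SAMPLE_ENV, "reset", names="VAR", add="ORACLE_HOME=/opt/oracle")
    removed = build_env(SAMPLE_ENV, "remove", names="LD_PRELOAD")
    return reset, removed

if __name__ == "__main__":
    for label, env in zip(("reset", "remove"), demo()):
        print(label, sorted(env))
```

In the reset case PATH and KRB5CCNAME are gone along with everything else not listed, so a command that depends on them needs them in the keep list or added explicitly; in the remove case anything not named in the delete list passes through unchanged.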