Defining Rights to Run Privileged Commands

The most common reason for creating a command right is to allow users to execute commands that require privileges not granted to a standard UNIX user account. For example, you might want to grant some users permission to run Delinea command-line programs that require root privileges to better manage their own computers.

Defining command rights that grant elevated privileges is similar to granting access to privileged commands using the sudoers configuration file and the sudo program.

Steps for completing this task

The following instructions illustrate how to define a command right to execute a command with elevated privileges. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Delinea Windows API are available in other guides, the Delinea Software Developer’s Kit, or in community forums on the Delinea website.

To define a command right for privileged access

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name where you want to define a command right.

  3. Expand Authorization and UNIX Right Definitions, then select Commands.

  4. Right-click, then click New Command.

  5. On the General tab, type a short descriptive name for the command right, and optionally, a more detailed description for the command right.

    The privileged command name is required and must not be more than 63 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (“).

  6. Type the command you want to add.

    The Command field is required and should include any parameters or options, if needed. You can also use wild cards or a regular expression to specify commands matching a particular pattern.

  7. Select the type of pattern matching to use for the “Command” and “Specific path” fields.

    • Select Glob expressions to use glob pattern matching syntax for wild cards.

    • Select Regular expressions to use extended regular expression pattern matching.

      For more information about pattern matching, see Selecting the pattern matching syntax.

  8. Select an appropriate path for matching the command on the different operating environments you support.

    • Select Standard user path to use the local operating system’s common set of user directories to find the command.

    • Select Standard system path to use the directories the root user would normally get on the local operating environment to find the command.

    • Select System search path if you want to search for the command in a predefined set of locations. The search locations are defined using the dzdo.search_path configuration parameter. If you select System search path and the dzdo.search_path parameter is not defined, the current user’s path is used to search for the command.

    • Select Specific path if you want to define a custom set of locations for finding the command specified. If you select this option, you can specify one or more paths, separated by a colon.

      If you are specifying a path, the path must start with a forward slash (/) unless you are matching all paths (*). For example, if the command you specify is ls and you set the path to *, the ls command from any path is allowed.

      If you set both the “Command” field and the “Specific path” field to match all strings (*), any command from any path is allowed.

  9. Specify an integer that determines the priority of the command — the lower the number, the higher the priority.

    If more than one command right matches the command a user invokes, the priority value determines which command right takes precedence.

  10. Click the Run As tab, then select Can be used by dzdo to allow the command to be added to a role for privileged execution.

  11. Select the user or group accounts that can be used to execute the command.

    • Select Any User if any standard user account can be used to execute the command with dzdo.

    • Select One of the following users, uids, groups or gids if you want to specify one or more users or groups that can be used to execute the command with dzdo.

      In most cases, the local root account is the appropriate account to use because it allows ordinary users to execute the specified command using root account privileges. However, you can click Add to add other users, groups, or service accounts that can be used to execute the command. Use the format #UID for UID values, %group for group names, or %#GID for GID values.

      The account used to execute commands can be an Active Directory user with a UNIX profile in the zone or a local UNIX user account. However, the account used to log on and invoke the command using dzdo must be associated with an Active Directory account.

      Optionally, you can specify the primary groups that can be used when executing the command using dzdo:

    • Select Any Group if any group can be used as the primary group when executing the command with dzdo.

    • Select One of the following groups, then click Add if you want to specify the groups that can be used as the primary group when executing this command with dzdo.

      You can also configure commands to be executed using dzdo in a restricted shell environment. For this example, however, the command right is only used in a nonrestricted shell environment.

  12. Click OK to save the new command right.

    In most cases, you can use the default settings for environment variables and execution attributes.
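As an added illustration (not Delinea's own code or its actual matching implementation), the following Python model captures the rules described in steps 6 through 11: glob or regular-expression matching of the Command field, the colon-separated Specific path list where `*` allows any path, the "lower number wins" priority, and a check that flags rights where both Command and Specific path are `*`. The class, function and sample right names are assumptions.

```python
from __future__ import annotations
import fnmatch
import re
from dataclasses import dataclass, field

# Model of the command-right matching rules in the procedure above.
# This is an added illustration, not Delinea code: a right matches an
# invocation when its Command pattern matches the command line and the
# directory the command lives in is one of the allowed paths.

@dataclass(order=True)
class CommandRight:
    priority: int                                   # lower number = higher priority
    name: str = field(compare=False)
    command: str = field(compare=False)             # Command field, including any parameters
    paths: str = field(compare=False, default="*")  # colon-separated Specific path list, or "*"
    regex: bool = field(compare=False, default=False)  # False = glob expressions
    run_as: str = field(compare=False, default="root")

    def allows_path(self, directory: str) -> bool:
        if self.paths == "*":                       # "*" matches all paths
            return True
        for p in self.paths.split(":"):
            if not p.startswith("/"):               # paths must start with a forward slash
                raise ValueError(f"{self.name}: path {p!r} must start with '/'")
            if p.rstrip("/") == directory.rstrip("/"):
                return True
        return False

    def matches(self, command_line: str, directory: str) -> bool:
        if self.regex:
            hit = re.fullmatch(self.command, command_line) is not None
        else:
            hit = fnmatch.fnmatchcase(command_line, self.command)
        return hit and self.allows_path(directory)


def resolve(rights: list[CommandRight], command_line: str, directory: str):
    """Return the matching right with the lowest priority number, or None."""
    hits = [r for r in rights if r.matches(command_line, directory)]
    return min(hits) if hits else None


def overly_broad(rights: list[CommandRight]) -> list[str]:
    """Names of rights whose Command and Specific path both match everything."""
    return [r.name for r in rights if r.command == "*" and r.paths == "*"]


RIGHTS = [  # constructed sample rights for the example
    CommandRight(10, "restart-web", "systemctl restart httpd", "/bin:/usr/bin"),
    CommandRight(20, "any-systemctl", "systemctl *", "/bin:/usr/bin"),
    CommandRight(90, "everything", "*", "*"),
]
```

Running `overly_broad(RIGHTS)` reports the "everything" right, which is the any-command-from-any-path case the procedure warns about.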

Creating a role to run commands with elevated privileges

On most Linux and UNIX computers, you can identify commands that require elevated permissions, who can run those commands, and where different users or groups can run the commands using a sudoers configuration file. Users who have been granted the appropriate permissions can run privileged commands by invoking the sudo command.

Delinea provides similar functionality, but the commands are configured by defining command rights, adding the rights to the appropriate roles, and assigning the roles to different users and groups. Users who have been assigned the appropriate roles can then run privileged commands by invoking the dzdo command.

If users are assigned the predefined UNIX Login role, they have access to all of the standard command-line programs that are available to ordinary UNIX users. You can create a separate role for commands that run using root or another privileged user account. Alternatively, you can combine command rights and system rights in a custom role definition or by adding the command rights to the default UNIX Login role.

Command rights that allow users to execute commands with elevated privileges should only be added to roles with the Login with Non-Restricted Shell system right.

Users must execute command rights that grant elevated privileges using the dzdo command. If you selected the Re-authenticate current user option as an execution attribute when defining a command right, users must also provide the password for their own account, their own password and one or more other forms of authentication, or the types of authentication determined by the authentication profile configured in Privileged Access Service, which might or might not involve providing a password.

If you selected the Re-authenticate using the target user’s password option as an execution attribute when defining a command right, users must also provide the password for the account used to execute the command.

To create a role that can execute commands with elevated privileges, do the following:

  • Create command rights for the privileged commands users are allowed to run.

  • Create a new role definition and set the System Rights for the role to allow password login, nonpassword login, or both, and select the Login with Non-Restricted Shell option, then click OK to save the role definition.

  • Right-click the role, select Add Right, then select login-all or a specific PAM access right and the privileged command rights users are allowed to run, then click OK to save the changes to the role definition.

For more information about creating, assigning, and testing custom role definitions, see Customizing command execution attributes.