Adding Specific PAM Access Rights
PAM access rights control who can access specific PAM-enabled applications in the zone where they are created and any child zones of that zone. You can add as many PAM Access rights as you need to identify the specific PAM-enabled applications users can access. For example, you can add PAM access rights to control who can use file transfer protocol (ftp) services on specific computers.
If you want to grant rights to specific PAM applications, however, you must know the appropriate application name on the specific computers you support. For example, if you want to allow Active Directory users to log on and use a default shell, you might create a PAM access right for the login program and for a graphical desktop manager such as gdm.
What to do before creating a new access right
Before creating a new PAM access right, you should review the operating system of the computers in the zone where you plan to create the new right. The application name might be different on computers with different operating systems. If you are creating separate rights for individual PAM applications, keep in mind that users must have at least one PAM access right or they will not be able to log on to any computers.
Rights required for this task
You can create new PAM access rights if you have been delegated the “Manage roles and rights” administrative task in the Zone Delegation Wizard. If you have not been delegated this task, your user account must be a domain user with the following permissions:
| Select this target object | To apply these permissions |
|---|---|
| Authorization | Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData |
| msDS-OpObjectContainer (this object is listed under a globally unique identifier (GUID) for the Authorization object) | On the Object tab, select Allow to apply the following permissions to this object: Create msDS-AzOperation objects. Click the Properties tab, then select Allow for the following properties: Read objectClass |
Who should perform this task
In most cases, a UNIX administrator or a delegated zone administrator familiar with PAM applications and the operating system of the managed computers performs this task, depending on your organization’s policies.
How often you should perform this task
It is common to add new PAM access rights over time as the need arises and as you develop more granular control over the specific rights different users should be granted.
Steps for completing this task
The following instructions illustrate how to add a PAM access right using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Delinea Windows API are available in other guides, the Delinea Software Developer’s Kit, or in community forums on the Delinea website.
To define a PAM access right using Access Manager:
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name that will contain the new PAM access right.
- Expand Authorization, then expand UNIX Right Definitions.
- Select PAM Access, right-click, then click Add PAM Access Right.
- Type a name for the access right.

  The name of the access right can be the same as the PAM application name, or any name that is easily identifiable.
- Type the name of the PAM-enabled application for which you want to create an access right.

  You can use wildcards to perform pattern matching for the application name. For example, you can specify *ftp* to match all PAM-enabled applications containing the string ftp, such as vsftpd, ftpd, and ftp.

  The Application Name field supports glob pattern matching syntax. For example, the name can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). For more detailed information about using wildcard patterns and glob syntax, see the glob man page.

  You should note that application names vary depending on the local operating system where the application is accessed. For example, the following table lists several common PAM-enabled applications and the appropriate application name to use on different platforms.
| For this application | On | Use this name |
|---|---|---|
| telnet | Common Linux platforms, such as Red Hat, Debian, SuSE, Centos, and Ubuntu, HP-UX, and Irix | login |
| telnet | Sun Solaris | telnet |
| telnet | VMware ESX, Oracle Linux, Scientific Linux | remote |
| ftp | Common Linux platforms, such as Red Hat, Oracle Linux, and Scientific Linux, and VMware ESX | vsftpd |
| ftp | Some Linux platforms, such as Debian, Centos, and Ubuntu, Sun Solaris, HP-UX, Irix | ftp |
| graphical desktop | Common Linux platforms, such as Red Hat, Debian, Oracle Linux, Centos, Scientific Linux, and Ubuntu | gdm |
| graphical desktop | Sun Solaris and HP-UX | dtlogin |
| graphical desktop | SuSE and Irix | xdm |
| ssh | Most platforms | sshd |
| ssh | Debian and Ubuntu | ssh |
- Type an optional description of the access right.
- Click OK to save the PAM access right.
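Because the Application Name field matches with glob syntax and the same application answers to different PAM service names on different platforms, it is worth checking a proposed pattern against every platform in the zone before saving the right: a pattern can silently miss a platform (users there get no access) or match more services than intended. The following is an added example, not code from the Delinea documentation or product. It uses Python's fnmatch module as a stand-in for the field's glob matching (?, *, [...]), takes the platform-to-name pairs from the table above, and treats the zone's platform list and the list of other PAM services present in the zone as constructed sample data.

```python
"""Check a PAM access right pattern against the PAM application names in a zone.

Added example (not Delinea's code). Glob matching is emulated with fnmatch,
which supports ?, * and [...] the way the Application Name field is described.
"""
from fnmatch import fnmatchcase

# (application, platform) -> PAM service name, taken from the platform table above.
PAM_SERVICE_NAMES = {
    ("telnet", "Red Hat"): "login",
    ("telnet", "Debian"): "login",
    ("telnet", "Sun Solaris"): "telnet",
    ("telnet", "VMware ESX"): "remote",
    ("ftp", "Red Hat"): "vsftpd",
    ("ftp", "Debian"): "ftp",
    ("ftp", "Sun Solaris"): "ftp",
    ("graphical desktop", "Red Hat"): "gdm",
    ("graphical desktop", "Debian"): "gdm",
    ("graphical desktop", "Sun Solaris"): "dtlogin",
    ("graphical desktop", "SuSE"): "xdm",
    ("ssh", "Red Hat"): "sshd",
    ("ssh", "Sun Solaris"): "sshd",
    ("ssh", "Debian"): "ssh",
}

# Constructed sample: every PAM service name that exists somewhere in the zone.
ZONE_SERVICES = ["login", "telnet", "remote", "sshd", "ssh", "vsftpd", "ftp",
                 "gdm", "xdm", "sudo", "su", "passwd", "cron"]


def matches(pattern, app_name):
    """True if the PAM application name matches the glob pattern.

    fnmatchcase is case-sensitive; '*' also matches the empty string, as the
    field description says.
    """
    return fnmatchcase(app_name, pattern)


def required_names(application, platforms):
    """PAM service names a right must cover for `application` on every platform
    in the zone. A platform missing from the table raises KeyError, which is the
    'review the operating systems first' step made explicit."""
    return {PAM_SERVICE_NAMES[(application, platform)] for platform in platforms}


def coverage(pattern, application, platforms, zone_services):
    """Evaluate a proposed pattern for a zone.

    Returns (missing, unintended): required names the pattern does not match
    (users on those platforms get no access), and other services in the zone the
    pattern would also grant (the right is broader than intended).
    """
    needed = required_names(application, platforms)
    missing = {name for name in needed if not matches(pattern, name)}
    unintended = {svc for svc in zone_services
                  if svc not in needed and matches(pattern, svc)}
    return missing, unintended


def has_any_pam_right(patterns, services_on_host):
    """A user needs at least one PAM access right matching a service on the host,
    otherwise they cannot log on to it at all."""
    return any(matches(p, s) for p in patterns for s in services_on_host)


if __name__ == "__main__":
    platforms = ["Red Hat", "Sun Solaris", "VMware ESX"]  # constructed zone
    for pattern in ("login", "*", "[lrt]*"):
        missing, unintended = coverage(pattern, "telnet", platforms, ZONE_SERVICES)
        print(f"{pattern!r}: missing={sorted(missing)} unintended={sorted(unintended)}")
```

Running the report shows the trade-off in practice: `login` covers only the Linux hosts, `*` covers every telnet name but also grants sudo, su, passwd and every other service in the zone, and a character-class pattern such as `[lrt]*` happens to cover all three names with no extra hits in this sample zone but would silently widen as new services are installed. Separate rights per platform name, or one pattern reviewed against the zone's actual service list, is the safer choice.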
What to do next
After you define a new PAM access right, you might want to create a new role definition and add this right to it in the current zone or in a child zone. You must add the right to a role to test its operation.