Monday, December 23, 2013

Basics: Centrify Roles 101 - UNIX Role Creation and Assignment

Centrify Roles

The Centrify Suite allows for the implementation of role-based access controls leveraging Active Directory.  In UNIX, these roles are implemented using AD, Authorization Manager, the base agent (dc or adclient) , the authorization client (dz or directauthorize) and Centrify-enhanced sudo.  In Windows (although out of scope for the initial blog postings) it uses the Centrify Agent.

PDCA method and Roles

The Plan-Do-Check-Adjust methodology is a perfect way to implement Centrify roles.  Use this framework to implement and maintain your roles.  Remember:  Access Controls is a CAPABILITY meaning that it's not a "set it and forget it" activity.  The attestation process is a great opportunity to review roles and see what can be done to tweak them.

Business Problem # 1 has a very basic set of roles.  They just need System Administrators and regular users.  You will see that as we implement more problems, we will tweak roles accordingly.

When (plan)ning for a role, ask yourself these questions:

Ask yourself



1. What is the role supposed to allowed do?

This is the functionality that you want to enable.  Use cases are great tools to view this. 

Contractor DBAs should be able to run the sqlplus command as the oracle account, all their work will be within SQL plus.

2. What is their UNIX experience? (controlled or flexible)

This question will define what kind of shell is provided to them (a white list or just regular commands plus their privilege commands)

 Contractor DBAs are regular unix users with one privileged command.

3. What is the role NOT supposed be allowed to do or know?

These are the controls or rules that are required by policy, security, regulation, methodology, etc.

Users should not know the oracle account password

4. Are there any time/day restrictions to this role?

This is the days/times that the role is available.

Contractor DBAs shall not log in over the weekends.

5. How is the role supposed to access the UNIX system?

These are the access protocols allowed.

DBAs should only have access via ssh.

6. Are there any particular platform implications?

These are exceptions based on the UNIX/Linux platform used.

Oracle databases are used on Solaris systems.  The SSH daemon is a fork called sshd-kbinit

7. Are any additional controls required when privileges are used?

Depending on the action or the nature of the role, you may require simple or complex authentication mechanisms to elevate.

Authentication is required to elevate.

8. Is this assignment temporary or permanent?

Is this role effective for a particular length of time?

Contactor DBAs will work from 3 months starting on Jan 1st 2014

9. What is the scope of this assignment?

This is a key question.  You need to determine if this role is applicable to all systems (zone), some systems (computer group), or a single system (system override).

Only Oracle systems.

10. Will this role be audited?

This is to turn capture/replay if required (A topic for Enterprise Edition)


11. Will we have a group of people or a single individual have this role?

Ideally you will always leverage AD Groups for role assignments because it just makes life much easier to manage, but there are instances in which performing a user assignment may be needed.

There is a group of 5 contractors, it is expected that this work may go beyond the original contract.

Creating (do) the Role 

  1. In ADUC.  Request or create an AD Security group
    In our example, the UNIX administrator has delegated rights and there is a Roles container for those groups.  It's important to have a good naming convention to understand the purpose of the group.  This is a temporary group that will be assigned at the computer role level, so something like:  UNIX Contractor DBAs is very descriptive.  Notice the UNIX in front of the name.  This is because you could have roles for Windows.
  2. In Access Manager/Zone/Authorization/UNIX System Rights review the PAM access rights.
    Centrify ships with some ssh PAM access roles, but based in our example, the Oracle ssh daemon is not listed.  This needs to be created.
  3. In Access Manager/Zone/Authorization/UNIX Commands create the command(s) required for the role.
    In our example, there's only one privileged command, the sqlplus command running as oracle with authentication required.
  4. In Access Manager/Zone/Authorization/Role Definitions, right-click Add and Configure the role.
    In our example, the contractors only work during weekdays and have a regular user experience.  Here you need to keep a good naming convention too.  UNIX-ContractorDBAs is a good name.
  5. In Access Manager/Zone/Authorization/Role Definitions, right-click the newly created role and select add rights. 
    Select the SSH PAM access rights and the newly created sqlplus-as-oracle command.
  6. In Access Manager/Zone/Authorization/Computer Roles.
    Assuming you have the corresponding computer role (in our example: Database servers), expand the group and right click Role-Assignment.

 Testing and verifying (Check) the Role

  1. Add a test user to the UNIX Contractor DBAs group.
  2. Attempt to access the system(s), verify that SSH access is allowed, but not any others.
  3. Verify the role by testing the account with dzinfo and dzdo.
  4. Verify the role by using the reports or User Effective rights facilities in Access Manager 

 (Adjust)ing the role

  1. Based on review or circumstances:
    E.g "Contractors now shall work on weekends"
  2. Change the role accordingly.
  3. Review your roles at least twice a year.
 From this point on, the RBAC is managed via AD group memberships, and the role can be tweaked based on the business needs.

No comments:

Post a Comment