Monday, December 23, 2013

Lab # 6: Role Creation and Assignment

In this lab
  • We will create the PAM access rights required for our roles
  • We will create a privileged command for the system administrators
  • We will create and configure the roles
  • We will assign the roles to the appropriate Groups in AD.
Planning for the lab
We will use the PDCA methodology outlined in the previous basics post to address business problem #1, in which we agreed that there will be 3 groups of users: System Admins, Web Server Users and Database Server Users. After the PDCA table-top exercise, the Security, UNIX and Windows leads came up with this table:

Planning Question (answered for each role: Super User / Regular User)

What is the role supposed to be allowed to do?
    Super User:   To allow super users to perform actions as root
    Regular User: To allow the member to perform user activities
What is their UNIX experience? (controlled or flexible)
    Super User:   Flexible
    Regular User: Flexible
What is the role NOT supposed to be allowed to do or know?
    Super User:   Users don’t need to know the root password
    Regular User: No privileged commands
Are there any time/day restrictions to this role?
    Super User:   No restrictions
    Regular User: No restrictions
How is the role supposed to access the UNIX system?
    Super User:   All protocols including the console
    Regular User: SSH access only
Are there any particular platform implications?
    Super User:   None
    Regular User: SOL1 uses the sshd-kbdinit fork
Are any additional controls required when privileges are used?
    Super User:   Authentication required
    Regular User: N/A
Is this assignment temporary or permanent?
    Super User:   Permanent
    Regular User: Permanent
What is the scope of this assignment?
    Super User:   All Systems (Zone)
    Regular User: Database Servers for DB Users; Web Servers for web users
Will this role be audited?
    Super User:   Yes
    Regular User: Yes
Will a group of people or a single individual have this role?
    Super User:   Group: UNIX System Admins
    Regular User: Groups: UNIX Database Server Users, UNIX Web Server Users


Create the Oracle Solaris SSH daemon PAM access right
  1. Log on to CLIENT1 as Jessie Matthews
  2. Open Access Manager and navigate to the HQ zone/Authorization/UNIX Rights, right click PAM Access and select Add PAM access right.
  3. Create the SSH daemon PAM access right for Solaris. The name and application is sshd-kbdinit. Press OK.
Create Privileged Command for the System Administrators
This command should allow system admins to run any command as super user, with the requirement that the action is authenticated with their AD password.
  1. In Access Manager, navigate to the HQ zone/Authorization/UNIX Rights, right click PAM Access and select New Command.
  2. In the General tab, name the command (e.g. run any command as root), and in the command box, type the wildcard character (*); in Match Path, select Specific path, and type the wildcard again. This makes it *.*
  3. In the Restricted Shell tab, uncheck the checkbox.
  4. In the Run As tab, make sure the root account is selected
  5. In the Attributes tab, make sure you check the "Authentication Required" box and select the user's password.  Press OK.
Create the UNIX System Admin role
  1. In Access Manager, navigate to the HQ zone/Authorization/UNIX Rights, right click Role Definitions and select Add Role.
  2. In the General Tab, give the role a name  (UNIX System Admins)
  3. In the System Rights, UNIX rights section, check:
    Password login and non-password (SSO) login are allowed
    Non-Password (SSO) is allowed
    Login with a Non-Restricted Shell
  4. Press OK
    Now the role is created, but it doesn't have any rights.
  5. Right-click on the newly created role, and select Add Right.  Check the following:
    login-all:  this will enable the role to log in via any PAM module including the console.
    run any command as root: this is the previously created privileged command.

    Then press OK.
  6. This role is complete.
Create the UNIX Regular User role
  1. In Access Manager, navigate to the HQ zone/Authorization/UNIX Rights, right click Role Definitions and select Add Role.
  2. In the General Tab, give the role a name  (UNIX Regular User)
  3. In the System Rights, UNIX rights section, check:
    Password login and non-password (SSO) login are allowed
    Non-Password (SSO) is allowed
    Login with a Non-Restricted Shell
  4. Press OK
    Now the role is created, but it doesn't have any rights.
  5. Right-click on the newly created role, and select Add Right.  Check the following:
    ssh:  ssh daemon for Debian and Ubuntu
    sshd: ssh daemon for all Linux and UNIX distributions except for above
    sshd-kbdinit: ssh daemon for Solaris

    Then press OK.
  6. This role is complete.
Assign the Roles
Remember - sysadmins manage all systems; DB and Web Server users can only sign-in to their Server Groups.
  1. In Access Manager, navigate to the HQ zone/Authorization, right click Role Assignments and select Assign Role. Select the UNIX System Admin role and press OK.
  2. Click AD Account and in the Find drop box, select Group.
  3. In the Name box, type UNIX and press Find. In the results, select the UNIX Super Users group and press OK twice.
    Note: before performing the following assignments, make sure you have created the corresponding AD security groups.
  4. Expand the Computer Roles node, then expand the Database Servers group, right click Role assignments and select Assign Role.  Select the UNIX Regular User role and press OK.
  5. Click AD Account and in the Find drop box, select Group.
  6. In the Name box, type UNIX and press Find. In the results, select the UNIX Database Servers Users group and press OK twice.
  7. Repeat 4-6 for Web Servers.  Use the same role (UNIX Regular User) and assign it to the UNIX Web Server users AD Group.
Process Reuse
From this point on, assigning (or removing) roles in UNIX is done by adding (or removing) users in those groups in AD. You can use ADUC, PowerShell, Access Manager, VBScript or anything else that can manipulate groups in AD.
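As an added example (not part of the original post), here is the "Process Reuse" step done from PowerShell with the RSAT ActiveDirectory module: each of the three AD groups the lab assigned a role to is mapped to its scope, and small functions grant, revoke, check and report membership. The account name jdoe is a constructed placeholder; the group names are the ones used in the assignment steps above. Running this assumes a domain-joined Windows host, the ActiveDirectory module installed, and an account permitted to modify those groups.

```powershell
# Added example, not from the original lab. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Scope (from the planning table) -> AD group that the Access Manager role
# assignment points at. Group names are the ones used in the lab steps.
$ScopeGroups = @{
    'All Systems'      = 'UNIX Super Users'            # UNIX System Admins role
    'Database Servers' = 'UNIX Database Servers Users' # UNIX Regular User role
    'Web Servers'      = 'UNIX Web Server users'       # UNIX Regular User role
}

function Grant-UnixRole {
    # Give a user the role for a scope by adding them to the backing AD group.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('All Systems','Database Servers','Web Servers')]
        [string]$Scope
    )
    $group = $ScopeGroups[$Scope]
    Add-ADGroupMember -Identity $group -Members $SamAccountName
    Write-Verbose "Added $SamAccountName to '$group' ($Scope)"
}

function Revoke-UnixRole {
    # Remove the role by removing the user from the backing AD group.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('All Systems','Database Servers','Web Servers')]
        [string]$Scope
    )
    $group = $ScopeGroups[$Scope]
    Remove-ADGroupMember -Identity $group -Members $SamAccountName -Confirm:$false
    Write-Verbose "Removed $SamAccountName from '$group' ($Scope)"
}

function Test-UnixRole {
    # $true if the user holds the role for the scope, including via nested groups.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('All Systems','Database Servers','Web Servers')]
        [string]$Scope
    )
    $members = Get-ADGroupMember -Identity $ScopeGroups[$Scope] -Recursive |
               Where-Object { $_.objectClass -eq 'user' } |
               Select-Object -ExpandProperty SamAccountName
    return [bool]($members -contains $SamAccountName)
}

function Get-UnixRoleReport {
    # One row per (scope, user): who can log in where. This is the evidence for
    # the "Will this role be audited? Yes" answer in the planning table.
    foreach ($scope in $ScopeGroups.Keys) {
        Get-ADGroupMember -Identity $ScopeGroups[$scope] -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Scope = $scope
                    Group = $ScopeGroups[$scope]
                    User  = $_.SamAccountName
                }
            }
    }
}

# Usage with a constructed sample account:
Grant-UnixRole -SamAccountName 'jdoe' -Scope 'Web Servers'
Test-UnixRole  -SamAccountName 'jdoe' -Scope 'Web Servers'   # expected: True
Get-UnixRoleReport | Sort-Object Scope, User | Format-Table -AutoSize
```

Two points worth keeping in mind when this replaces console clicks: the report should be run and reviewed periodically (that is the Check in PDCA, not a one-time step), and a membership change only takes effect on a UNIX host once the Centrify agent has picked up the user's new group membership, so test with a fresh logon rather than an existing session.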

We have performed the Plan-Do.  In a later post we will perform the Check-Adjust.
