Administrator Permissions

AIX sources support the aggregation of sudoer commands for accounts and groups. The /etc/sudoers file contains the user permissions.
Prerequisites:
- The admin user must have permissions to execute the /usr/bin/awk command. You must update the /etc/sudoers file entry for the admin user with the /usr/bin/awk command.
- You must add the new multi-valued schema attribute, sudoCommands, which collects all the necessary user commands and stores them, to the user and group schemas.
- If you want to aggregate the sudo commands from multiple sudo files, then you must provide the list of files as a separate config attribute in the source config XML. For example, you can use:
  <entry key="sudoCmdFiles" value="/etc/sudoers.d/special_user.conf,/etc/sudoers.d/special_group.conf"/>
Note
The default command that collects the sudo commands is:
awk '/^[^#]/' /etc/sudoers
In this example, commented lines are skipped and the remaining content of the /etc/sudoers file is aggregated into a temporary file on the AIX host.
If you want to use a custom command for aggregating file data, you can configure this command as part of the source config XML. For example, you can use:
- Key – sudoUserCommand
- Value – awk '/^[^#]/' /etc/sudoers

If you want to use the sudo user to perform only read-only operations, it must be configured with the following rights and permissions.
For Account Aggregation only
Rights to execute the following commands with root privilege:
/usr/sbin/lsuser, /bin/echo, /bin/rm -f spt_tmp_*
An entry in the /etc/sudoers file should look similar to the following:
username ALL = (root) PASSWD : /usr/sbin/lsuser, /bin/echo, /bin/rm -f spt_tmp_*
For Entitlements Aggregation only
Rights to execute the following commands with root privilege:
/usr/sbin/lsgroup, /bin/echo, /bin/rm -f spt_tmp_*
An entry in the /etc/sudoers file should look similar to the following:
username ALL = (root) PASSWD : /usr/sbin/lsgroup, /bin/echo, /bin/rm -f spt_tmp_*
Important
If you modify any of the commands in the application definition, then you'll need to make the same changes in the /etc/sudoers file. Verify command paths on AIX computers as they might differ from the values mentioned here.
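
An added example, not part of the vendor documentation: a shell check that compares a user's sudoers entry with the account or entitlements aggregation command lists above and reports required commands that are missing and granted commands that are not required. It assumes single-line entries in the form shown on this page (no aliases or line continuations); the account name svc_agg, the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sudoers file against the command lists on this page.
# Assumes single-line entries in the "user ALL = (root) PASSWD : cmd, cmd" form
# shown above (no aliases, no line continuations).

required_cmds() {   # $1 = account | entitlement
    case "$1" in
        account)     printf '%s\n' /usr/sbin/lsuser  /bin/echo '/bin/rm -f spt_tmp_*' ;;
        entitlement) printf '%s\n' /usr/sbin/lsgroup /bin/echo '/bin/rm -f spt_tmp_*' ;;
        *) return 2 ;;
    esac
}

granted_cmds() {    # $1 = sudoers file, $2 = user; one granted command per line
    # Same comment filter as the default collection command, then split the list.
    awk '/^[^#]/' "$1" | awk -v u="$2" '$1 == u {
        sub(/^[^:]*:[ \t]*/, "")                 # drop "user ALL = (root) PASSWD :"
        n = split($0, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) { sub(/[ \t]+$/, "", c[i]); if (c[i] != "") print c[i] }
    }'
}

missing_cmds() {    # required for mode $3 but not granted to user $2 in file $1
    required_cmds "$3" | while IFS= read -r cmd; do
        granted_cmds "$1" "$2" | grep -Fxq -- "$cmd" || printf '%s\n' "$cmd"
    done
}

extra_cmds() {      # granted to user $2 in file $1 but not required for mode $3
    granted_cmds "$1" "$2" | while IFS= read -r cmd; do
        required_cmds "$3" | grep -Fxq -- "$cmd" || printf '%s\n' "$cmd"
    done
}

sample_sudoers() {  # constructed sample; "svc_agg" is a hypothetical account
    cat <<'EOF'
# aggregation service account
svc_agg ALL = (root) PASSWD : /usr/sbin/lsuser, /bin/echo, /usr/bin/passwd

#svc_agg ALL = (root) PASSWD : /bin/rm -f spt_tmp_*
EOF
}

tmp=$(mktemp) && sample_sudoers > "$tmp"
echo "missing: $(missing_cmds "$tmp" svc_agg account)"
echo "extra:   $(extra_cmds "$tmp" svc_agg account)"
rm -f "$tmp"
```

For a read-only account, any line reported as extra is a command the entry grants beyond what that aggregation mode needs.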

Rights to execute the following commands with root privilege:
/usr/sbin/lsuser, /usr/sbin/lsgroup, /usr/bin/chmod, /usr/bin/mkuser, /usr/sbin/userdel, /usr/bin/chuser, /usr/bin/chgroup, /usr/bin/mkgroup, /usr/sbin/rmgroup, /usr/bin/passwd, /bin/rm -f spt_tmp_*, /bin/echo, /usr/bin/pwdadm, /usr/bin/awk
An entry in the /etc/sudoers file should look similar to the following:
username ALL = (root) PASSWD: /usr/sbin/lsuser, /usr/sbin/lsgroup, /usr/bin/chmod, /usr/bin/mkuser, /usr/sbin/userdel, /usr/bin/chuser, /usr/bin/chgroup, /usr/bin/mkgroup, /usr/sbin/rmgroup, /usr/bin/passwd, /bin/rm -f spt_tmp_*, /bin/echo, /usr/bin/pwdadm, /usr/bin/awk