Required Permissions

- You can use a root user for managing your applications; however, SailPoint recommends that you use a minimum-permission user, for example a sudo user configured to manage your applications.
- If you want to use a sudo user to perform the operations, you must configure the sudo user with the rights and permissions to execute the following commands:
/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/bin/passwd, /usr/bin/faillog, /usr/bin/groups, /bin/rm -f spt_tmp_*, /bin/echo, /usr/bin/chage, /bin/cat /etc/shadow, /bin/cat /etc/passwd, /bin/cat /etc/group, /bin/cat /etc/pam.d/system-auth, /usr/bin/getent, /bin/grep, /usr/bin/awk, /usr/bin/id, /usr/bin/lastlog, /usr/sbin/pam_tally2, /sbin/pam_tally2, /bin/cat /etc/pam.d/password-auth, /bin/cat /etc/pam.d/common-account, /bin/cat /etc/pam.d/common-auth, /usr/bin/printf, /usr/sbin/faillock, /bin/cat /etc/security/faillock.conf

An entry in the /etc/sudoers file must look similar to the following:

username ALL = (root) PASSWD: /bin/chmod, /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/bin/passwd, /usr/bin/faillog, /usr/bin/groups, /bin/rm -f spt_tmp_*, /bin/echo, /usr/bin/chage, /bin/cat /etc/shadow, /bin/cat /etc/passwd, /bin/cat /etc/group, /bin/cat /etc/pam.d/system-auth, /usr/bin/getent, /bin/grep, /usr/bin/awk, /usr/bin/id, /usr/bin/lastlog, /usr/sbin/pam_tally2, /sbin/pam_tally2, /bin/cat /etc/pam.d/password-auth, /bin/cat /etc/pam.d/common-account, /bin/cat /etc/pam.d/common-auth, /usr/bin/printf, /usr/sbin/faillock, /bin/cat /etc/security/faillock.conf

Note

- All commands mentioned above are for the default configuration. If any of the commands are modified in the application definition, then you should also make similar changes in the /etc/sudoers file entry.
- Verify the command paths on Linux computers as they might differ from the values mentioned here.
- If you want to use a sudo user to handle provisioning operations, ensure that you grant them the proper write access for the home directory. If the sudo user is using the Guest home directory, then ensure it has proper write access for that directory as well.
- The /bin/chmod permission is not required, as the ISC Linux connector does not support target collector.

Read Only Permissions
If you want to use the sudo user to perform read-only operations, the sudo user must be configured with the following rights and permissions:

Rights to execute the following commands with root privilege:
/bin/echo, /bin/cat /etc/group, /bin/rm -f spt_tmp_*, /bin/cat /etc/passwd, /bin/grep, /bin/cat /etc/shadow, /bin/cat /etc/pam.d/system-auth, /bin/cat /etc/pam.d/password-auth, /usr/bin/faillog, /usr/sbin/pam_tally2, /sbin/pam_tally2, /usr/bin/lastlog, /usr/bin/awk, /usr/sbin/faillock, /bin/cat /etc/security/faillock.conf
Note

For a Linux server configured with pam_tally2 and Faillock, the following permissions are required:
- pam_tally2 – /usr/sbin/pam_tally2, /sbin/pam_tally2
- Faillock – /usr/sbin/faillock, /bin/cat /etc/security/faillock.conf

An entry in the /etc/sudoers file must look similar to the following:
username ALL = (root) PASSWD: /bin/echo, /bin/cat /etc/group, /bin/rm -f spt_tmp_*, /bin/cat /etc/passwd, /bin/grep, /bin/cat /etc/shadow, /bin/cat /etc/pam.d/system-auth, /bin/cat /etc/pam.d/password-auth, /usr/bin/faillog, /usr/sbin/pam_tally2, /sbin/pam_tally2, /usr/bin/lastlog, /usr/bin/awk

Rights to execute the following commands with root privilege:
/bin/echo, /bin/cat /etc/group, /bin/rm -f spt_tmp_*, /bin/grep

An entry in the /etc/sudoers file must look similar to the following:
username ALL = (root) PASSWD: /bin/echo, /bin/cat /etc/group, /bin/rm -f spt_tmp_*, /bin/grep
Note

If any of the commands are modified in the application definition, then you should also make similar changes in the /etc/sudoers file entry. Verify the command paths on Linux computers as they might differ from the values mentioned here.

Add the following permissions for read-only operations (Test Connection, Account Aggregation, Group Aggregation and single account aggregation):
newuser1 ALL= PASSWD: /usr/bin/awk, /bin/rm -f spt_tmp_*, /bin/cat /etc/shadow, /bin/cat /etc/passwd, /bin/cat /etc/group, /bin/grep, /bin/echo
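The following POSIX shell script is an added example and is not part of the SailPoint documentation or the connector. It builds the read-only sudoers entry shown above from a one-command-per-line list, syntax-checks the result with visudo when that tool is present, and compares the commands a user is actually granted (as reported by `sudo -l -U username`) against the required set, so that an incomplete grant (the connector will fail) or an over-broad one (more than least privilege) is caught before the connector is pointed at the host. The `sudo -l` output, the host name and the function names are my own constructions; the command list is the page's read-only set.

```shell
#!/bin/sh
# Added example, not part of the SailPoint documentation. Builds the read-only
# sudoers entry from the page's command list, syntax-checks it with visudo when
# that tool is available, and compares what a user is actually granted with the
# required set. Function names and sample data are constructed for this example.

# Required read-only command set from the page, one per line so that commands
# carrying arguments (e.g. "/bin/rm -f spt_tmp_*") survive intact.
READONLY_CMDS='/bin/echo
/bin/cat /etc/group
/bin/rm -f spt_tmp_*
/bin/cat /etc/passwd
/bin/grep
/bin/cat /etc/shadow
/bin/cat /etc/pam.d/system-auth
/bin/cat /etc/pam.d/password-auth
/usr/bin/faillog
/usr/sbin/pam_tally2
/sbin/pam_tally2
/usr/bin/lastlog
/usr/bin/awk'

# Constructed sample of "sudo -l -U username" output (not captured from a real
# host): the grant is missing /usr/bin/awk and carries an extra /bin/chmod.
SAMPLE_SUDO_L='User username may run the following commands on host1:
    (root) PASSWD: /bin/echo, /bin/cat /etc/group, /bin/rm -f spt_tmp_*, /bin/cat /etc/passwd, /bin/grep, /bin/cat /etc/shadow, /bin/cat /etc/pam.d/system-auth, /bin/cat /etc/pam.d/password-auth, /usr/bin/faillog, /usr/sbin/pam_tally2, /sbin/pam_tally2, /usr/bin/lastlog, /bin/chmod'

# sudoers_entry USER CMDS: one sudoers line in the form the page shows,
# "USER ALL = (root) PASSWD: cmd1, cmd2, ...".
sudoers_entry() {
    printf '%s ALL = (root) PASSWD: %s\n' "$1" \
        "$(printf '%s\n' "$2" | paste -s -d ',' - | sed 's/,/, /g')"
}

# entry_commands TEXT: the command list (one per line, sorted) from either a
# sudoers line or "sudo -l" output; both carry the list after "PASSWD:".
entry_commands() {
    printf '%s\n' "$1" | grep 'PASSWD:' | sed 's/^.*PASSWD: *//' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$' | sort
}

# check_least_privilege GRANTED REQUIRED: prints "MISSING <cmd>" for required
# commands the user lacks and "EXTRA <cmd>" for commands granted beyond the
# required set; returns 0 only when the two sets are identical.
check_least_privilege() {
    granted=$(printf '%s\n' "$1" | sort -u)
    required=$(printf '%s\n' "$2" | sort -u)
    status=0
    while IFS= read -r c; do
        [ -n "$c" ] || continue
        printf '%s\n' "$granted" | grep -Fxq -- "$c" \
            || { printf 'MISSING %s\n' "$c"; status=1; }
    done <<EOF
$required
EOF
    while IFS= read -r c; do
        [ -n "$c" ] || continue
        printf '%s\n' "$required" | grep -Fxq -- "$c" \
            || { printf 'EXTRA %s\n' "$c"; status=1; }
    done <<EOF
$granted
EOF
    return $status
}

# validate_entry LINE: write the entry to a temporary file and run
# "visudo -c -f" on it. Returns visudo's status; some visudo versions also
# fail check mode when the file is not root-owned with mode 0440, so run this
# on the real drop-in file (e.g. under /etc/sudoers.d) before relying on it.
validate_entry() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$f"; rc=$?
    else
        echo "visudo not found; syntax check skipped" >&2; rc=0
    fi
    rm -f "$f"
    return $rc
}

# Demonstration on the constructed sample.
entry=$(sudoers_entry username "$READONLY_CMDS")
printf 'Generated entry:\n%s\n\n' "$entry"
validate_entry "$entry" || echo "visudo reported a problem with the entry"
if check_least_privilege "$(entry_commands "$SAMPLE_SUDO_L")" "$READONLY_CMDS"; then
    echo "grant matches the required read-only set"
else
    echo "grant deviates from the required read-only set (see lines above)"
fi
```

On a real host, replace `SAMPLE_SUDO_L` with the output of `sudo -l -U username` and `READONLY_CMDS` with whichever of the page's command sets applies to the operations you enable; the comparison is exact on the full command string, so a path that differs on your distribution (for example a command living under /usr/bin rather than /bin) shows up as one MISSING and one EXTRA line, which is the same discrepancy the Note above asks you to verify.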
Supported Authentication Methods
The Linux connector supports username and password authentication for root and sudo users.