Working with Command Rights
Command rights allow you to use commands to perform specific operations. The most basic rights such as the right to log in are defined when your administrator defines roles. Other, more granular command rights control access to individual command-line programs.
Using Command Rights in a Standard Shell
Command rights are assigned to you so that you can perform privileged operations that are not available to you by default.
On most UNIX and Linux computers, commands that require elevated permissions can be run by invoking the sudo command. The Verify Privilege Server Suite Agent provides similar functionality, but the commands are instead invoked using the dzdo command, then typing the command to execute, including any command-line options that you are allowed to use.
For example, assume your administrator has defined a command right for adjoin that enables you to execute the command as the root user. If this right is added to a role that has been assigned to you, you can execute the command by typing the following:
dzdo adjoin
Using Command Rights in a Restricted Shell Environment
Verify Privilege Server Suite provides a customized Bourne shell, dzsh, to serve as a restricted shell environment that is used to limit what commands you can execute for certain roles. For most operations, working in the dzsh shell is similar to working in an unrestricted shell except that the command set is limited to the command rights added by the administrator.
After your administrator has defined command rights, added them to role definitions, and assigned the roles to you, you can execute those commands in a restricted shell environment by typing the command, including any command-line options you are allowed to use. When you are finished running the command, you can switch back to your standard shell if you have the appropriate login right on that computer.
For example, assume that on your own computer, you can run the adinfo command in the standard shell, but you need to execute the command on a computer that is not yours. Your administrator has assigned you a role, AdminADinfo that grants you a UNIX login right and a right that requires you to run the adinfo command in a restricted shell on the computer you need to access. You must switch to this role to run the command on the specified computer. To do this, you log in to the computer you want to access and select the role your administrator has assigned to you. If you are a member of the zone Headquarters, you would type the following:
$ dzsh
$ role AdminADinfo/Headquarters
$ adinfo
Running Unauthorized Commands
If your administrator has assigned you to a role that requires a restricted shell environment, the dzsh shell allows you to run only the subset of commands to which you have rights. If you attempt to run a command you are not authorized to use in your current role, the shell displays a warning.
Setting or Changing your Active Role
If you are assigned only to one or more restricted shell environment roles, you are only allowed to run commands within the dzsh shell. Within the restricted shell, you can only be in one active role at a time to prevent ambiguity about the commands you can run or what account should be used to execute those commands.
For example, if you are assigned the lab_staff restricted shell environment role that specifies that the tar command should run as root, and also the temps restricted shell environment role that specifies that the tar command should be run as the account tmp_admin, you need to specify which role you are using to run the tar command under the proper account.
You can see what roles are assigned to you, as well as switch between roles, using the role command. For example, to view the list of roles to choose from, you would type:
$ role -ls
To choose the lab_staff role, you would type:
$ role lab_staff