Sample of an AC policy which would allow you to be able to surrogate?

Article ID: 263134


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Implementation question regarding surrogate policies

Would you have an example of an AC policy which would allow you to surrogate to a local Unix account but to no other one? Or a link with some hints?

Environment

Release : 4.1

Cause

The official documentation is at:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-2/pam-server-control/Administrate-PAM-SC/endpoint-administration-for-unix/safe-user-substitution.html

Resolution

Finally implemented the following policy:

er PROGRAM /opt/CA/PAMSC/bin/sesu owner(nobody) defaccess(N) trust
auth PROGRAM /opt/CA/PAMSC/bin/sesu xgid(******) acc(A)
er SURROGATE USER._default defaccess(n)
er SURROGATE USER.root defacc(n)
auth SURROGATE USER.root xgid(*******) acc(A)
er SURROGATE USER.ans defacc(n)
auth SURROGATE USER.ans xuid(*****) acc(a)
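To review a policy like the one above before applying it, the following added shell script (not from the article and not part of PAM Server Control) parses the SURROGATE records of a selang policy file and prints, per target account, the default access and every explicit xuid/xgid grant, warning when USER._default is not set to defaccess(n); the sample policy inside it uses constructed group and user names in place of the article's masked values.

```shell
#!/bin/sh
# Added example (not from the KB article or PAM Server Control): summarise the
# SURROGATE rules of a selang script. It understands only the
# 'er SURROGATE ... defacc(x)' and 'auth SURROGATE ... xuid()/xgid() acc(x)' forms.

surrogate_policy_report() {   # $1 = selang policy script
    awk '
    $1 == "er" && $2 == "SURROGATE" {
        if (match($0, /defacc(ess)?\([^)]*\)/)) {
            d = substr($0, RSTART, RLENGTH)
            sub(/^[^(]*\(/, "", d); sub(/\)$/, "", d)
            def[$3] = tolower(d)          # default access for this target
        }
        seen[$3] = 1
    }
    $1 == "auth" && $2 == "SURROGATE" {
        who = "?"; acc = "?"
        if (match($0, /x(uid|gid)\([^)]*\)/)) who = substr($0, RSTART, RLENGTH)
        if (match($0, /acc(ess)?\([^)]*\)/)) {
            a = substr($0, RSTART, RLENGTH)
            sub(/^[^(]*\(/, "", a); sub(/\)$/, "", a)
            acc = tolower(a)
        }
        grants[$3] = grants[$3] " " who ":" acc   # explicit grant on this target
        seen[$3] = 1
    }
    END {
        # without a deny on USER._default, undefined accounts keep default access
        if (!("USER._default" in def) || def["USER._default"] != "n")
            print "WARNING: USER._default lacks defaccess(n)"
        for (n in seen) {
            d = (n in def) ? def[n] : "unset"
            g = (n in grants) ? substr(grants[n], 2) : "none"
            printf "%s default=%s grants=%s\n", n, d, g
        }
    }' "$1" | LC_ALL=C sort
}

# Constructed sample policy (placeholder group/user names); prints the report.
tmp=$(mktemp) || exit 1
cat > "$tmp" <<'EOF'
er SURROGATE USER._default defaccess(n)
er SURROGATE USER.root defacc(n)
auth SURROGATE USER.root xgid(pam_admins) acc(A)
er SURROGATE USER.ans defacc(n)
auth SURROGATE USER.ans xuid(deploy) acc(a)
EOF
surrogate_policy_report "$tmp"
rm -f "$tmp"
```

Lines other than er/auth SURROGATE (such as the PROGRAM rules for sesu) are ignored, so run it on the full policy file as-is.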