
How to configure eTrust Access Control when using SSH


Article ID: 54104


Updated On:


CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent


Non-privileged users are being seen as root by the system, incorrectly allowing the users to run ALL AutoSys commands with full permissions.
  1. Using SSH, log in remotely to a Solaris AutoSys server as a user with no eTrust Access Control granted rights
  2. The Unix commands 'id' and 'whoami' return the correct logged-in username
  3. The eAC command 'sewhoami' returns 'root'
  4. This allows the non-privileged user to impersonate 'root' and issue any AutoSys commands with full permissions.


Workload Automation
Privileged Identity Manager (A.K.A. eTrust Access Control, Control Minder, PIM, PAM SC).


This issue occurs when SSHD is not defined as a default login method in PIM.


To update the default SSH login method, run the following command as a PIM Administrator (Note: root is usually a PIM admin), where 'full path to login binary' points to the SSHD daemon (e.g. /usr/lib/ssh/sshd):

# selang -c "er loginappl SSHD loginpath(<full path to login binary>) owner(nobody) defacc (x)"

Note: If there are any spaces in the SSHD path, surround it with single quotes (e.g. '/usr/path with spaces/ssh/sshd')
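
The following shell helpers are an added example, not part of the original article or of the product. They build the selang rule string shown above with the quoting from the note, and compare the OS username with the one 'sewhoami' reports after the change. The function names are hypothetical, and the example assumes 'sewhoami' prints only the username.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Print the selang rule from the article for a given sshd path.
# Paths with spaces are wrapped in single quotes, as the article's note says.
build_loginappl_cmd() {
    path=$1
    case $path in
        /*) ;;
        *) echo "error: loginpath must be an absolute path" >&2; return 2 ;;
    esac
    case $path in
        *"'"*|*'"'*) echo "error: quote character in path" >&2; return 2 ;;
    esac
    case $path in
        *" "*) path="'$path'" ;;
    esac
    printf 'er loginappl SSHD loginpath(%s) owner(nobody) defacc (x)\n' "$path"
}

# Return 0 when the OS username and the eAC username agree, 1 otherwise.
identity_matches() {
    os_user=$1
    eac_user=$2
    [ -n "$os_user" ] && [ "$os_user" = "$eac_user" ]
}

# Live check for the current SSH session: compares 'whoami' with 'sewhoami'.
# Assumption: sewhoami prints only the username on standard output.
check_session() {
    command -v sewhoami >/dev/null 2>&1 || {
        echo "sewhoami not found in PATH" >&2; return 3; }
    os_user=$(whoami)
    eac_user=$(sewhoami)
    if identity_matches "$os_user" "$eac_user"; then
        echo "OK: eAC sees this session as $eac_user"
    else
        echo "MISMATCH: OS user is $os_user, eAC user is $eac_user" >&2
        return 1
    fi
}

# Usage (as a PIM administrator, then from a non-privileged SSH session):
#   selang -c "$(build_loginappl_cmd /usr/lib/ssh/sshd)"
#   check_session
```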


Additional Information

Additional Information on PIM's selang utility: