
Role-based Policy

Role-based Policy has been implemented to simplify the definition of policy for administrators. Policies are kept within structured records in a database, simplifying maintenance, decreasing system load, increasing throughput, and providing a comprehensive REST API to integrate policy management with existing customer systems and procedures, including simplified bulk import/export of data. Once the customers' data is held within the Role Based Policy database it is much easier to provide management information, such as user entitlement reports. The policy data is grouped into users, hosts, commands, time/dates, and roles detailed in the schema below.

Database schema

User groups

User groups define groups of users and/or wildcard patterns that match usernames:

CREATE TABLE usergrp (
   id INTEGER PRIMARY KEY,
   name TEXT,
   description TEXT,
   disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
   type CHAR(1) CHECK (type IN ('I','E')),           -- I=Internal, E=external
   single INTEGER CHECK(single BETWEEN 0 AND 1),
   extinfo TEXT,                                     -- external lookup info
   UNIQUE (name, id));

CREATE TABLE userlist (
   id INTEGER,
   user TEXT, -- "glob" wildcard
   PRIMARY KEY(id,user),
   FOREIGN KEY(id) REFERENCES usergrp(id) DEFERRABLE INITIALLY DEFERRED);

Each user group has one or more user list entries, each a username or a glob wildcard. The same group can be matched against the submit user or the run user; which one is decided by the role that references the group (the type column of roleusers).

A user list entry can also hold the special value $submituser$, which matches whatever username submitted the request. A run-user group containing it therefore matches only when the run user is the submitting user.

Host groups

Host groups define groups of hosts and/or wildcard patterns that match hostnames:

CREATE TABLE hostgrp (
id INTEGER PRIMARY KEY, name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
type CHAR(1) CHECK (type IN ('I','E')),           -- I=Internal, E=external
extinfo TEXT                                      -- external lookup info
);

CREATE TABLE hostlist (
id INTEGER REFERENCES hostgrp(id), host TEXT,     -- "glob" wildcard
PRIMARY KEY(id,host)
);

Each host group has one or more host list entries, each a hostname or a glob wildcard. The same group can be matched against the submit host or the run host; which one is decided by the role that references the group (the type column of rolehosts).

Command groups

Command groups define groups of commands and/or wildcard patterns that match commands:

CREATE TABLE cmdgrp (
id INTEGER PRIMARY KEY, name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1) -- 0=enabled, 1=disabled
);

CREATE TABLE cmdlist (
id INTEGER REFERENCES cmdgrp(id),
cmd TEXT,                                        -- "glob" wildcard
rewrite TEXT,                                    -- new command (see below)
PRIMARY KEY(id,cmd)
);

Each command group has one or more command list entries. The cmd column holds a command or a glob wildcard that is matched against the submitted command when the role is evaluated; the optional rewrite column replaces the command that will be executed. The rewrite uses Bourne/Bash-style positional tokens ($0, $1, and so on, plus $* and $#), which are substituted with the arguments of the original submitted command. For example, the entry /bin/rm * with the rewrite /bin/rm -i $* forces every rm submitted under that group to run interactively.
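As an added example (not code from this page or from the product), the following Python models a command group lookup and the $-token rewrite. It assumes that glob patterns are matched against the whole command line and that rewrite tokens are expanded per argument; the page states neither. The rm rewrite is the one shown in the entitlement reports further down; the other rows are constructed.

```python
"""Match a submitted command against cmdlist entries and apply the rewrite column.
Added example, not product code: the $0/$1/$*/$# tokens are the page's, the
glob matching over the whole command line and per-token expansion are assumptions."""
import re
import shlex
from fnmatch import fnmatchcase

# Constructed cmdlist rows (pattern, rewrite). Note that "/bin/ls" and "/bin/ls *"
# are separate entries: a glob must match the whole command line, so the pattern
# "/bin/ls *" does not cover a bare "/bin/ls". Conversely "*" matches any argument
# list at all, so "/bin/cat *" admits "/bin/cat /etc/shadow".
CMDLIST = [
    ("/bin/ls",     None),
    ("/bin/ls *",   None),
    ("/bin/cat *",  None),
    ("/bin/rm *",   "/bin/rm -i $*"),
]

def rewrite(template, argv):
    """Expand $0..$n, $* (all arguments after $0) and $# (their count) in the
    rewrite template into a new argv list. Expansion is per token, so an argument
    containing spaces or shell metacharacters stays a single argument."""
    out = []
    for tok in shlex.split(template):
        if tok == "$*":
            out.extend(argv[1:])
        elif tok == "$#":
            out.append(str(len(argv) - 1))
        elif re.fullmatch(r"\$\d+", tok):
            i = int(tok[1:])
            if i < len(argv):
                out.append(argv[i])
        else:
            out.append(tok)
    return out

def resolve_command(argv, cmdlist=CMDLIST):
    """Return the argv that would actually execute for a submitted argv, or None
    when no cmdlist pattern matches (the command group then does not match)."""
    line = " ".join(argv)
    for pattern, template in cmdlist:
        if fnmatchcase(line, pattern):
            return rewrite(template, argv) if template else list(argv)
    return None
```

The point of the last assertion in the constructed rows is the one to carry into policy review: a trailing `*` in a cmd entry places no restriction on arguments, so any path the command can read or write is in scope for that role.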

Time/date groups

Time/date groups define groups of times/dates and/or wildcard patterns that match times/dates:

CREATE TABLE tmdategrp (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1)   -- 0=enabled, 1=disabled
);

CREATE TABLE tmdatelist (
id INTEGER REFERENCES tmdategrp(id),
tmdate TEXT,                                       -- json format - see below
PRIMARY KEY(id,tmdate)
);

Each time/date group has one or more time/date list entries that specify when a request may be accepted; the group matches when the time at which the command is submitted falls inside one of its entries. Each entry is specified in JSON format, in one of two forms:

  • From/To specific date range: from and to are specified in epoch seconds:

    '{ "range" : { "from" : 1415851283, "to": 1415887283 }}'
    
  • Day of the Week: each day is an array of 24 hours (index 0 is 00:00 to 00:59). Each hour is a number whose four low bits mark 15 minute intervals, least significant bit first:

    1 1 1 1
          ^ 0 to 14 minutes of the hour (value 1)
        ^-- 15 to 29 minutes of the hour (value 2)
      ^---- 30 to 44 minutes of the hour (value 4)
    ^------ 45 to 59 minutes of the hour (value 8)

    Therefore the values range from 0 (never) to 15 (the whole hour). In the example below, weekdays are allowed from 07:00 to 18:29 (hour 18 has the value 3 = 1 + 2) and weekends are not allowed at all:

    '{
    "mon" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
    "tue" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
    "wed" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
    "thu" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
    "fri" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0],
    "sat" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
    "sun" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
    }'
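Added example, not product code: a Python evaluator for both entry formats, with the page's two examples embedded (the day-of-week arrays brought to 24 entries each). It assumes the quarter-hour bits are read least significant bit first, as the diagram above shows, and that day arrays are indexed by hour; it also shows how a day's masks collapse into the "HH:MM to HH:MM" windows the entitlement report prints.

```python
"""Evaluate a tmdatelist entry, in either of the page's two JSON formats, against
a point in time, and render a day's masks as time windows.
Added example, not product code. The quarter-hour bit values are read off the
page's mask diagram least significant bit first; that reading is an assumption."""
import json
from datetime import datetime, timezone

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday(): Monday == 0
QUARTER_BITS = (1, 2, 4, 8)   # :00-:14, :15-:29, :30-:44, :45-:59

# The page's day-of-week example with 24 entries per day: 07:00-17:59 fully open,
# 18:00-18:29 open (mask 3 = 1 + 2), weekends closed.
WORK, OFF = [0] * 7 + [15] * 11 + [3] + [0] * 5, [0] * 24
WORKING_WEEK = json.dumps({d: (WORK if d in DAYS[:5] else OFF) for d in DAYS})
# The page's range example (epoch seconds).
RANGE = '{ "range" : { "from" : 1415851283, "to": 1415887283 }}'

def at(year, month, day, hour=0, minute=0):
    """UTC datetime helper so callers need no datetime import."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def at_epoch(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def tmdate_allows(entry_json, when):
    """True if the entry permits a request at datetime `when`. A malformed day
    array (not 24 masks, or a mask outside 0..15) raises instead of being guessed
    at: a silent 'allow' here would widen the policy."""
    entry = json.loads(entry_json)
    if "range" in entry:
        ts = int(when.timestamp())
        return entry["range"]["from"] <= ts <= entry["range"]["to"]
    hours = entry.get(DAYS[when.weekday()])
    if hours is None:
        return False
    if len(hours) != 24 or any(not 0 <= h <= 15 for h in hours):
        raise ValueError("day array must hold 24 masks in the range 0..15")
    return bool(hours[when.hour] & QUARTER_BITS[when.minute // 15])

def windows(entry_json, day):
    """Merge a day's quarter-hour bits into ('HH:MM', 'HH:MM') windows."""
    hours = json.loads(entry_json)[day]

    def fmt(q, last=False):
        return "%02d:%02d" % divmod(q * 15 + (14 if last else 0), 60)

    out, start = [], None
    for q in range(96):                                  # 96 quarter hours per day
        if hours[q // 4] & QUARTER_BITS[q % 4]:
            start = q if start is None else start
        elif start is not None:
            out.append((fmt(start), fmt(q - 1, True)))
            start = None
    if start is not None:
        out.append((fmt(start), fmt(95, True)))
    return out
```

2018-06-18, the date in the example reports further down, was a Monday, which is why it is used as the sample weekday below.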
    

Roles

A role ties the other entities together: it references the user, host, command and time/date groups that must all match, and carries the action and the session attributes that are applied when they do.

CREATE TABLE role (
id INTEGER PRIMARY KEY,
name TEXT UNIQUE,
rorder INTEGER,                                    -- rule order for matching
description TEXT,
disabled INTEGER CHECK(disabled BETWEEN 0 AND 1),  -- 0=enabled, 1=disabled
risk INTEGER CHECK(risk >= 0),
action CHAR(1) CHECK (action IN ('A','R')),        -- A=Accept, R=Reject
iolog TEXT,         -- iolog template
script TEXT,        -- pbparse script
tag TEXT,           -- Arbitrary tag that will allow grouping of roles
comment TEXT,       -- Arbitrary comment field that can contain anything
message TEXT,       -- Accept/reject message (templated)
variables TEXT,     -- Contains JSON formatted Policy Script variables to set (templated)
varmatch TEXT,      -- Contains JSON formatted Policy Script variables to match
auth TEXT,          -- Contains JSON formatted array of authentication methods (templated)
rpt INTEGER DEFAULT 1     -- 1=on, 0=off, include Role in Entitlement Report
);

CREATE TABLE roleusers (
id INTEGER REFERENCES role(id),
users INTEGER REFERENCES usergrp(id),
type CHAR(1) CHECK (type IN ('S','R')),          -- S=Submit, R=Run User
PRIMARY KEY (id,users,type)
);

CREATE TABLE rolehosts (
id INTEGER REFERENCES role(id),
hosts INTEGER REFERENCES hostgrp(id),
type CHAR(1) CHECK (type IN ('S','R')),          -- S=Submit, R=Run Host
PRIMARY KEY (id,hosts,type)
);

CREATE TABLE rolecmds (
id INTEGER REFERENCES role(id),
cmds INTEGER REFERENCES cmdgrp(id),
PRIMARY KEY (id,cmds)
);

CREATE TABLE roletmdates (
id INTEGER REFERENCES role(id),
tmdates INTEGER REFERENCES tmdategrp(id),
PRIMARY KEY (id,tmdates)
);

Each role references one or more user, host, command and time/date groups. When the Policy Engine evaluates a request, it loads fully populated roles from the database sorted by the role attribute rorder and stops at the first role whose groups all match. That role's attributes are applied to the session and its action accepts or rejects the request. Because the first match wins, a Reject role only takes effect if its rorder is lower than that of any Accept role covering the same request. The iolog template is the normal I/O log file name template, for example /var/log/io_log.XXXXXX. The script is a full EPM-UL policy script that is called only if the role has been accepted; it can carry out extra processing to authorize the session (and can therefore override the role's accept/reject decision from within the script) and can perform extended environment configuration, as a normal EPM-UL policy script would.
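Added example, not product code: the first-match resolution described above, run against an in-memory SQLite copy of a subset of this schema. The sample policy rows are constructed for the example; matching glob patterns against the full command line is an assumption; time/date groups are left out so the block stays short.

```python
"""Resolve the first matching role for a request the way the text above describes:
enabled roles sorted by rorder; the first role whose submit/run user, submit/run
host and command groups all match wins. Added example using an in-memory SQLite
copy of a subset of the page's schema; glob matching over the full command line
and the sample policy rows are assumptions."""
import sqlite3
from fnmatch import fnmatchcase

SCHEMA = """
CREATE TABLE usergrp  (id INTEGER PRIMARY KEY, name TEXT UNIQUE, disabled INTEGER DEFAULT 0);
CREATE TABLE userlist (id INTEGER REFERENCES usergrp(id), user TEXT, PRIMARY KEY(id,user));
CREATE TABLE hostgrp  (id INTEGER PRIMARY KEY, name TEXT UNIQUE, disabled INTEGER DEFAULT 0);
CREATE TABLE hostlist (id INTEGER REFERENCES hostgrp(id), host TEXT, PRIMARY KEY(id,host));
CREATE TABLE cmdgrp   (id INTEGER PRIMARY KEY, name TEXT UNIQUE, disabled INTEGER DEFAULT 0);
CREATE TABLE cmdlist  (id INTEGER REFERENCES cmdgrp(id), cmd TEXT, rewrite TEXT, PRIMARY KEY(id,cmd));
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE, rorder INTEGER,
                   disabled INTEGER DEFAULT 0, action CHAR(1) CHECK (action IN ('A','R')));
CREATE TABLE roleusers (id INTEGER REFERENCES role(id), users INTEGER REFERENCES usergrp(id),
                        type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY(id,users,type));
CREATE TABLE rolehosts (id INTEGER REFERENCES role(id), hosts INTEGER REFERENCES hostgrp(id),
                        type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY(id,hosts,type));
CREATE TABLE rolecmds  (id INTEGER REFERENCES role(id), cmds INTEGER REFERENCES cmdgrp(id),
                        PRIMARY KEY(id,cmds));
"""

# Constructed policy (not from the page): rorder 1 accepts admins anywhere, rorder 2
# rejects shutdown for everyone else, rorder 4 lets user* run common commands as
# themselves ($submituser$) on three hosts. Order matters: swap 1 and 2 and admins
# could no longer shut anything down.
SAMPLE = """
INSERT INTO usergrp  VALUES (1,'Admins',0),(2,'Users',0),(3,'Anyone',0),(4,'Self',0);
INSERT INTO userlist VALUES (1,'root'),(1,'admin'),(2,'user*'),(3,'*'),(4,'$submituser$');
INSERT INTO hostgrp  VALUES (1,'Any PBUL Host',0),(2,'Build Hosts',0);
INSERT INTO hostlist VALUES (1,'*'),(2,'nfs.company.com'),(2,'build.company.com'),
                            (2,'staging.company.com');
INSERT INTO cmdgrp   VALUES (1,'Admin Commands',0),(2,'User Commands',0),(3,'Shutdown',0);
INSERT INTO cmdlist  VALUES (1,'/sbin/shutdown *',NULL),(1,'/usr/bin/mount *',NULL),
                            (2,'/usr/bin/ls',NULL),(2,'/usr/bin/ls *',NULL),
                            (2,'/usr/bin/rm *','/usr/bin/rm -i $*'),(3,'/sbin/shutdown *',NULL);
INSERT INTO role      VALUES (1,'Admin',1,0,'A'),(2,'NoShutdown',2,0,'R'),(3,'users',4,0,'A');
INSERT INTO roleusers VALUES (1,1,'S'),(1,3,'R'),(2,3,'S'),(2,3,'R'),(3,2,'S'),(3,4,'R');
INSERT INTO rolehosts VALUES (1,1,'S'),(1,1,'R'),(2,1,'S'),(2,1,'R'),(3,2,'S'),(3,2,'R');
INSERT INTO rolecmds  VALUES (1,1),(1,2),(2,3),(3,2);
"""

# (link table, link column, group table, list table, list column) per entity kind.
# These are fixed identifiers from the schema, never user input, so formatting them
# into SQL is safe; request values always travel as bound parameters.
TABLES = {
    "user": ("roleusers", "users", "usergrp", "userlist", "user"),
    "host": ("rolehosts", "hosts", "hostgrp", "hostlist", "host"),
    "cmd":  ("rolecmds",  "cmds",  "cmdgrp",  "cmdlist",  "cmd"),
}

def _side_matches(con, kind, role_id, rtype, value, submituser):
    """True if any enabled group linked to the role (on side S or R where the link
    table has a type column) holds a glob pattern matching `value`."""
    link, lcol, grp, lst, col = TABLES[kind]
    sql = (f"SELECT {lst}.{col} FROM {link} "
           f"JOIN {grp} ON {grp}.id = {link}.{lcol} "
           f"JOIN {lst} ON {lst}.id = {grp}.id "
           f"WHERE {link}.id = ? AND {grp}.disabled = 0")
    params = [role_id]
    if rtype:
        sql += f" AND {link}.type = ?"
        params.append(rtype)
    for (pattern,) in con.execute(sql, params):
        if pattern == "$submituser$":          # special entry: the submitting user
            pattern = submituser
        if fnmatchcase(value, pattern):
            return True
    return False

def resolve(con, submituser, submithost, runuser, runhost, command):
    """Return (role name, action) for the first matching role in rorder order,
    or None when nothing matches (time/date groups are not evaluated here)."""
    checks = [("user", "S", submituser), ("user", "R", runuser),
              ("host", "S", submithost), ("host", "R", runhost),
              ("cmd", None, command)]
    for role_id, name, action in con.execute(
            "SELECT id, name, action FROM role WHERE disabled = 0 ORDER BY rorder").fetchall():
        if all(_side_matches(con, k, role_id, t, v, submituser) for k, t, v in checks):
            return name, action
    return None

def build_policy_db():
    """In-memory database loaded with the constructed sample policy."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con
```

The fourth check below is the one $submituser$ exists for: user1 may run ls as user1 on a build host, but the same request with root as the run user falls through every role and is not accepted.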

Role based policy settings

The following settings are used by Role Based Policy and change management, and need to be set when those features are implemented.

policydb

  • Version 8.5 and earlier: policydb setting not available.
  • Version 9.0 and later: policydb setting available.

The policydb setting specifies the path to the Role Based Policy database. If the value is not an absolute path (does not start with "/"), the database file is created in the location given by the databasedir setting.

Default

/opt/<prefix>pbul<suffix>/dbs/pbrbpolicy.db

Used on

Policy server hosts

rolebasedpolicy

  • Version 8.5 and earlier: rolebasedpolicy setting not available.
  • Version 9.0 and later: rolebasedpolicy setting available.

Enable or disable Role Based Policy checking. The default is no.

Example

rolebasedpolicy    yes

Default

rolebasedpolicy    no

Used on

Policy server hosts

rbptransactions

  • Version 8.5 and earlier: rbptransactions setting not available.
  • Version 9.0 and later: rbptransactions setting available.

Use rbptransactions to track changes on role-based policies. Information tracked includes the clients and policy versions.

  • Enabled: Tracks changes and, for clients that have caching enabled, records in the eventlog which version of the role-based policy was used. Before changes can be made, the administrator must begin a change transaction, giving the reason for the change. The reason is logged and the Role Based Policy database is then locked for update; only that administrator can continue to make changes. For example:

    pbdbutil --rbp -b -m "Add jsmith to list of admins"
    pbdbutil --rbp -i ./new_rbp.json
    pbdbutil --rbp -c

  • Disabled: The eventlog shows the cached policy used, but not the policy version.

On the policy server, you can also use the pbdbutil program to track the clients and the version of the policy.


For more information, see Role Based Policy Options, Cached Policy and Logging.

Example

rbptransactions    yes

Default

rbptransactions    no

Used on

Policy server hosts

changemanagementevents

  • Version 8.5 and earlier: changemanagementevents setting not available.
  • Version 9.0 and later: changemanagementevents setting available.

Enable/Disable the logging of Change Management Events when maintaining databases.

A logserver must be installed before enabling the changemanagementevents keyword.

Example

changemanagementevents    yes

Default

changemanagementevents    no

The following settings are also used in Role Based Policy.

  • eventdb

    The path to the Change Management Event Database. The default is /opt/pbul/dbs/pbevent.db.

  • pbresturi

    The partial REST URL string between the hostname and /REST. There is no default for this setting.

  • pbrestport <port#>

    The REST port. Default value is the base port + 6.

  • eventdestinations <taxonomy>=<destination>[,<destination>...] [<taxonomy>=... ]

    Events can be sent to a remote host (the primary logserver), the event database, syslog, a flat file on the file system (</path/to/file>), or a binary or script for consumption (<|/path/to/executable>). Multiple destinations can be specified for each taxonomy, separated by commas. The default destination is authevt=db.

  • eventformats <taxonomy>=<csv|json> [<taxonomy>=... ]

    Specify the format of events to log (except database records, which are always JSON). The default format is JSON.

  • pbresttimeskew

    The maximum clock difference, in seconds, tolerated between hosts (a time synchronization service is recommended). The default is 60 seconds.


For more information, see eventdb, pbresturi, pbrestport, eventdestination, eventformats, pbresttimeskew

Role-Based Policy Entitlement reports

Endpoint Privilege Management for Unix and Linux v10.1.0 introduced Role Based Policy Entitlement reports. A user can request one with pbrun -e; an administrator can produce an overall report with pbdbutil --rbp -R. The reports show which commands each user may request, on which hosts, as which run users, and when they are allowed to run them.

pbdbutil: Role-Based Policy options

The pbdbutil role-based policy options introduced in Endpoint Privilege Management for Unix and Linux v10.1.0 are described below.

pbdbutil --rbp [<options>] [ <file> <file> ...]
   -R { json param }          Report user entitlements from the database (level 1)
      -R                      Repeat to also display commands (level 2)
         -R                   Repeat again to also display time/date restrictions (level 3)
            -R                Repeat again to also display additional role options (level 4)
   -E { json param }          List user entitlements data from the database
   where { json param } is one or more of:
      "submituser" : "user1"     Specify submit user or wildcard
      "submithost" : "host1"     Specify submit host or wildcard
      "runuser"    : "user1"     Specify run user or wildcard
      "runhost"    : "host1"     Specify run host or wildcard
      "command"    : "command"   Specify command or wildcard

pbrun options

Endpoint Privilege Management for Unix and Linux v10.1.0 introduced the following options that are available only when Role Based Policy is enabled:

pbrun -e                 Returns the entitlement report for the current user at level 1.
pbrun -e 1               Returns the entitlement report for the current user at level 1.
pbrun -e 4               Returns the entitlement report for the current user at level 4.
pbrun --entitlement=4    Returns the entitlement report for the current user at level 4.

Example reports

Level 1 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 1
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:23
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order:     1
Name:           Admin
Description:    Super users and admins
Action:         allowed
Tag:
Membership:     Admins
Submit Host(s): Any PBUL Host
Run Host(s):    Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
/bin/find *,/usr/bin/ls,/bin/ls,/bin/cat *,/bin/ls *,/usr/bin/ls *,/usr/bin/rm *,
/usr/bin/cat *,/usr/bin/find *,/sbin/shutdown *,/bin/more *,/bin/id,/usr/bin/more *,
/usr/bin/mount *,/bin/ln *,/bin/mount *,/bin/rm *,/usr/sbin/shutdown *,
/usr/bin/ln *,/usr/bin/id,/sbin/ifconfig *,/usr/sbin/ifconfig *
======================================================================

Example

Level 2 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 2
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:28
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order:     1
Name:           Admin
Description:    Super users and admins
Action:         allowed
Tag:
Risk:           1
Membership:     Admins
Submit Host(s): Any PBUL Host
Run Host(s):    Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description:   Common UNIX Commands
/bin/ls                         executes: /bin/ls
/bin/ls *                       executes: /bin/ls *
/usr/bin/ls                     executes: /usr/bin/ls
/usr/bin/ls *                   executes: /usr/bin/ls *
/bin/cat *                      executes: /bin/cat *
/usr/bin/cat *                  executes: /usr/bin/cat *
/bin/find *                     executes: /bin/find *
/usr/bin/find *                 executes: /usr/bin/find *
/bin/more *                     executes: /bin/more *
/usr/bin/more *                 executes: /usr/bin/more *
/bin/rm *                       executes: /bin/rm -i $*
/usr/bin/rm *                   executes: /usr/bin/rm -i $*
/bin/ln *                       executes: /bin/ln *
/usr/bin/ln *                   executes: /usr/bin/ln *
/bin/id                         executes: /bin/id
/usr/bin/id                     executes: /usr/bin/id
Command Group: Admin Commands
Description:   Common Superuser Commands
/sbin/shutdown *                executes: /sbin/shutdown *
/usr/sbin/shutdown *            executes: /usr/sbin/shutdown *
/bin/mount *                    executes: /bin/mount *
/usr/bin/mount *                executes: /usr/bin/mount *
/sbin/ifconfig *                executes: /sbin/ifconfig *
/usr/sbin/ifconfig *            executes: /usr/sbin/ifconfig *

Example

Level 3 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 3
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:30
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order:     1
Name:           Admin
Description:    Super users and admins
Action:         allowed
Tag:
Risk:           1
Membership:     Admins
Submit Host(s): Any PBUL Host
Run Host(s):    Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description:   Common UNIX Commands
/bin/ls                         executes: /bin/ls
/bin/ls *                       executes: /bin/ls *
/usr/bin/ls                     executes: /usr/bin/ls
/usr/bin/ls *                   executes: /usr/bin/ls *
/bin/cat *                      executes: /bin/cat *
/usr/bin/cat *                  executes: /usr/bin/cat *
/bin/find *                     executes: /bin/find *
/usr/bin/find *                 executes: /usr/bin/find *
/bin/more *                     executes: /bin/more *
/usr/bin/more *                 executes: /usr/bin/more *
/bin/rm *                       executes: /bin/rm -i $*
/usr/bin/rm *                   executes: /usr/bin/rm -i $*
/bin/ln *                       executes: /bin/ln *
/usr/bin/ln *                   executes: /usr/bin/ln *
/bin/id                         executes: /bin/id
/usr/bin/id                     executes: /usr/bin/id
Command Group: Admin Commands
Description:   Common Superuser Commands
/sbin/shutdown *                executes: /sbin/shutdown *
/usr/sbin/shutdown *            executes: /usr/sbin/shutdown *
/bin/mount *                    executes: /bin/mount *
/usr/bin/mount *                executes: /usr/bin/mount *
/sbin/ifconfig *                executes: /sbin/ifconfig *
/usr/sbin/ifconfig *            executes: /usr/sbin/ifconfig *
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description:     Any Time
Monday:  01:00am to 12:14pm
Tuesday:  01:00am to 12:14pm
Wednesday:  01:00am to 12:14pm
Thursday:  01:00am to 12:14pm
Friday:  01:00am to 12:14pm
Saturday:  01:00am to 12:14pm
Sunday:  01:00am to 12:14pm

Example

Level 4 report
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 4
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:07:32
User: root
Belongs to the following Roles:
Admin
======================================================================
Role Order:     1
Name:           Admin
Description:    Super users and admins
Action:         allowed
Tag:
Risk:           1
Membership:     Admins
Submit Host(s): Any PBUL Host
Run Host(s):    Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: User Commands
Description:   Common UNIX Commands
/bin/ls                         executes: /bin/ls
/bin/ls *                       executes: /bin/ls *
/usr/bin/ls                     executes: /usr/bin/ls
/usr/bin/ls *                   executes: /usr/bin/ls *
/bin/cat *                      executes: /bin/cat *
/usr/bin/cat *                  executes: /usr/bin/cat *
/bin/find *                     executes: /bin/find *
/usr/bin/find *                 executes: /usr/bin/find *
/bin/more *                     executes: /bin/more *
/usr/bin/more *                 executes: /usr/bin/more *
/bin/rm *                       executes: /bin/rm -i $*
/usr/bin/rm *                   executes: /usr/bin/rm -i $*
/bin/ln *                       executes: /bin/ln *
/usr/bin/ln *                   executes: /usr/bin/ln *
/bin/id                         executes: /bin/id
/usr/bin/id                     executes: /usr/bin/id
Command Group: Admin Commands
Description:   Common Superuser Commands
/sbin/shutdown *                executes: /sbin/shutdown *
/usr/sbin/shutdown *            executes: /usr/sbin/shutdown *
/bin/mount *                    executes: /bin/mount *
/usr/bin/mount *                executes: /usr/bin/mount *
/sbin/ifconfig *                executes: /sbin/ifconfig *
/usr/sbin/ifconfig *            executes: /usr/sbin/ifconfig *
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description:     Any Time
Monday:  01:00am to 12:14pm
Tuesday:  01:00am to 12:14pm
Wednesday:  01:00am to 12:14pm
Thursday:  01:00am to 12:14pm
Friday:  01:00am to 12:14pm
Saturday:  01:00am to 12:14pm
Sunday:  01:00am to 12:14pm
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: yes
Extended Script Policy: no
Custom accept/reject message: no

Example

Level 1 report, with "command" filter
pbdbutil -P --rbp -R '{ "command":"/usr/bin/*"}'
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 1
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:09:10
User: *
Belongs to the following Roles:
Admin,users
======================================================================
Role Order:     1
Name:           Admin
Description:    Super users and admins
Action:         allowed
Tag:
Risk:           1
Membership:     Admins
Submit Host(s): Any PBUL Host
Run Host(s):    Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
/usr/bin/ls,/usr/bin/mount *,/usr/bin/ls *,/usr/bin/cat *,/usr/bin/find *,
/usr/bin/rm *,/usr/bin/ln *,/usr/bin/more *,/usr/bin/id
======================================================================
Role Order:     4
Name:           users
Description:    Normal users
Action:         allowed
Tag:
Membership:     Users
Submit Host(s): nfs.company.com,build.company.com,staging.company.com
Run Host(s):    nfs.company.com,build.company.com,staging.company.com
Commands will execute as user: user*
User may request the following commands using pbrun:
/usr/bin/ls,/usr/bin/ls *,/usr/bin/find *,/usr/bin/cat *,/usr/bin/ln *,
/usr/bin/rm *,/usr/bin/more *,/usr/bin/id

Example

Level 4 report with "command" filter
======================================================================
Endpoint Privilege Management for Unix and Linux Role Based Policy Entitlement Report - Level 4
----------------------------------------------------------------------------
Date/Time: 2018-06-18 09:09:26
User: *
Belongs to the following Roles:
Admin,users
======================================================================
Role Order:     1
Name:           Admin
Description:    Super users and admins
Action:         allowed
Tag:
Risk:           1
Membership:     Admins
Submit Host(s): Any PBUL Host
Run Host(s):    Any PBUL Host
Commands may be executed as user(s): root,admin,user*
Please use the '-u' flag to select user at run time.
eg: pbrun -u runuser command [arguments]
User may request the following commands using pbrun:
Command Group: Admin Commands
Description:   Common Superuser Commands
/usr/bin/mount *                executes: /usr/bin/mount *
Command Group: User Commands
Description:   Common UNIX Commands
/usr/bin/ls                     executes: /usr/bin/ls
/usr/bin/ls *                   executes: /usr/bin/ls *
/usr/bin/cat *                  executes: /usr/bin/cat *
/usr/bin/find *                 executes: /usr/bin/find *
/usr/bin/more *                 executes: /usr/bin/more *
/usr/bin/rm *                   executes: /usr/bin/rm -i $*
/usr/bin/ln *                   executes: /usr/bin/ln *
/usr/bin/id                     executes: /usr/bin/id
Date and Time restrictions for Role 'Admin':
Time/Date Group: Any Time
Description:     Any Time
Monday:  01:00am to 12:14pm
Tuesday:  01:00am to 12:14pm
Wednesday:  01:00am to 12:14pm
Thursday:  01:00am to 12:14pm
Friday:  01:00am to 12:14pm
Saturday:  01:00am to 12:14pm
Sunday:  01:00am to 12:14pm
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: yes
Extended Script Policy: no
Custom accept/reject message: no
======================================================================
Role Order:     4
Name:           users
Description:    Normal users
Action:         allowed
Tag:
Risk:           1
Membership:     Users
Submit Host(s): build.company.com,nfs.company.com,staging.company.com
Run Host(s):    build.company.com,nfs.company.com,staging.company.com
Commands will execute as user: user*
User may request the following commands using pbrun:
Command Group: User Commands
Description:   Common UNIX Commands
/usr/bin/ls                     executes: /usr/bin/ls
/usr/bin/ls *                   executes: /usr/bin/ls *
/usr/bin/cat *                  executes: /usr/bin/cat *
/usr/bin/find *                 executes: /usr/bin/find *
/usr/bin/more *                 executes: /usr/bin/more *
/usr/bin/rm *                   executes: /usr/bin/rm -i $*
/usr/bin/ln *                   executes: /usr/bin/ln *
/usr/bin/id                     executes: /usr/bin/id
Date and Time restrictions for Role 'users':
Time/Date Group: Working Week
Description:     Working Week
Monday:  01:00am to 12:14pm
Tuesday:  01:00am to 12:14pm
Wednesday:  01:00am to 12:14pm
Thursday:  01:00am to 12:14pm
Friday:  01:00am to 12:14pm
Saturday:  none
Sunday:  none
Additional Role Options:
Additional Authentication Required: no
Session Recording Enabled: no
Extended Script Policy: no
Custom accept/reject message: no

Change management events

There are two approaches to maintaining the Role Based Policy database. The simple one is to modify the tables with pbdbutil at the command line: each change is individual, instantaneous, and live immediately. That is adequate for smaller organizations; larger organizations usually need a more controlled, procedural method.

Role Based Policy database change transactions are enabled with the rbptransactions setting. Once enabled, an administrator must begin a change transaction, giving the reason for the change, before any change can be made. The reason is logged and the whole Role Based Policy database is then locked for update; only that administrator can continue to make changes.

Changes made inside the transaction are NOT seen by the live authorization process. That administrator alone can keep making them and, when finished, can commit or roll them back. On commit they are all applied to the database as one update and a change management event is generated; on rollback they are discarded and nothing changes.


Note

If a change transaction is begun and the administrator leaves it open without closing it, any other administrator with access can force a rollback of the changes. Doing so requires a reason and logs a change management event. Change transactions are also required once policy is updated through the GUI, to preserve database integrity.

To enable the logging of change management events, each client needs changemanagementevents yes in pb.settings, log servers need eventdb defined, and the REST pbconfigd service must be running.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.