11-30-2018 02:12 AM
We need to provide root access to technical users to perform application setup.
we would like to check any feasibility to to provide previlege access to user with DZDO and this access should be revoked after certain time.
Suppose if we provide root access to a technical user through DZDO, the previlege access should be expired after 7 days or 10 days.
11-30-2018 06:02 AM
Welcome to Centrify.
Absolutely doable. dzdo is an enhanced version sudo to leverage Centrify DirectAuthorize data in the zone in AD.
It was designed to support temporary access controls. The concepts to understand are these:
In UNIX-like systems, Roles consist of PAM acesss rights (how the user accesses the system) and commands (executed by using dzdo). Roles can be time-bound (e.g. rights effective at a certain day/time). Role assignments (the association of a role to a user or group principal) can be time-scoped. See screenshots below:
Role assignments can happen manually, programmatically or based on AD group membership.