Get Started Using the Privilege Management for Unix and Linux Interface

The Privilege Management for Unix and Linux browser interface is a web-based GUI that provides a user-friendly alternative to administering Privilege Management for Unix and Linux from a Unix/Linux command line. The GUI enables you to easily modify the settings file, view event records from the event log, replay I/O logs, and create and modify policy files.

There are two ways to access the GUI:

  • Directly, by using the browser interface URL in a web browser. This method is known as stand-alone access.
  • By clicking a Privilege Management for Unix and Linux instance on the Privilege Management for Unix and Linux Console menu. The Privilege Management for Unix and Linux browser interface is displayed within the Privilege Management for Unix and Linux Console user interface.

The Privilege Management for Unix and Linux Console is a web application that provides an easy-to-use and centralized console for managing Privilege Management for Unix and Linux and includes advanced tools for reviewing and administering Privilege Management for Unix and Linux logs.

Prerequisites

The GUI is compatible with the following browsers beginning with the indicated versions:

  • Opera 8.5+
  • Mozilla 1.7+
  • Firefox 1.5+
  • Netscape 7.1+
  • Internet Explorer 6.0+

The browser must have JavaScript, cascading style sheets, and pop-ups enabled. The suggested monitor display settings are 1024 x 768 pixels or higher.

Before users can use stand-alone access to the GUI, the Privilege Management for Unix and Linux Policy Server host must be configured to allow access to pbguid. Update the policy file (either /opt/pbul/policies/pb.conf or a policy file that is included from /opt/pbul/policies/pb.conf) to limit access to the various activities to specific users or groups. Policy rules are evaluated in order and processing stops at the first accept or reject, so place the pbguid block before any general-purpose accept rule that would otherwise match these requests. The following example grants each activity to named users only:

browseusers = { "chris" };
settingsusers = { "kim" };
logusers = { "kim", "chris" };
iologusers = { "kim" };
policyusers = { "admin" };
policysaveusers = { "admin" };
reportusers = { "admin", "kim", "chris" };
configusers = { "admin" };
reportinfousers = { "admin", "kim" };
reporteditusers = { "admin", "chris" };
reportsaveusers = { "admin", "chris" };
reportexecuteusers = { "admin", "kim" };
entitlementinfousers = { "admin", "kim" };
entitlementusers = { "admin", "kim", "chris" };
entitlementeditusers = { "admin", "chris" };
entitlementsaveusers = { "admin", "chris" };
entitlementexecuteusers = { "admin", "kim" };

# Requests from the browser interface arrive with pbclientname set to "pbguid";
# argv[1] names the activity and argv[2] (when present) the sub-action.
if (pbclientname == "pbguid") {
    if ((argv[1] == "settings") && (user in settingsusers))
        accept;

    if ((argv[1] == "log") && (user in logusers))
        accept;

    if ((argv[1] == "iolog") && (user in iologusers))
        accept;

    if ((argv[1] == "browse") && (user in browseusers))
        accept;

    if ((argv[1] == "policy") && (user in policyusers))
        accept;

    if ((argv[1] == "save") && (user in policysaveusers))
        accept;

    if ((argv[1] == "report") && (user in reportusers)) {
        if (argc > 2) {
            # Restrict access to edit a report set file
            if ((argv[2] == "edit") && (user ! in reporteditusers))
                reject;

            # Restrict access to save a report set file
            if ((argv[2] == "save") && (user ! in reportsaveusers))
                reject;

            # Restrict access to execute a report set file
            if ((argv[2] == "exec") && (user ! in reportexecuteusers))
                reject;

            # Restrict access to get info from a report set file
            if ((argv[2] == "info") && (user ! in reportinfousers))
                reject;
        }
        accept;
    }

    if ((argv[1] == "defaults") && (user in configusers))
        accept;

    if ((argv[1] == "entitlement") && (user in entitlementusers)) {
        if (argc > 2) {
            # Restrict access to edit an entitlement report
            if ((argv[2] == "edit") && (user ! in entitlementeditusers))
                reject;

            # Restrict access to save an entitlement report
            if ((argv[2] == "save") && (user ! in entitlementsaveusers))
                reject;

            # Restrict access to execute an entitlement report
            if ((argv[2] == "exec") && (user ! in entitlementexecuteusers))
                reject;

            # Restrict access to get info from an entitlement report
            if ((argv[2] == "info") && (user ! in entitlementinfousers))
                reject;
        }
        accept;
    }

    # No pbguid activity matched for this user: reject the request
    reject;
}
As an alternative, you can use the following code to enable access to all activities for the admin user. Note that the else branch rejects every request that does not match, including requests that do not come from pbguid, so use it only where that is the intended result (for example, as the last rule in the policy):

if ((pbclientname == "pbguid") && (user == "admin"))
    accept;
else
    reject;
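Before deploying a policy like the one above, it is worth checking that the user lists actually produce the access matrix you intend. The following is an added example, not Privilege Management for Unix and Linux code and not something the product ships: a plain-Python model of the decision logic in the pbguid block that reports which activities each user ends up with and flags sub-action grants that can never take effect. The user names are the placeholders from the example policy, and the ACTIVITIES table is an assumption reconstructed from the argv[1] and argv[2] checks in that block.

```python
# Added example: a plain-Python model of the pbguid policy block above.
# It does not talk to a policy server and is not PMUL code; it only mirrors
# the decision logic so the lists can be reviewed before deployment.

# The user lists, copied from the example policy (placeholder user names).
POLICY = {
    "browseusers": {"chris"},
    "settingsusers": {"kim"},
    "logusers": {"kim", "chris"},
    "iologusers": {"kim"},
    "policyusers": {"admin"},
    "policysaveusers": {"admin"},
    "reportusers": {"admin", "kim", "chris"},
    "configusers": {"admin"},
    "reportinfousers": {"admin", "kim"},
    "reporteditusers": {"admin", "chris"},
    "reportsaveusers": {"admin", "chris"},
    "reportexecuteusers": {"admin", "kim"},
    "entitlementinfousers": {"admin", "kim"},
    "entitlementusers": {"admin", "kim", "chris"},
    "entitlementeditusers": {"admin", "chris"},
    "entitlementsaveusers": {"admin", "chris"},
    "entitlementexecuteusers": {"admin", "kim"},
}

# Assumption drawn from the policy block: argv[1] activity ->
# (list gating the activity, {argv[2] sub-action -> list gating it}).
ACTIVITIES = {
    "settings": ("settingsusers", {}),
    "log": ("logusers", {}),
    "iolog": ("iologusers", {}),
    "browse": ("browseusers", {}),
    "policy": ("policyusers", {}),
    "save": ("policysaveusers", {}),
    "defaults": ("configusers", {}),
    "report": ("reportusers", {
        "edit": "reporteditusers", "save": "reportsaveusers",
        "exec": "reportexecuteusers", "info": "reportinfousers"}),
    "entitlement": ("entitlementusers", {
        "edit": "entitlementeditusers", "save": "entitlementsaveusers",
        "exec": "entitlementexecuteusers", "info": "entitlementinfousers"}),
}


def decide(user, argv, policy=POLICY, client="pbguid"):
    """Return 'accept' or 'reject' the way the pbguid block would.

    argv mirrors the request: argv[0] is the program, argv[1] the activity,
    argv[2] (if present) the sub-action, so the policy's argc == len(argv).
    Returns None for a non-pbguid client, since the block is skipped then.
    """
    if client != "pbguid":
        return None
    activity = argv[1] if len(argv) > 1 else None
    if activity not in ACTIVITIES:
        return "reject"  # falls through to the block's final reject
    gate, subs = ACTIVITIES[activity]
    if user not in policy[gate]:
        return "reject"
    if len(argv) > 2 and argv[2] in subs and user not in policy[subs[argv[2]]]:
        return "reject"
    # A sub-action that is not one of the named ones is accepted for anyone
    # who passed the outer check; only the named sub-actions can reject.
    return "accept"


def unreachable_grants(policy=POLICY):
    """Users in a sub-action list but not in the enclosing activity list.

    Such an entry never takes effect: the outer check rejects them first.
    """
    found = []
    for activity, (gate, subs) in ACTIVITIES.items():
        for sub, name in subs.items():
            for user in sorted(policy[name] - policy[gate]):
                found.append((user, activity, sub))
    return found


def access_matrix(users, policy=POLICY):
    """Map each user to the 'activity' / 'activity sub' strings it may use."""
    matrix = {}
    for user in users:
        allowed = set()
        for activity, (_, subs) in ACTIVITIES.items():
            if decide(user, ["pbguid", activity], policy) == "accept":
                allowed.add(activity)
            for sub in subs:
                if decide(user, ["pbguid", activity, sub], policy) == "accept":
                    allowed.add(f"{activity} {sub}")
        matrix[user] = allowed
    return matrix


if __name__ == "__main__":
    for user, allowed in access_matrix(["admin", "kim", "chris"]).items():
        print(f"{user:6} {' '.join(sorted(allowed))}")
    print("unreachable grants:", unreachable_grants())
    # Constructed variant: "pat" is granted "report save" but is not in reportusers.
    broken = {name: set(users) for name, users in POLICY.items()}
    broken["reportsaveusers"].add("pat")
    print("unreachable grants (broken variant):", unreachable_grants(broken))
```

Two things the model makes visible that are easy to miss when reading the policy: a user added to a sub-action list such as reportsaveusers gains nothing unless they are also in reportusers, and within the report and entitlement activities only the four named sub-actions can reject, so any other argv[2] value is accepted for every user who passed the outer check. If the browser interface in your version sends sub-actions beyond those four, add them to the policy explicitly rather than relying on the fall-through.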

For more information about the values of argv[1] and argv[2] for the browser interface program, please see the Privilege Management for Unix and Linux Administration Guide.