Set the Privilege Elevation for UNIX Target Accounts

For target accounts associated with UNIX target applications, you can configure the Privilege Elevation setting. This setting determines which privilege elevation capabilities the account has on the target server. How you configure this setting impacts whether password synchronization works. 
On the UNIX tab of the target account, select one of the following options for the given account.
The descriptions assume that the privilege elevation command is sudo and the password change command is passwd.
  • Do not use elevated privileges: Select this option for an account that is not allowed to run sudo commands on the target server. When the user of the account tries to change its own password, the user must provide the current password first. Accounts without privilege elevation cannot update passwords of other accounts.
  • Use elevated privileges: Select this option for an account that is allowed to run sudo commands without providing its own password to sudo. This use case applies for an account with the "NOPASSWD" flag set in the /etc/sudoers file. The NOPASSWD flag is considered insecure and not recommended. Such accounts can change passwords of other accounts, including the root account.
  • Use elevated privileges with authentication: Select this option for accounts that can run sudo commands but must provide a password. Before a command is executed, the sudo command prompts the account user for a password. This behavior is the recommended sudo option. Such accounts can change passwords of other accounts, including root.
  • This account is a root account: Select this option for accounts that need no privilege elevation. Such accounts can change their own password without having to provide the current password first. These accounts also can change passwords of other accounts without the use of the sudo command. Beginning with release 3.0.3, if you select this option, the default script does not invoke the sudo command.
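The following Python sketch is an added example, not part of the product or its documentation. It reads sudoers-style text and reports which of the four options above fits an account, so the setting can be checked against the target server before it is chosen. It assumes a simplified sudoers grammar (no aliases, include files, or Defaults-based authentication changes); the sample content, the account names and the function name are constructed for illustration.

```python
import re

# Constructed sample of /etc/sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
svc_sync ALL=(root) NOPASSWD: /usr/bin/passwd
pamadmin ALL=(ALL) /usr/bin/passwd
%wheel   ALL=(ALL) NOPASSWD: ALL
"""

# user or %group, host list, "=", then runas spec, tags and commands
SPEC = re.compile(r"^(?P<who>%?[A-Za-z_][\w.-]*)\s+\S+\s*=\s*(?P<rest>.+)$")


def privilege_elevation_option(account, sudoers_text, groups=(), uid=None):
    """Map an account to one of the four Privilege Elevation options (hypothetical helper)."""
    if uid == 0 or account == "root":
        return "This account is a root account"
    option = "Do not use elevated privileges"
    for line in sudoers_text.splitlines():
        m = SPEC.match(line.split("#", 1)[0].strip())
        if not m or m.group("who") == "Defaults":
            continue
        who = m.group("who")
        is_group = who.startswith("%") and who[1:] in groups
        if who not in (account, "ALL") and not is_group:
            continue
        # Drop the "(runas)" part, then the tags, leaving only the command list.
        rest = re.sub(r"\([^)]*\)", "", m.group("rest"))
        cmds = [c.strip() for c in re.sub(r"\b[A-Z_]+:", "", rest).split(",")]
        # Only entries that cover the password change command matter here.
        if not any(c == "ALL" or c.split()[0].endswith("/passwd") for c in cmds if c):
            continue
        # sudo applies the last matching entry, so a later line overrides an earlier one.
        if "NOPASSWD:" in rest:
            option = "Use elevated privileges"
        else:
            option = "Use elevated privileges with authentication"
    return option


if __name__ == "__main__":
    for name, grp in (("root", ()), ("svc_sync", ()), ("pamadmin", ()), ("pamadmin", ("wheel",))):
        print(name, grp, "->", privilege_elevation_option(name, SAMPLE_SUDOERS, grp))
```

In the sample, pamadmin moves from the authenticated option to the NOPASSWD one as soon as it is a member of wheel, which is the kind of group-granted entry worth checking for before selecting a setting.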