Recognize a Login Event
Privileged Access Manager does not treat all attempts to change the user ID of a process as login events. Usually a program attempts to change its user ID with a setuid system call. The SURROGATE class controls these events, which are not necessarily considered login events. These events do not necessarily change the user identity from the point of view of Privileged Access Manager.

Privileged Access Manager always preserves the original user identity, that is, the identity with which the user logged in initially. Ordinary setuid system calls do not cause Privileged Access Manager to register a change in user identity.

For Privileged Access Manager to recognize the identity change, it must recognize this event as a login event. The product recognizes login events using the following rules:

- The program that attempts to change the identity is defined as a login program. All programs in the LOGINAPPL class are login programs.
- The program executes a series of system calls corresponding to its definition in the LOGINAPPL class.
When you begin an administration session (in selang or Privileged Access Manager Endpoint Management), Privileged Access Manager performs a dummy login event. This event is not a true login; rather, Privileged Access Manager performs certain internal checks, which are similar to login checks. For more information, see the SEQUENCE property for the LOGINAPPL class in the selang Reference Guide.

At the start of an administration session, the user name is checked on the machine to be administered. You get access to this machine for administration only if you have WRITE access for the terminal from which you perform the session.
For example, if you are logged in to host Minerva and would like to administer Privileged Access Manager on host Artemis, two conditions are necessary:

- A TERMINAL object called Minerva (or the relevant fully qualified name) is in the database record for Artemis.
- You are listed in the ACL of this object with WRITE permission.

These conditions are checked before any other user authority check. You also need administrative authority in the database.
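The following is an added example, not code from Privileged Access Manager or its documentation: a small Python model of the two checks described above, the LOGINAPPL rules for recognizing a login event and the TERMINAL/ACL check that precedes any other authority check. The program names, SEQUENCE call lists, ACL entries and host names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed LOGINAPPL definitions: login program -> ordered SEQUENCE of
# system calls it must perform. Program names and sequences are assumptions.
LOGINAPPL = {
    "/bin/login": ("setgid", "initgroups", "setuid"),
    "/usr/bin/su": ("setgid", "setuid"),
}

# Constructed TERMINAL records held by the administered host (Artemis):
# terminal object name -> ACL mapping user -> access level.
TERMINALS_ON_ARTEMIS = {"Minerva": {"alice": "WRITE", "bob": "READ"}}


@dataclass
class Process:
    program: str
    login_identity: str          # identity from the initial login, preserved
    effective_uid: str           # what the OS sees after setuid
    syscalls: list = field(default_factory=list)


def trace(proc, call):
    """Record a non-setuid system call made by the process."""
    proc.syscalls.append(call)


def is_subsequence(pattern, calls):
    """True when every call in pattern occurs in calls, in that order."""
    it = iter(calls)
    return all(any(c == p for c in it) for p in pattern)


def apply_setuid(proc, new_uid):
    """Model a setuid call. The OS identity changes either way (SURROGATE
    governs the attempt); the preserved login identity changes only when the
    program is a login program and its SEQUENCE has been completed."""
    proc.syscalls.append("setuid")
    proc.effective_uid = new_uid
    seq = LOGINAPPL.get(proc.program)
    if seq is not None and is_subsequence(seq, proc.syscalls):
        proc.login_identity = new_uid
        return "login"
    return "surrogate"


def admin_session_allowed(terminals, from_host, user):
    """Terminal check done before any other authority check: the originating
    host must exist as a TERMINAL object and its ACL must grant user WRITE."""
    acl = terminals.get(from_host)
    return acl is not None and acl.get(user) == "WRITE"
```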