I use PowerBroker a lot and I'm very fond of it. (I also use PowerPassword -- another Symark product -- and I don't like it nearly as much.)
PowerBroker is very capable. I can set it up so that certain users have access to certain accounts on certain machines, but only on certain days or only for certain commands. I can make it so that you operate as a particular user, particular group, with a particular home directory, certain startup files, etc., etc. In addition, it does keystroke-by-keystroke logging so I can go back after the fact and review a session and see what the user typed and what they saw. Of course, that doesn't help much if all they do is launch a gui session, but then neither will any of the other solutions. The logging and management are done on (one or more) central server(s), so you can make it so that the users can't modify the logs after the fact to hide their activities. I rate the product very highly, but I would say that for a small environment I wouldn't bother with it -- I'd just use sudo -- unless I required that degree of logging and protection of logs. Oh, and sudo is free while PowerBroker is not. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai Sent: Tuesday, September 19, 2006 2:01 AM To: [email protected] Subject: Re: root group in solaris : Tools What is the suggestion on using a tool like Powerbroker from Symark. The tool claims to centralise the "sudo" function and also provide logging? Does anyone have feedback on this tool or any other third party tool in the same space? On 9/19/06, Suzanne Widup <[EMAIL PROTECTED]> wrote: > Have you looked at implementing sudo? It's a root delegation tool and > would give you some better accountability as to what people are doing. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of dubaisans dubai > Sent: Monday, September 18, 2006 5:50 AM > To: [email protected] > Subject: root group in solaris > > Hi, > > I would like to give root user privileges to a set of OS administrators. > Everyone has individual user-ids on the system. > Currently they login with their personal ID and then SU to root. I > donot want to share root password with these many people. > > I am thinking of adding all these users to the "root" group[GID 0]. > Will it provide root-equivalent UID O access to these users. If not > why ? Does the "root" group not have root user-id equivalent privileges? > > Is it possible manually to make the GID 0 privileges equivalant of UID > O? > > How else can I give these individual users root privileges - make all > of them UID 0 or something.? Is that a smart idea? > > I am looking at something simpler than SUDO or RBAC > > > "MMS <safeway.com>" made the following annotations. > ---------------------------------------------------------------------- > -------- > Warning: > All e-mail sent to this address will be received by the Safeway corporate e-mail system, and is subject to archival and review by someone other than the recipient. This e-mail may contain information proprietary to Safeway and is intended only for the use of the intended recipient(s). If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately. > > ====================================================================== > ======== > >
