Create and Assign Sudo Entitlements

By default, Unix operating systems provide two roles to users: base users and admins. Sudo Entitlements allow admins to take advantage of the much more granular permission levels available on Linux systems, letting users run certain sudo commands without granting them the level of control that admins hold. This offers Advanced Server Access admins a system of layered permissions, allowing you to specify the exact commands your users can run.

Create Sudo Entitlements

  1. Click the Entitlements tab in the Advanced Server Access dashboard.

  2. Click Add Sudo Entitlement

  3. Fill in the Name and Description fields for your Sudo Entitlement

  4. In the Command field, type the specific command you want to create for your Sudo Entitlement.

    Note: Rules concerning Sudo Entitlement Commands can be found below.

Bind Sudo Entitlements to Groups

  1. Navigate to the Projects tab in the Advanced Server Access dashboard.

  2. Once you are in your project's Dashboard, click on the Groups tab within that project's console.

  3. Click on the name of the Group that you want to grant a Sudo Entitlement.

  4. Once you're on your Group's page, click the Add Sudo Entitlement Binding button.

  5. Choose your Entitlement from the dropdown list, and then click Submit

Sudo Entitlement Rules

Each Sudo Entitlement can be one of three different command types: 

  • Raw
  • Directory
  • Executable

Sudo Entitlements also follow a set of rules:

  • Only Advanced Server Access administrators are allowed to create sudo entitlements
  • Each entitlement needs to consist of at least one command
  • Commands of the raw and directory types cannot allow additional arguments to be specified.
  • The entitlement name accepts any alphanumeric character except spaces
  • The entitlement description accepts any alphanumeric character
  • Commands of the raw type accept any input
  • Commands of the directory type accept any legal UNIX directory defined by a string beginning and ending with either a / character, or the / character alone.
  • Commands for the executable type accept any legal UNIX path defined only by a string beginning with a / character

Generally, custom arguments accept any input as long as the input follows Bash syntax, not sudoers syntax. Arguments can be specified in three ways:

  • No arguments: the command can be run on its own.
  • Any arguments: any arguments can be run with the command.
  • Custom arguments: the command can only be run with the specific arguments set by the Advanced Server Access administrator.
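The rules above can be checked before an entitlement is submitted. The following is an added example, not Advanced Server Access code: the dict layout, the field names (type, command, args_mode, args), and the use of shlex tokenising as a stand-in for "follows Bash syntax" are assumptions made for illustration.

```python
import re
import shlex

NAME_RE = re.compile(r"[A-Za-z0-9]+")  # strict reading: alphanumeric, no spaces
ARG_MODES = {"none", "any", "custom"}   # the three ways arguments can be specified

def check_command(cmd):
    """Return the rule violations for one command (hypothetical dict layout)."""
    errors = []
    ctype, value, mode = cmd.get("type"), cmd.get("command", ""), cmd.get("args_mode", "none")
    if ctype == "directory":
        if not (value.startswith("/") and value.endswith("/")):  # "/" alone also passes
            errors.append("directory must begin and end with /")
    elif ctype == "executable":
        if not value.startswith("/"):
            errors.append("executable must be a path beginning with /")
    elif ctype != "raw":  # raw commands accept any input
        errors.append(f"unknown command type {ctype!r}")
    if mode not in ARG_MODES:
        errors.append(f"unknown args_mode {mode!r}")
    elif ctype in ("raw", "directory") and mode != "none":
        errors.append("raw and directory commands cannot allow additional arguments")
    elif mode == "custom":
        try:  # assumption: shlex tokenising approximates "follows Bash syntax"
            if not shlex.split(cmd.get("args", "")):
                errors.append("custom arguments are empty")
        except ValueError as exc:
            errors.append(f"custom arguments are not valid shell syntax: {exc}")
    return errors

def check_entitlement(ent):
    """Return every rule violation found in one entitlement definition."""
    errors = []
    if not NAME_RE.fullmatch(ent.get("name", "")):
        errors.append("name must be alphanumeric with no spaces")
    if not ent.get("commands"):
        errors.append("entitlement needs at least one command")
    for i, cmd in enumerate(ent.get("commands", [])):
        errors += [f"command {i}: {e}" for e in check_command(cmd)]
    return errors

GOOD = {"name": "RestartNginx", "commands": [  # constructed samples, not real data
    {"type": "executable", "command": "/usr/bin/systemctl", "args_mode": "custom", "args": "restart nginx"},
    {"type": "directory", "command": "/opt/maint/"},
    {"type": "raw", "command": "/usr/bin/journalctl -u nginx"}]}
BAD = {"name": "restart web", "commands": [
    {"type": "directory", "command": "/opt/tools", "args_mode": "any"},
    {"type": "executable", "command": "usr/bin/systemctl", "args_mode": "custom", "args": 'restart "nginx'}]}
for ent in (GOOD, BAD):
    print(ent["name"], check_entitlement(ent) or "OK")
```

The GOOD sample passes every rule, while BAD is reported for its name, its directory path, the arguments allowed on a directory command, the relative executable path, and the unbalanced quote in its custom arguments.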
