Create and assign sudo entitlements
By default, Unix operating systems provide two roles to users: base users and admins. Sudo entitlements let Advanced Server Access admins use the more granular permission levels available on Linux systems, so that users can run certain commands with sudo without being granted the level of control that admins hold. This gives Advanced Server Access admins a system of layered permissions in which you specify the exact commands your users can run.
Create sudo entitlements
Click the Entitlements tab in the Advanced Server Access dashboard.
Click Add Sudo Entitlement
Fill in the Name and Description fields for your Sudo Entitlement
In the Command field, type the specific command you want to create for your Sudo Entitlement.
Note: Rules concerning Sudo Entitlement Commands can be found below.
Bind a sudo entitlement to a group
Navigate to the Projects tab in the Advanced Server Access dashboard.
Once you are in your project's dashboard, click the Groups tab within that project's console.
Click on the name of the Group that you want to grant a Sudo Entitlement.
Once you're on your Group's page, click the Add Sudo Entitlement Binding button.
Choose your Entitlement from the dropdown list, and then click Submit
Sudo entitlement rules
Each command in a sudo entitlement is one of three command types: raw, directory, or executable.
Sudo entitlements also follow a set of rules:
- Only Advanced Server Access administrators are allowed to create sudo entitlements
- Each entitlement needs to consist of at least one command
- Commands of the raw and directory types cannot allow additional arguments to be specified.
- The entitlement name accepts any alphanumeric character except spaces
- The entitlement description accepts any alphanumeric character
- Commands of the raw type accept any input
- Commands of the directory type accept any legal UNIX directory defined by a string beginning and ending with a / character, or the / character alone.
- Commands of the executable type accept any legal UNIX path defined only by a string beginning with a / character
Generally, custom arguments accept any input as long as the input follows Bash syntax, not sudoers syntax. Arguments can be specified in three ways: no arguments, meaning that the command can be run on its own; any arguments, meaning that any arguments can be run with the command; or custom arguments, meaning that the command can only be run with specific arguments set by the Advanced Server Access administrator.