The best way to allow Central Policy Manager (CPM) to manage root accounts on UNIX/Linux systems, while following best practices of denying SSH access to root accounts, is to create a privileged account on the target server. This account should be allowed to SSH directly from the CPM machine and then configured as the Reconcile account of the target server's root account. This ensures that root privileges are indirectly managed through a secure intermediary account, maintaining the security policy of not allowing direct root SSH access.