Customization example - pf_forbidusers list
This example demonstrates how to create a new profile variable, pf_forbidusers, that you can use in any profile or shell profile. The customization will cause the profile selection to fail when the user is in the pf_forbidusers list, even if the user matches pf_authusers. This would allow you to blacklist specific users from any profile or shell profile.
The following is an updated profile_customer_policy.conf file indicating the modifications in bold.
############################################################################
# One Identity Privilege Manager for Unix Profile Policy V600 (XXX)
# One Identity 2013
#
# Sample Default Policy Generated for QPM4U
#
# This policy is included by file: profileBasedPolicy.conf
#
# This allows customization at certain points while reading profiles. The
# following functions are provided:
# - fn_log_and_accept_custom
# - fn_custom_profile_init
# - pr_custom_profile_reset
# - fn_customer_init
############################################################################
# custom profile variables
pf_forbidusers={};
#########################################################################
# FUNCTION: fn_log_and_accept_custom
#
# This function is called by pr_log_and_accept to do any
# customer-specific actions required, just before accepting the request.
#
#########################################################################
function fn_log_and_accept_custom()
{
return true;
}
#########################################################################
# FUNCTION: fn_custom_profile_init
# Do any custom config required for a profile.
# This is called after matching user/group to a profile,
# but before checking anything else.
#########################################################################
function fn_custom_profile_init()
{
if (user in pf_forbidusers)
return false;
return true;
}
########################################################################
# PROCEDURE: pr_custom_profile_reset
# Reset any custom variables after processing a profile
#########################################################################
procedure pr_custom_profile_reset()
{
#reset these for each profile read
pf_forbidusers={};
return;
}
#########################################################################
# FUNCTION: fn_customer_init
# Do any custom config required for the policy
# This is called before processing any profiles.
#########################################################################
function fn_customer_init()
{
return true;
}
The initial definition of the variable (pf_forbidusers={};) is near the top of the file. In order to be globally accessible, the variable must be defined outside of any function or procedure call. The same statement is also in the pr_custom_profile_reset() procedure so that the variable is reset before a new profile (or shell profile) is read. Finally, some code was added to fn_custom_profile_init() to return false if the user is listed in the variable.
If you add the following to the demo profile, user jbloggs would no longer be able to successfully run pmrun id using that profile:
pf_forbidusers={"jbloggs"};
Policy scripting tutorial
This section introduces you to the basics of policy scripting through a series of seven semi-interactive lessons. However, before you begin, please note: One Identity assumes you:
- have Privilege Manager for Unix installed successfully
- are running Privilege Manager for Unix with the pmpolicy type
The first seven lessons introduce you to some of the simpler constructs and capabilities of Privilege Manager for Unix's policies. Each lesson is designed to allow you to run the policy files on your own test system, with minimal changes, enabling you to learn the basics of policy scripting quickly.
Following the seven basic lessons are three advanced lessons designed to extend your knowledge and understanding of creating policies.
Install the example policy file
Before you start the lessons, you must install the example policy file. This procedure instructs you to create a temporary directory and then use the pmpolicy command with a checkout sub-command to checkout the current policy into the temporary directory you just created.
To install the main example policy file
- Create a temporary directory:
# mkdir /tmp/policy
- Checkout the current policy:
# /opt/quest/sbin/pmpolicy checkout -d /tmp/policy
** Validate options [ OK ]
** Checkout to /tmp/policy/policy_pmpolicy
** Create directory [ OK ]
** Check out working copy [ OK ]
** Copy files [ OK ]
** Perform syntax check [ OK ]
- Change to the temporary directory:
# cd /tmp/policy/policy_pmpolicy
- Run the pmpolicy masterstatus command and note the current revision number.
#pmpolicy masterstatus
** Validate options [ OK ]
** Report details of production copy
** Check out working copy (HEAD revision) [ OK ]
** Check if directory contains a working copy [ OK ]
- Directory contains an svn working copy:/var/opt/quest/qpm4u/pmpolicy/.scratch/._29076
** Check current status of working copy [ OK ]
** Report details of production copy [ OK ]
- Production Policy File : /etc/opt/quest/qpm4u/policy/pm.conf
- Checked out at : 2012-11-30 16:23
- Current Revision : 1
- Latest Trunk Revision : 1
- Locally modified : NO
-
Copy the main example policy into place:
# cp /opt/quest/qpm4u/examples/pm.conf pm.conf
cp: overwrite `pm.conf'? y
Policy file
This is the main policy file that Privilege Manager for Unix uses to drive through the lessons.
The other sample policy files for the lessons are also in the examples directory:
/opt/quest/qpm4u/examples/example1.conf
/opt/quest/qpm4u/examples/example2.conf
/opt/quest/qpm4u/examples/example3.conf
/opt/quest/qpm4u/examples/example4.conf
/opt/quest/qpm4u/examples/example5.conf
/opt/quest/qpm4u/examples/example6.conf
/opt/quest/qpm4u/examples/example7.conf
/opt/quest/qpm4u/examples/example8.conf
/opt/quest/qpm4u/examples/example9.conf
/opt/quest/qpm4u/examples/example10.conf
- Use the commit sub-command to start using the policy:
# pmpolicy commit -d /tmp/policy
** Validate options [ OK ]
** Commit copy in directory:/tmp/policy/policy_pmpolicy
** Check directory [ OK ]
** Perform syntax check [ OK ]
** Verify files to commit [ OK ]
Please enter the commit log message: example pm.conf
** Commit change form working copy [ OK ]
** Committed revision 2
- When you are finished with the examples, revert the original main policy file, as follows:
# pmpolicy revert -r 1
** Validate options [ OK ]
** Revert to revision:1
** Check out working copy (trunk revision) [ OK ]
** Check out working copy (revision 1) [ OK ]
** Check required revision [ OK ]
** Get file list for trunk [ OK ]
** Get file list for selected revision [ OK ]
** Copy file:pm.conf [ OK ]
** Perform syntax check [ OK ]
** Verify files to commit [ OK ]
Please enter the commit log message: revert to original
** Commit change from working copy [ OK ]
** Committed revision 3
See Main policy configuration file to see the example policy file used in these lessons.
Create test users
For each lesson in this hands-on tutorial, you are required to log on as root and then switch to a test user. Then, at the conclusion of each lesson, switch back to root to get ready to start the next lesson.
To work through these lessons, you need to create users called demo, dan, and robyn on your test system, as the policy file is based around these default users.
To create the test users
- Log in to your test system as the root user.
- Create the demo, dan, and robyn test users to use during the lessons.