The default configuration for the pmpolicy type is a profile-based security policy, which consists of several files. The main policy code resides in the global_profile.conf and profileBasedPolicy.conf files. One Identity recommends that you do not enter customized code in these files, because doing so impacts the effectiveness and accuracy of the reports produced by Management Console for Unix. Instead, One Identity recommends that you use the profiles to effect changes in policy.
Best practice suggestion: Create custom code in profile_customer_policy.conf.
If you configure Privilege Manager for Unix using the pmpolicy type, pmsrvconfig creates a group of default profile-based policy files that you can customize to define which commands you want to allow your users to run. This provides a convenient way to experience the benefits of Privilege Manager for Unix while familiarizing yourself with the basics of policy scripting. The default security policy is made up of four sample profiles (admin, demo, helpdesk, webadmin) and three shell profiles (root, restricted, qpm4u_login).
These profiles are enabled by default:
These profiles are disabled by default:
These profiles provide additional examples of how to create and configure profiles. They are disabled by default to prevent the granting of unwanted access.
In addition, shell profiles, which permit users to run specified shell programs, are included in the /profiles/shellprofiles directory.
These shell profiles are enabled by default:
This shell profile is disabled by default:
The profiles and shell profiles allow for easy management of your policy, but the core of the policy is included in other policy files. The following table briefly describes the files that are used in the profile-based policy.
File | Description | Includes | Included by |
---|---|---|---|
pm.conf | Main policy file. Do not put custom code in this policy file. | global_profile.conf, profileBasedPolicy.conf | NONE |
global_profile.conf | Defines default global variables. Also includes extensive comments documenting the variables. Do not put custom code in this policy file; however, you may change the default settings. | NONE | pm.conf |
profileBasedPolicy.conf | Primary decision-making policy file for the profile-based policy (not meant to be edited by customers). Special hook functions defined in profile_customer_policy.conf are called from this policy file. | profile_customer_policy.conf, *.profile, *.shellprofile | pm.conf |
profile_customer_policy.conf | Custom policy file for customer-defined global variables and policy code. You can modify special hook functions to run custom policy code at certain points in the profile evaluation. You can create custom policies in this file; however, custom policies may affect the accuracy of the reports generated in Management Console for Unix. See The Privilege Manager for Unix Security Policy. | NONE | profileBasedPolicy.conf |
*.profile (in the profiles directory) | Profile configuration file for allowing certain commands to be run by pmrun. Do not put custom code in this policy file. | NONE | profileBasedPolicy.conf |
*.shellprofile (in the profiles directory) | Profile configuration file for interactive Privilege Manager for Unix shells (including wrapped shells). | NONE | profileBasedPolicy.conf |
Profiles and shell profiles only contain variable assignments that are used in the policy decision making.
When evaluating the profile-based policy, the policy server must first determine which of the profiles matches the incoming request. The policy uses the Who, What, Where, and When criteria specified in the profiles to determine a match. Note that the filename used for the profile is significant: the policy checks the profiles sequentially, in lexical filename order, until a match is found. Once a profile is selected, the remaining profiles are not evaluated.
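The selection rule above (lexical filename order, first enabled match wins) is easy to get wrong when adding a profile, so the following added example models it; it is illustration code, not Privilege Manager's pmpolicy language, and the one-key-per-line profile format with the keys enabled/who/what/where/when is a constructed simplification of the real profile variables.

```python
# Added illustration of first-match, lexical-order profile selection.
# The profile format below (one "key = value" per line with the keys
# enabled/who/what/where/when) is a constructed simplification, NOT the
# real pmpolicy profile syntax; it exists only to model the rule described
# in the text: profiles are checked in lexical filename order and the first
# enabled profile whose criteria all match wins, later profiles are ignored.
import fnmatch

# Constructed sample profiles keyed by filename (stands in for the profiles directory).
PROFILES = {
    "admin.profile": "enabled = true\nwho = admin\nwhat = *\nwhere = *\nwhen = *",
    "demo.profile": "enabled = false\nwho = *\nwhat = *\nwhere = *\nwhen = *",
    "helpdesk.profile": "enabled = true\nwho = helpdesk\nwhat = /usr/bin/passwd\nwhere = *\nwhen = *",
    "webadmin.profile": "enabled = true\nwho = webadmin\nwhat = /usr/sbin/apachectl\nwhere = web*\nwhen = *",
}

CRITERIA = ("who", "what", "where", "when")


def parse_profile(text):
    """Parse the simplified 'key = value' profile text into a dict of strings."""
    criteria = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        criteria[key.strip()] = value.strip()
    return criteria


def select_profile(profiles, request):
    """Return the filename of the first matching enabled profile, or None.

    request maps each criterion (who/what/where/when) to the value of the
    incoming pmrun request. Profiles are examined in sorted (lexical)
    filename order and evaluation stops at the first match, so a broadly
    matching profile with an early-sorting name shadows every later one.
    """
    for name in sorted(profiles):
        profile = parse_profile(profiles[name])
        if profile.get("enabled", "false").lower() != "true":
            continue  # disabled profiles never grant access
        # Each criterion is a shell-style glob that must match the request value.
        if all(fnmatch.fnmatchcase(request[k], profile.get(k, "")) for k in CRITERIA):
            return name
    return None
```

Renaming a broad profile so that it sorts before a narrow one (for example a helpdesk profile with `what = *` saved as 00_broad.profile) silently widens what helpdesk users may run, which is why the filename matters.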