To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Privilege Manager.
Displaying profile-based policy debug information
Enabling program-level tracing
To view debug information for profile-based policy, set the value for the pf_tracelevel variable either globally in global_profile.conf, or in an individual profile.
To set the pf_tracelevel variable in the profile
# Variable: pf_tracelevel: Enables tracing/debugging output at different levels:
# 1:show reason for reject, 2: verbose output, 3: show debug trace
pf_tracelevel=2;

$ pmrun id
********************************************************************
** One Identity Privilege Manager for Unix Version 6.0.0 (006)
**
** This request is being authorized on master :<HostName>
** User "luser" has submitted a request from host "<HostName>"
** to run the command "id"
********************************************************************
User : luser
Host : <HostName>
Command : id
* Check profile:profiles/admin.profile
** Profile:admin does not match user
** Profile:admin does not match UNIX group
** Profile:admin does not match AD group list
* Check profile:profiles/demo.profile
** Validate command:id
** Profile:demo cmd[0] matches command:id
Request accepted by the "demo" profile
All interactions with this command will be recorded in the file:
/var/opt/quest/qpm4u/iolog/demo/luser/id_20121023_1038_qu3zcf
Executing "id" as user "root" ...
********************************************************************************
uid=0(root) gid=0(root) groups=0(root)
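When reviewing why a request was accepted, it helps to reduce the trace to the decision itself: which profiles were checked, why each was skipped, which one accepted, where the I/O log went, and the run-as user. The following Python sketch is an added example, not part of the One Identity product or documentation; the function name summarize_trace is hypothetical, and it assumes the trace has the line layout of the pf_tracelevel=2 output shown above.

```python
import re

# Sample trace taken from the pf_tracelevel=2 output on this page (banner omitted).
SAMPLE = """\
User : luser
Host : <HostName>
Command : id
* Check profile:profiles/admin.profile
** Profile:admin does not match user
** Profile:admin does not match UNIX group
** Profile:admin does not match AD group list
* Check profile:profiles/demo.profile
** Validate command:id
** Profile:demo cmd[0] matches command:id
Request accepted by the "demo" profile
All interactions with this command will be recorded in the file:
/var/opt/quest/qpm4u/iolog/demo/luser/id_20121023_1038_qu3zcf
Executing "id" as user "root" ...
"""

def summarize_trace(text):
    """Return the policy decision recorded in a profile-based policy trace."""
    result = {"user": None, "command": None, "checked": [], "mismatches": {},
              "accepted_by": None, "iolog": None, "runas": None}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if m := re.match(r"(User|Command)\s*:\s*(.+)", ln):
            result[m.group(1).lower()] = m.group(2)
        elif m := re.match(r"\* Check profile:(\S+)", ln):
            result["checked"].append(m.group(1))      # profiles in evaluation order
        elif m := re.match(r"\*\* Profile:(\S+) does not match (.+)", ln):
            result["mismatches"].setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r'Request accepted by the "([^"]+)" profile', ln):
            result["accepted_by"] = m.group(1)
        elif ln.endswith("recorded in the file:") and i + 1 < len(lines):
            result["iolog"] = lines[i + 1]            # path is on the following line
        elif m := re.match(r'Executing "[^"]*" as user "([^"]+)"', ln):
            result["runas"] = m.group(1)
    return result

if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE).items():
        print(f"{key}: {value}")
```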
Technical Support may ask you to create a trace file when you run a program by using the -z option. The -z option enables tracing on a specific program or currently running process.
To display program-level tracing
# <CommandName> -z on
The -z option creates a <CommandName>.ini file which then creates a <CommandName>.trc file when you run the command. The .trc file contains the debug information. Both the .ini and the .trc files are created in the /tmp directory.
pmloadcheck is both a command and a background daemon (run with the -i flag). When run as a command, it checks, updates, and reports on the status of the policy server. You can use pmloadcheck from a policy server or PM Agent.
When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmloadcheck is responsible for keeping the production policy file up to date.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.