The first policy server you configure is the primary policy server which holds the master copy of the policy file. Additional policy servers configured in the policy group are secondary policy servers. The primary policy server and any number of additional secondary policy servers share a common policy. Adding secondary policy servers to a policy group allows you to load-balance the authorization requests on the policy servers.
To configure a primary policy server
From the All Hosts view, open the Join or Configure tool bar menu and navigate to Configure Policy Server | As Primary Policy Server....
On the Configure Primary Policy Server dialog,
Enter a policy group name in the text box.
Note: When the configuration is complete, this new policy group will be automatically configured and activated in the Privilege Manager system settings. (See Configure a Service Account for details.)
Choose the policy type: either sudo policy type (Privilege Manager for Sudo) or pmpolicy type (Privilege Manager for Unix).
(See Managing Security Policy for more information about the policy types.)
Click Advanced to import an existing policy and/or a license file.
If you configure Privilege Manager for Sudo using the default sudo policy type, Privilege Manager uses a copy of the /etc/sudoers file as its initial security policy if the file exists, otherwise it creates a generic sudoers file.
Note: When you join a Sudo Plugin to a policy server, Privilege Manager for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.
##
## WARNING: Sudoers rules are being managed by QPM4Sudo
## WARNING: Do not edit this file, it is no longer used.
##
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.
When you unjoin the Sudo Plugin, Privilege Manager for Sudo removes those lines from the local sudoers file.
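As an added example (not One Identity's code), a small POSIX shell audit that checks a local sudoers file for the marker block quoted in the note above and reports whether the block is absent, complete, or only partially present; the sample files it inspects are constructed inline, and the "partial" state is this example's own classification, not a product status.

```shell
#!/bin/sh
# Added example, not One Identity's code: audit whether a host's local sudoers
# file carries the QPM4Sudo marker block that Privilege Manager for Sudo adds on
# join (and removes on unjoin), and whether that block is intact.

# The three distinctive marker lines quoted in the product note.
MARK_MANAGED='## WARNING: Sudoers rules are being managed by QPM4Sudo'
MARK_NOEDIT='## WARNING: Do not edit this file, it is no longer used.'
MARK_EDITCMD='## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.'

# Print how many of the three marker lines appear verbatim in FILE (0..3).
qpm4sudo_marker_count() {
    n=0
    for m in "$MARK_MANAGED" "$MARK_NOEDIT" "$MARK_EDITCMD"; do
        grep -qxF -- "$m" "$1" && n=$((n + 1))
    done
    echo "$n"
}

# Classify FILE: "absent" (not joined, or cleanly unjoined), "complete" (joined;
# rules are edited with pmpolicy, not in this file) or "partial" (marker block
# damaged: a hand edit or an interrupted join/unjoin worth investigating).
qpm4sudo_marker_state() {
    case "$(qpm4sudo_marker_count "$1")" in
        0) echo absent ;;
        3) echo complete ;;
        *) echo partial ;;
    esac
}

# Constructed sample files (not taken from real hosts) so the script runs alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/joined" <<'EOF'
root ALL=(ALL) ALL
##
## WARNING: Sudoers rules are being managed by QPM4Sudo
## WARNING: Do not edit this file, it is no longer used.
##
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.
EOF
cat > "$SAMPLE_DIR/tampered" <<'EOF'
root ALL=(ALL) ALL
## WARNING: Do not edit this file, it is no longer used.
EOF
printf 'root ALL=(ALL) ALL\n' > "$SAMPLE_DIR/local"

for f in joined tampered local; do
    printf '%s: %s\n' "$f" "$(qpm4sudo_marker_state "$SAMPLE_DIR/$f")"
done
```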
If you configure Privilege Manager for Unix using the pmpolicy type, Privilege Manager creates a profile-based (or role-based) policy. This security policy simplifies setup and maintenance through the use of easy-to-manage profile (or role) templates.
In the Import policy data from box, enter a path to the policy data to override the default and import the initial security policy from the specified location.
For example, enter
/tmp/pmpolicy/pm.conf
In the Import license file from box, click Browse to select a product license file from the local file system.
You can skip this step initially. Privilege Manager comes with a 30-day trial license. After 30 days, Privilege Manager continues to allow you to run ten Sudo Plugin clients without a license, but requires a license for the PM Agents. (See Software & Licenses for details.)
Enter the pmpolicy service account password in the Join Password box.
Note: You will use this password when you add secondary policy servers or join remote hosts to this policy group.
Select the Join agent or plugin to policy group option if you want to join the primary policy server to the policy group at this time.
When you join a policy server to a policy group, you are indicating which policy group you want to use for policy verification. That is, you are enabling that host to validate security privileges against a single common policy file located on the primary policy server, instead of a policy file located on the local host.
Note: Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.
You can join the agent or plugin to the policy group later. (See Join the Host to a Policy Group for details.)
On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.
This information is pre-populated if you saved the credentials for the host.
When you join a host to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.
Note: To join a host to a policy group, the host must meet all of these conditions:
Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.
To join a host to a policy group
From the list on the All Hosts view, select one or more hosts that have the Privilege Manager software installed, open the Join or Configure tool bar menu, and choose Join to Policy Group.
Note: The Join to Policy Group option is enabled when you select hosts that have the Privilege Manager software installed and are not already joined to a policy group. The tool bar button will not be active if
On the Policy Group tab,
Select the policy group to use for the policy verification.
The Policy group drop-down menu lists the configured policy groups with the policy server type in parentheses, either pmpolicy or sudo.
Enter the pmpolicy service account password in the Join password box.
Note: The Join password is the password for the pmpolicy service account that was set when you configured the primary server. (See Configure the Primary Policy Server for details.)
On the Failover tab,
Set the failover parameters, if you desire, and click OK.
Note: If you set the failover parameter to random order, Privilege Manager ignores the ordering of the policy servers.
Set the default policy server failover order within the policy group by ordering the hosts in the Policy Server list using the up and down arrows.
Where there are two or more policy servers, Privilege Manager connects to the next available server when it cannot make a connection to a policy server.
Note: To change the failover order, unjoin the host from the policy group and then rejoin it using the new settings.
On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.
Note: This task requires elevated credentials. The management console pre-populates this information if you saved the credentials for the host.
The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.
When you unjoin a host from a policy group, the host will no longer check for privileges against the policy in the policy group.
To unjoin host(s) from the policy group
Note: This task requires elevated credentials.
The primary policy server is always the first server configured in the policy server group; secondary servers are subsequent policy servers set up in the policy server group to help with load balancing. The "master" copy of the policy is kept on the primary policy server.
All policy servers (primary and secondary) maintain a working copy of the security policy stored locally. The initial working copy is initialized by means of a checkout from the repository when you configure the policy server. Following this, the policy servers automatically retrieve updates as required.