The security policy lies at the heart of Privilege Manager. It stipulates which users may access which commands with escalated privileges. Privilege Manager guards access to privileged functions on your systems according to rules specified in the security policy.
Privilege Manager for Unix supports two security policy types: sudo policy and PM policy.
Management Console for Unix gives you the ability to centrally manage policy located on the primary policy server. You view and edit both types of policy from the Policy tab on the management console.
Note: To manage policy, you must log in either as the supervisor or as an Active Directory account with rights to edit the policy file; that is, an account in the Manage Sudo Policy or Manage PM Policy role.
To open a policy
To use the Sudo Policy Editor or the PM Policy Editor, you must first add and profile a Privilege Manager policy server, configure the service account, and activate the policy group in the management console. (See Activate Policy Groups for details.)
Note: If the policy editor does not open, see Java Applet Failures for information about troubleshooting policy editor issues.
Note: See Edit Panel Commands for more information about editing the policy in the text editor.
The policy is saved as a new version.
To revert to a specific version of the policy file
The policy file is saved as a new version, not under the version number that you opened.
You can make changes to the policy in the text editor either by typing them in or by using the commands in the Edit panel to insert, copy, or paste text; check for errors; or disable or enable syntax highlighting.
As you edit a policy, the Errors pane lists syntax errors by line and column number. You can double-click an error to navigate directly to the line containing the error.
To use the commands in the Edit panel to modify the policy file
Open the Insert menu and select one of these options:
Note: The Select AD... dialogs allow you to select a container from which to begin the search. The AD options are only available if you are logged in as an Active Directory user with rights to edit the policy file; that is, an account in the Manage Sudo Policy or Manage PM Policy role. Non-Unix-enabled groups require that you configure the Authentication Services sudo_vas group provider module. (See Configuring Sudo Access Control in the Authentication Services Administration Guide for details.)
Note: The Select Alias dialog allows you to filter the list of Alias names by:
The Edit Entries dialog allows you to insert lists of data that are typed manually, pasted from another file, or imported from a file. Separate multiple items with commas, for example:
Fred, Ethel, Lucy
The Insert List option allows you to copy and paste a comma-delimited list into the text box; the console automatically adds the list of data objects with quotes around each individual entry. For example, if you paste the following into the Add entries box:
/usr/bin/kill,/usr/bin/cp,/usr/bin/passwd,/usr/bin/head
when you click Add, the console lists the four entries and puts quotes around each one (for example, "/usr/bin/kill").
Once you have the objects listed on the Edit Entries dialog, click OK to include them in the policy.
Note: For more information about the Edit Entries dialog, click the help link.
Note: When checking sudo policy for errors, be aware that the #include and #includedir directives are currently ignored by Privilege Manager for Sudo. Remove or comment out any #include or #includedir directives in your sudo policy. Error-checking a policy file that contains a #include or #includedir may generate false errors. It is safe to ignore such errors when saving the sudo policy, but it is best practice to remove or comment out such directives.
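As an added example (not part of the One Identity documentation or product), the following POSIX shell functions locate and disable #include/#includedir directives in a sudo policy file before it is pasted into the Sudo Policy Editor, so that Error Check is not tripped by directives the product ignores. The sample sudoers fragment is constructed for the demonstration. The functions also match the @include/@includedir spelling that newer sudo releases accept, which goes beyond what the note above mentions and is an assumption of this example.

```shell
#!/bin/sh
# Added example, not One Identity code: find and disable sudo include
# directives that Privilege Manager for Sudo ignores (see the note above).

# Print every include directive as "<line>:<text>"; exit status 0 if any
# were found, 1 otherwise (grep's own convention). Only a directive at the
# very start of the line counts: "# include ..." is an ordinary comment.
# The "@include" spelling is newer sudo syntax, matched here as an
# assumption beyond what the page states.
find_sudo_includes() {
    grep -n -E '^[#@]include(dir)?[[:space:]]' "$1"
}

# Copy the policy from $1 to $2, rewriting each directive as an ordinary
# comment so the original path stays visible to whoever edits the file.
disable_sudo_includes() {
    sed -E 's/^([#@]include(dir)?[[:space:]].*)$/# DISABLED: \1/' "$1" > "$2"
}

# Constructed sample sudo policy for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults    env_reset
# an ordinary comment that happens to mention #include
Cmnd_Alias  ADMIN = /usr/bin/kill, /usr/bin/cp, /usr/bin/passwd, /usr/bin/head
#include /etc/sudoers.local
#includedir /etc/sudoers.d
%wheel      ALL=(ALL) ADMIN
EOF

if find_sudo_includes "$sample"; then
    echo "include directives found; writing cleaned copy to $sample.clean"
    disable_sudo_includes "$sample" "$sample.clean"
    cat "$sample.clean"
fi
```

Run find_sudo_includes against the file you intend to paste; the cleaned copy produced by disable_sudo_includes is what goes into the editor. Outside the console, standard sudo's own `visudo -c -f <file>` will syntax-check the cleaned copy, but that is sudo's checker, not the console's Error Check, and it is not described on this page.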
The Errors pane is located across the bottom of the Edit Policy view and provides feedback on any syntax errors encountered when you click the Error Check button. You can double-click an error to navigate directly to the line containing the error.
Note: Managing large policy files may affect the policy editor performance. (See Policy Editor Runs Slow for troubleshooting tips.)
Type a text string and click Next or Previous.
© 2023 One Identity LLC. ALL RIGHTS RESERVED.