Enable and Configure Role-Based Policy

Before continuing the deployment, you must first configure policy.

Policy can also be configured after deployment is complete, but if it is already in place, it is synced immediately when the secondary is in place, rather than being re-synced later.

  1. On the left side menu, click Policy.
  2. Using the filtering options (or from the list), select a server (host).
  3. At the right of the server hostname row, click the ellipsis menu icon, and then select Server Details.

In Registry Name Service (RNS) deployments, changes are written only to primaries. If you select a secondary, the policy is not available for editing.

Enable RBP

To enable RBP, click the Settings & Configuration tile.

Click the Quick Actions dropdown and select Configure Endpoint Privilege Management for Unix and Linux Settings.

The Policy Mode can be switched by clicking the blue Enable Role Based Policy button.

On the Endpoint Privilege Management for Unix and Linux Policy Settings page, click Enable Role-Based Policy.

Configure RBP

The Policy tile allows you to manage EPM-UL Role and Script Based Policies.

After you switch modes, select Server Details at the top of the page to configure a policy. Click the Policy tile to access more options.

Add Command Group

Click the What tile to add and edit command groups.

Add a command group when you want to designate a list of commands that are allowed or rejected for a specific set of users.

To add a command group:

  • From the available tiles, click the What tile to move to the Command Groups page.
  • In the Command Groups grid, click Add Command Group to reveal the Command Groups card.

Enter information in the Command Group panel.

  • With the Command Groups card revealed, type the command group name into the Command Group Name field and, optionally, a description into the Command Group Description field.
  • In the Change requested by [loggedInUserName] field, enter a reason for the assignment or change.
  • Click Save to confirm your changes.

Commands are added to a Command Group by entering each item under the Commands section.

  • To delete an individual command, click the Delete icon beside the command.
  • To delete an entire command group, click the Delete button that appears after a command group has been created.

For example, a user may wish to add a list of basic commands consisting of ls, date, whoami, and id. Create a command group called Basic Commands, and add each of these commands to it.

Create New Users

Users and User Groups determine who the role will be applied to.

Next, you must choose users and add a new secure user.

To create a new user:

  • At the top of the page, select Role Based Policy to navigate back to the RBP grid, and then select the Who tile.
  • In the Users grid, click Add User / Group to reveal the dropdown menu.
  • Several user-creation options are available. For this guide, select the Secure User option.

Select the Users and Groups option to freely enter a username in the Username field.

With the Users and Groups card revealed, type the username into the Username field and, optionally, a description into the Description field, and then click Save Changes.

  • The Username field accepts free-form entry.
  • The username is now visible in the Users grid.

A username can be edited or deleted at any time by left-clicking the username in the Users grid.

Create New Roles

Enter information in the Roles panel to apply and modify roles that define core policy behavior.

Finally, create a new role. Make sure to use root as the run user and to use your command group for the commands.

To create a new role:

  • At the top of the page, select Role Based Policy to navigate back to the RBP grid, and then select the Roles tile.
  • From the Roles grid, click Add Role to reveal the expanded Roles card.
  • Create a new role-based policy role, and then click Create to finalize your changes.