Manage Privilege Management for Unix and Linux Policies

The Policy Management section allows the user to create, update, and delete Privilege Management for Unix and Linux policies of the following types:

  • Sudo
  • FIM
  • Script Policy
  • Role Based Policy
  • Privilege Management for Networks

To manage policies, the user must select the Policy Server on which the policy resides, and then choose the type of policy they wish to manage. Hosts can be filtered by Hostname and IP Address. The Policy Server list is made of known Policy Servers with working REST connections. If a server is listed in grey, the server has an unsupported version of Privilege Management for Unix and Linux installed and should be upgraded to enable policy management.

If the host is configured as a client in the Registry Name Service, you must edit policy on the primary registry server.

Role Based vs. Script Based Policies

A Privilege Management for Unix and Linux Policy Server is either in Role Based or Script Based policy mode. A server in Role Based mode only uses role based policy and ignores all script policies. A server in Script Policy mode only uses script policies.

When accessing the Policy Management page for a selected host, the landing page indicates the policy mode the host is using: role based or script. The other policy shows as not configured. As shown in the following screen capture, you can click the configured link to go to Policy Settings and change the policy type.

Host policy management landing page in BeyondInsight for Unix & Linux

Manage Policy Server Mode

To manage a script policy on a server that is in Role Based mode, you can switch the server mode. You can also switch from Script Policy mode to Role Based mode.

Switching modes disables the previously configured mode, and the policies of that mode are no longer available to requesting clients. Policies are not removed when switching modes. This option can be changed at any time.

To manage Policy Server mode:

  1. Go to the Policy Management page.
  2. In the Hostname list, select a server entry.
  3. On the Server Details page, select Quick Actions > Configure Privilege Management for Unix & Linux Settings.
  4. In the Policy Mode section, click Enable Script Based Policy or Enable Role Based Policy to enable the preferred policy mode.

BeyondInsight for Unix & Linux Code Editor

BeyondInsight for Unix & Linux provides an editor component with a number of features to assist with writing code.

  • Syntax highlighting
  • Line numbering
  • Font size control
  • Formatting
  • Find and replace tools
  • Soft wrapping
  • Diff tool

Different toolbar options may be available based on the type of script in the editor. Most of the features are available in the toolbar, and keyboard shortcuts can also be used. The editor is used in the Policy Management section where applicable.

An image of the Script Policy Files editor and available editing options in BeyondInsight for Unix & Linux.

Using the Diff Tool

Use the diff tool to compare different versions of a policy. The policy must have change management turned on and versions of the policy must exist in the database.

To use the diff tool:

  1. Select the policy, then click the Versions toolbar button to compare previous versions.
  2. Select a version to compare. The differences are calculated and highlighted. Change the content in the current policy, if needed.
  3. Click Close Diff Editor.

An image of the Versions option in the policy file editor, including a diff between policy file versions.

Version Control

Some policy types support version control. Each time a policy is changed, its version is incremented. The policy with the highest version is the one that is applied.

For policies that support version control, a Versions menu is available to allow the user to choose a specific version to edit.

Saving a policy, including an older version opened for editing, creates a new highest version, which becomes the active policy. Take this into consideration when saving older versions of the files.

Change Management

BeyondInsight for Unix & Linux allows users to enable Change Management in the console.

If Change Management is not enabled on the selected server, the option to enable change management is available in the console.

Once Change Management is enabled, it cannot be disabled.

To enable Change Management:

  1. Go to the Policy Management page.
  2. In the Hostname list, select a server entry.
  3. On the Server Details page, select Quick Actions > Configure Privilege Management for Unix & Linux Settings.
  4. Click the Enable Change Management button.

An image of Enable Change Management in the Privilege Management for Unix & Linux Policy Settings.