Manage Role Based Policy Roles

The Roles list shows the existing roles. The list is searchable and can be filtered to show Enabled roles, Disabled roles, or all roles. Select Add Role to create a role. To edit an existing role, select an entry in the Roles list and click Edit. To delete an existing role, select an entry in the Roles list and click Delete.

Roles page in BeyondInsight for Unix & Linux

Role Ordering

The order in which role-based policies are applied is set by ordering the roles in the Roles list. Click and drag a role entry up or down in the list to establish the priority order. Changes to the role order are saved automatically.

General

The following options are available:

An image of the Role Based Policy General Details section in BeyondInsight for Unix & Linux.

  • Role name: This should be unique on the policy server.
  • Tag: Add a tag to the role. Once added, tags function as a filter and can be used to sort through policy roles.
  • Description: A brief description to identify the role.
  • Comment: The admin can add a comment here. These are only visible to the admin.
  • Role Risk Level: The perceived risk level of the policy.
  • Request Type: Allows the administrator to specify which request types this policy will apply to. For example, a policy might apply to commands issued only by pbrun invocations. Use the dropdown to select the appropriate request type, or select Any. The default value is to allow any request type.
  • Policy Enabled: Whether or not the role is active (default Enabled).
  • Action: Whether this should trigger an accept or reject action (default Accept).
  • Entitlement Reporting: Whether or not Entitlement Reporting is enabled (default Disabled).

Assignments

Assign allowed users, hosts, commands, and schedule to a role. Each role can have zero to many relationships with each entity type. This is managed using the lists matching the appropriate entity. The following configuration sections are available:

An image of the Role Based Policy Assignments section in BeyondInsight for Unix & Linux.

  • Who: Defines which users the policy applies to. This item is divided into two user types:
    • Submit Users
    • Run Users

    These lists contain the user entities.

    Select Use Default Group and Working Directory to automatically populate the run users in a script block on the Script Policy page. Changing the block properties is not recommended.

  • What: Defines which commands the policy applies to. This list contains the command entities.
  • Where: Defines which hosts the policy applies to. This item is divided into two host types:
    • Submit Hosts
    • Run Hosts

    These lists contain the host entities.

  • When: Defines which schedule the policy applies to. This list contains the schedule entities.

 

Reauthentication

If configured, this feature requires users to reauthenticate themselves when this policy is invoked. Only one reauthentication method can be configured per policy. Most reauthentication options let you customize the prompts and messages shown to the user and the message written to the log. Reauthentication can be enabled in a number of configurations:

  • None: Reauthentication is not required.
  • Shared Secret: Create a shared secret value that the user must provide to reauthenticate. Because it is configured on the policy, it is a single value for everyone the role applies to.
  • PAM: A number of PAM modules can be selected, or a custom one can be provided. Most PAM options also let you configure where the authentication takes place.

To enable reauthentication, choose the Type from the dropdown menu; this opens an editor appropriate to the selected type. To configure this option:

    An image of the Role Based Policy Reauthentication section in BeyondInsight for Unix & Linux.

    1. Use the Type dropdown to select the desired type of reauthentication. Depending on the selected type, fill in the requested information.
    2. Type in a message that prompts the user on how to proceed.
    3. Enter the number of retries allowed before reauthentication fails.
    4. Enter the message the user sees if reauthentication fails.
    5. Enter the message that is recorded in the log when reauthentication fails.
    6. In the Change requested by [loggedInUserName] field, enter a reason for the assignment or change.
    7. Click Save.

     

Messages

An image of the Role Based Policy Messages section in BeyondInsight for Unix & Linux.

Enables the administrator to output a message to the user when this policy is processed. The message can interpolate variables to produce a custom, context-specific text using the PMUL template syntax %<variable>%. Buttons insert the most commonly used variables; values can also be typed in freely.

     

Session Replay

An image of the Role Based Policy Session Replay section in BeyondInsight for Unix & Linux.

Generate a file location for session replay logs and configure Path Options. The Session Replay Location field allows variables in the file name. BIUL provides a template builder to assist with creating the path: select the build option, provide a path to save the file, and select the desired variable options. Values can also be typed in freely.
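The %<variable>% template syntax applies both to the Messages text and to the Session Replay Location path. The following Python is an added example, not BIUL or PMUL code: it expands that placeholder syntax over a constructed set of request values (the variable names user, runuser, submithost and command are assumptions made for the example, not the product's variable list) and, for the replay path, checks that the expanded path still lies inside the intended log directory, since a request-supplied value such as a user name could otherwise carry path separators or ".." components into the file location.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Placeholder syntax described on the page: %<variable>%.
_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand(template: str, values: dict) -> str:
    """Replace every %name% in template with values[name].

    An unknown name raises KeyError rather than expanding to an empty
    string, so a typo in a message or path template is caught when the
    policy is written instead of producing a misleading message or a
    wrong log location at request time.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown template variable %{name}%")
        return str(values[name])

    return _VAR.sub(substitute, template)


def is_contained(path: str, base_dir: str) -> bool:
    """True if the normalized absolute path lies strictly below base_dir."""
    resolved = PurePosixPath(posixpath.normpath(path))
    base = PurePosixPath(posixpath.normpath(base_dir))
    return resolved.is_absolute() and base in resolved.parents


def replay_path(template: str, values: dict, base_dir: str) -> str:
    """Expand a Session Replay Location template and refuse any result
    that escapes base_dir.

    Values such as the submitting user's name come from the request; a
    value containing '/' or '..' would otherwise steer the replay log
    outside the directory the administrator intended.
    """
    path = expand(template, values)
    if not is_contained(path, base_dir):
        raise ValueError(f"replay path {path!r} escapes {base_dir}")
    return posixpath.normpath(path)


# Constructed sample request values. The variable names are assumptions
# made for this example, not a list of the product's actual variables.
SAMPLE = {
    "user": "alice",
    "runuser": "root",
    "submithost": "web01",
    "command": "/usr/bin/systemctl restart nginx",
}

MESSAGE_TEMPLATE = (
    "%user%: running '%command%' as %runuser% on %submithost% has been logged."
)
REPLAY_BASE = "/var/log/pb/replay"
REPLAY_TEMPLATE = REPLAY_BASE + "/%submithost%/%user%-%runuser%.log"


if __name__ == "__main__":
    print(expand(MESSAGE_TEMPLATE, SAMPLE))
    print(replay_path(REPLAY_TEMPLATE, SAMPLE, REPLAY_BASE))

    # A hostile user name carrying path components must be rejected.
    hostile = dict(SAMPLE, user="../../../../etc/cron.d/evil")
    try:
        replay_path(REPLAY_TEMPLATE, hostile, REPLAY_BASE)
    except ValueError as exc:
        print("rejected:", exc)
```

The containment check is deliberately done on the fully expanded path rather than on individual variable values, so it also catches a template that itself points outside the base directory.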

     

Script Policy

An image of the Role Based Policy Script Policy section in BeyondInsight for Unix & Linux.

A configuration area for including a custom script. Enter the script policy into the code editor to set the script content.