Manage Role Based Policy Roles
A list of available roles shows the existing entities. This list is searchable and can be filtered by Enabled, Disabled, or all options. Selecting the Add Role option creates a role. To edit an existing role, select an entry from the Roles list and click Edit. To delete an existing role, select an entry from the Roles list and click Delete.
The order in which role-based policies are applied can be set by ordering the roles in the list of available roles. Click and drag a role entry up or down in the Roles list to establish the priority order. Changes to role order are saved automatically.
The following options are available:
- Role name: This should be unique on the policy server.
- Tag: Add a tag to the role. Once added, tags function as a filter and can be used to sort through policy roles.
- Description: A brief description to identify the role.
- Comment: The admin can add a comment here. These are only visible to the admin.
- Role Risk Level: The perceived risk level of the policy.
- Request Type: Allows the administrator to specify which request types this policy will apply to. For example, a policy might apply to commands issued only by pbrun invocations. Use the dropdown to select the appropriate request type, or select Any. The default value is to allow any request type.
- Policy Enabled: Whether or not the role is active (default Enabled).
- Action: Whether this should trigger an accept or reject action (default Accept).
- Entitlement Reporting: Whether or not Entitlement Reporting is enabled (default Disabled).
Assign allowed users, hosts, commands, and schedule to a role. Each role can have zero to many relationships with each entity type. This is managed using the lists matching the appropriate entity. The following configuration sections are available:
- Who: Defines which users the policy applies to. This item is divided into two user types:
- Submit Users
- Run Users
These lists contain the user entities.
Select Use Default Group and Working Directory to automatically populate the run users in a script block on the Script Policy page. Changing the block properties is not recommended.
- What: Defines which commands the policy applies to. This list contains the command entities.
- Where: Defines which hosts the policy applies to. This item is divided into two host types:
- Submit Hosts
- Run Hosts
These lists contain the host entities.
- When: Defines which schedule the policy applies to. This list contains the schedule entities.
The following reauthentication types are available:
- None: Reauthentication is not required.
- Shared Secret: Create a shared secret value. The user must provide it to reauthenticate.
- PAM: A number of PAM modules can be selected, or a custom one can be provided. Additionally, most options allow the user to configure where the authentication will occur. To enable reauthentication, choose the Type from the dropdown menu; this opens an appropriate editor for the selected type.
To configure this option:
- Use the Type dropdown to select the desired type of reauthentication. Depending on the selected type, fill in the requested information.
- Type in a message to prompt the user on how to proceed.
- Enter the number of retries before reauthentication locks up.
- Enter the message the user sees if reauthentication fails.
- Enter the message that is recorded in the log when reauthentication fails.
- In the Change requested by [loggedInUserName] field, enter a reason for the assignment or change.
- Click Save.
A message field enables the administrator to output a message to the user when this policy is processed. This field can interpolate variables to provide a custom, context-specific message using the PMUL template syntax of %<variable>%. Buttons are available to quickly insert the most popular variables. Values can also be entered freely.
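To make the role ordering, the Who/What/Where matching and the %variable% message interpolation concrete, here is an added Python model; it is not BIUL's own code. It assumes first-match evaluation in list order, a reject when no role matches, and made-up request variable names such as %submituser% and %runhost%; the When (schedule) lists are left out.

```python
import re
from dataclasses import dataclass

# Constructed model of a role: Who (submit/run users), What (commands),
# Where (submit/run hosts), Action and Policy Enabled. Schedule is omitted.
@dataclass
class Role:
    name: str
    submit_users: set
    run_users: set
    commands: set
    submit_hosts: set
    run_hosts: set
    action: str = "accept"   # Action: accept or reject (default Accept)
    enabled: bool = True     # Policy Enabled (default Enabled)
    message: str = ""        # message template using %variable% placeholders

def matches(role, req):
    """True when every Who/What/Where list of the role contains the request's value."""
    return (role.enabled
            and req["submituser"] in role.submit_users
            and req["runuser"] in role.run_users
            and req["command"] in role.commands
            and req["submithost"] in role.submit_hosts
            and req["runhost"] in role.run_hosts)

def render(template, req):
    """Expand %name% placeholders from the request; unknown names are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: str(req.get(m.group(1), m.group(0))), template)

def evaluate(roles, req):
    """Walk roles in list (priority) order; the first match decides (assumed)."""
    for role in roles:
        if matches(role, req):
            return role.action, role.name, render(role.message, req)
    return "reject", None, ""   # nothing matched: reject (assumed default)

# Constructed sample roles and request; all names are made up for the example.
DENY_RM_PROD = Role("deny-rm-prod", {"alice", "bob"}, {"root"}, {"/bin/rm"},
                    {"jump01"}, {"prod-db01"}, action="reject",
                    message="%submituser% may not run %command% on %runhost%")
ADMINS = Role("admins", {"alice", "bob"}, {"root"},
              {"/bin/rm", "/usr/bin/systemctl"}, {"jump01"},
              {"prod-db01", "prod-web01"},
              message="Running %command% as %runuser% on %runhost%")
REQUEST = {"submituser": "alice", "runuser": "root", "command": "/bin/rm",
           "submithost": "jump01", "runhost": "prod-db01"}

# The reject role listed first wins; dragged below ADMINS it would never fire.
DECISION_DENY_FIRST = evaluate([DENY_RM_PROD, ADMINS], REQUEST)
DECISION_ADMINS_FIRST = evaluate([ADMINS, DENY_RM_PROD], REQUEST)
```

Compare the two decisions to see why the position of a narrow reject role in the Roles list matters more than its contents.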
Generate a file location for session replay logs and configure Path Options. The Session Replay Location field allows for the use of variables in the file name. BIUL provides a template builder to assist with creating the path; select the build option, provide a path to save the file, and select the desired variable options. Values can also be entered freely.
A configuration area to include a custom script. Script policy can be entered into the code editor to set the script content.