Role Based Policy Options
These options are not available on EPM-L clients.
The Role Based Policy is held in multiple tables. Each table holds one kind of entity with its attributes, and each entity is referenced by a unique id. Entities are then linked together into a role. When retrieving, updating, or deleting entities, either the name or the id can be used. The command line utility pbdbutil with the option --rbp can be used to retrieve (-g), update (-u), or delete (-d) entities.
When updating, the complete entity, including all of its attributes, must be supplied; a partial record is not merged with the stored one. The REST API uses the same JSON format and parameters, with GET, PUT and DELETE respectively. There are also a number of pseudo-attributes that allow the retrieval of lists based upon the parent grouping. These are:
- usergrpname: list User Lists which correspond to the specified User Group
- hostgrpname: list Host Lists which correspond to the specified Host Group
- cmdgrpname: list Command Lists which correspond to the specified Command Group
- tmdategrpname: list Time/Date Lists which correspond to the specified Time/Date Group
- rolename: list all lists which correspond to the specified Role Group
Usage
pbdbutil --rbp [<options>] [ <file> <file> ...]
-b -m <msg>                | Begin Role Based Policy change transaction
-c                         | Commit Role Based Policy change transaction
-r                         | Rollback Role Based Policy change transaction
   --force -m <msg>        | Force rollback of another user's change transaction
-i <file>                  | Import Role Based Policy file into the database
-e -o <outfile>            | Export Role Based Policy from the database and write it to a file
   -V <ver>                | Used with export: export the specified version
-g { json param }          | Get Role Based Policy database records
-u { json param }          | Update Role Based Policy database records
   -m <msg>                | Specify message; required when change management is enabled
-d { json param }          | Delete Role Based Policy database records
   --force                 | Force deletion of dependent records in the database
   -m <msg>                | Specify message; required when change management is enabled
-n                         | Create new Role Based Policy database
-R { json param }          | Report user entitlements from the database
   -R                      | Add option to display commands
   -R                      | Add option to display time/date restrictions
   -R                      | Add option to display additional role options
-E { json param }          | List user entitlements data from the database, where { json param } is one or more of:
                             "submituser" : "user1"    Specify submit user or wildcard
                             "submithost" : "host1"    Specify submit host or wildcard
                             "runuser" : "user1"       Specify run user or wildcard
                             "runhost" : "host1"       Specify run host or wildcard
                             "command" : "command"     Specify command or wildcard
-L                         | List all Role Based Policy policies in the database
   -t <tag>                | Limit list by tag wildcard
-l                         | List all Role Based Policy versions in the database
pbdbutil --rbp -b -m "<message>"
pbdbutil --rbp -i <file>
pbdbutil --rbp -c
pbdbutil --rbp -g '{ "usergrp" : { "name" : "ug*" }}'
[{"id":1,"name":"ug1","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
pbdbutil --rbp -g '{ "usergrp" : { "id" : "1" }}'
[{"id":1,"name":"ug1","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
Record Entities
- usergrp
- userlist
- hostgrp
- hostlist
- cmdgrp
- cmdlist
- tmdategrp
- tmdatelist
- role
- roleusers
- rolehosts
- rolecmds
- roletmdates
Entities can be listed by the attributes name and id, and by the entity specific attribute names rolename, usergrpname, hostgrpname, cmdgrpname and tmdategrpname.
-g '{ "role" : { "name" : "*" }}'                    Display all Roles
-g '{ "usergrp" : { "name" : "n*" }}'                Display all User Groups which match "n*"
-g '{ "userlist" : { "name" : "usergrp1" }}'         Display group membership for usergrp by name
-g '{ "roleusers" : { "rolename" : "role1" }}'       Display list of usergrps assigned to role
-g '{ "rolehosts" : { "id" : 1 }}'                   Display list of hostgrps assigned to role id 1
Descriptions
-b | This option is mandatory if Role Based Policy transactions are enabled, which is the case when rbptransactions is set to yes. Before any changes can be made the administrator must begin the transaction with a suitable Change Management message. The transaction is then kept open until the same user commits or rolls it back, and it is not visible to the live authorization process until it is committed. Available if Role Based Policy transactions are enabled.
-c | Commit the current open transaction, making it live.
-r [ --force ] | Roll back the current open transaction, discarding any changes that have been made. Available if Role Based Policy transactions are enabled.
-i <file> | Import a Role Based Policy file into the database.
-e -o <outfile> [-V <ver>] | Export the Role Based Policy from the database and write it to a file.
-g { json param } | Retrieve and display attributes of the entities within the Role Based Policy database.
-u { json param } | Update entities and attributes within the Role Based Policy database.
-d { json param } | Delete entities within the Role Based Policy database.
-n | Create a new Role Based Policy database, as specified by the policydb keyword in the /etc/pb.settings configuration file.
-R { json param } | Report user entitlements from the database.
   -R | Add option to display commands.
   -R | Add option to display time/date restrictions.
   -R | Add option to display additional role options.
-E { json param } | List user entitlements data from the database, where { json param } is one or more of:
   "submituser" : "user1"    Specify submit user or wildcard
   "submithost" : "host1"    Specify submit host or wildcard
   "runuser" : "user1"       Specify run user or wildcard
   "runhost" : "host1"       Specify run host or wildcard
   "command" : "command"     Specify command or wildcard
-L | List all Role Based Policy policies in the database.
-l | List all Role Based Policy versions in the database.
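The begin/update/commit sequence above, and the rule that -u must carry the complete entity, are easy to get wrong when scripted: a partial -u payload or a transaction left open after a failed step both leave the policy in a state nobody intended. The following is an added example, not code from the pbdbutil documentation or the product: it reads the entity, merges the change, validates that every attribute shown in this page's examples is present, updates, reads back, and commits, rolling back on any error. It assumes pbdbutil is on PATH and rbptransactions is set to yes; the message is passed on -b only, following the begin/import/commit sequence shown under Usage. The FakePbdbutil class is a constructed stand-in so the flow can be run offline.

```python
"""Added example, not part of the pbdbutil documentation or product code.

Drives `pbdbutil --rbp` to change one group or role entity inside an RBP
transaction. Assumptions: pbdbutil is on PATH, rbptransactions is set to yes
(so -b/-c/-r bracket every change), and the attribute names are the ones in
the record examples on this page. `run` is injectable so the flow can be
exercised offline against the constructed FakePbdbutil below.
"""
import fnmatch
import json
import subprocess

# -u needs the complete entity: a partial payload would drop the other
# attributes. These sets are the attributes shown in the examples on this page.
ENTITY_ATTRS = {
    "usergrp": {"id", "name", "description", "disabled", "single", "type", "extinfo"},
    "hostgrp": {"id", "name", "description", "disabled", "type", "extinfo"},
    "cmdgrp": {"id", "name", "description", "disabled"},
    "tmdategrp": {"id", "name", "description", "disabled"},
    "role": {"id", "name", "rorder", "description", "disabled", "risk",
             "action", "iolog", "script"},
}


def default_run(args):
    """Execute pbdbutil --rbp <args>; return (exit status, stdout)."""
    proc = subprocess.run(["pbdbutil", "--rbp", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def rbp_get(entity, selector, run=default_run):
    """Records matching -g '{ entity : selector }' as a list of dicts."""
    rc, out = run(["-g", json.dumps({entity: selector})])
    if rc != 0:
        raise RuntimeError(f"pbdbutil -g failed ({rc}): {out}")
    return json.loads(out) if out.strip() else []


def check_complete(entity, record):
    """Refuse to build a -u payload that lacks any attribute of the entity."""
    if entity not in ENTITY_ATTRS:
        raise ValueError(f"no attribute set known for entity {entity!r}")
    missing = ENTITY_ATTRS[entity] - set(record)
    if missing:
        raise ValueError(f"{entity} update is missing {sorted(missing)}")
    return record


def update_in_transaction(entity, selector, changes, msg, run=default_run):
    """-b, read the entity, merge `changes`, -u, read back, -c; -r on any failure."""
    rc, out = run(["-b", "-m", msg])
    if rc != 0:
        raise RuntimeError(f"could not begin transaction: {out}")
    try:
        records = rbp_get(entity, selector, run)
        if len(records) != 1:
            raise ValueError(f"{selector} matched {len(records)} records, expected exactly 1")
        new = check_complete(entity, {**records[0], **changes})
        rc, out = run(["-u", json.dumps({entity: new})])
        if rc != 0:
            raise RuntimeError(f"update failed ({rc}): {out}")
        if rbp_get(entity, {"id": new["id"]}, run) != [new]:
            raise RuntimeError("read-back after update does not match the payload")
        rc, out = run(["-c"])
        if rc != 0:
            raise RuntimeError(f"commit failed ({rc}): {out}")
        return new
    except Exception:
        run(["-r"])  # never leave a half-applied transaction open
        raise


class FakePbdbutil:
    """Constructed stand-in for pbdbutil (offline demo only): one in-memory
    usergrp row seeded from the User Group example on this page."""

    def __init__(self):
        self.db = {"usergrp": [{"id": 1, "name": "ug1", "description": "desc",
                                "disabled": 0, "single": 0, "type": "I", "extinfo": None}]}
        self.calls = []

    def run(self, args):
        self.calls.append(list(args))
        if args[0] in ("-b", "-c", "-r"):
            return 0, ""
        (entity, body), = json.loads(args[1]).items()
        rows = self.db.setdefault(entity, [])
        if args[0] == "-g":
            key, val = next(iter(body.items()))
            return 0, json.dumps([r for r in rows if fnmatch.fnmatch(str(r.get(key)), str(val))])
        if args[0] == "-u":
            self.db[entity] = [body if r["id"] == body["id"] else r for r in rows]
            return 0, ""
        return 1, f"unsupported option {args[0]}"


if __name__ == "__main__":
    fake = FakePbdbutil()
    print(update_in_transaction("usergrp", {"name": "ug1"},
                                {"description": "new description"},
                                "CHG-0001 update ug1 description", run=fake.run))
    print([c[0] for c in fake.calls])  # ['-b', '-g', '-u', '-g', '-c']
```

The selector must match exactly one record; a wildcard such as "ug*" that matches several, or a name that matches none, aborts before -u and the transaction is rolled back, so nothing reaches the live authorization process.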
User Group Examples
-g '{ "usergrp" : { "name" : "ug*" }}' [{"id":1,"name":"ug1","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
-g '{ "userlist" : { "usergrpname" : "ug1" }}' [{"id":1,"user":"root"},{"id":1,"user":"adm*"}]
-u '{ "usergrp" : { "id":1,"name":"ug1","description":"new description","disabled":0,"single":0,"type":"I","extinfo":null}}'
-u '{ "userlist" : { "usergrpname":"ug1","user":"wheel"}}'
-d '{ "userlist" : { "usergrpname":"ug1"}}'
-d '{ "userlist" : { "usergrpname":"ug1", "user" : "user1"}}'
Host Group Examples
-g '{ "hostgrp" : { "name" : "hg*" }}' [{"id":1,"name":"hg1","description":"desc","disabled":0,"type":"I","extinfo":null}]
-g '{ "hostlist" : { "hostgrpname" : "hg1" }}' [{"id":1,"host":"host2"},{"id":1,"host":"*.dev.com"}]
-u '{ "hostgrp" : { "id":1,"name":"hg1","description":"new description","disabled":0,"type":"I","extinfo":null}}'
-u '{ "hostlist" : { "hostgrpname":"hg1","host":"host5"}}'
-d '{ "hostlist" : { "hostgrpname":"hg1"}}'
-d '{ "hostlist" : { "hostgrpname":"hg1", "host" : "host1"}}'
Command Examples
-g '{ "cmdgrp" : { "name" : "cg*" }}' [{"id":1,"name":"cg1","description":"desc","disabled":0}]
-g '{ "cmdlist" : { "cmdgrpname" : "cg1" }}' [{"id":1,"cmd":"rm *","rewrite":"echo $*"},{"id":1,"cmd":"/usr/bin/rm *","rewrite":"echo $*"}]
-u '{ "cmdgrp" : { "id":1,"name":"cg1","description":"new description","disabled":0}}'
-u '{ "cmdlist" : { "cmdgrpname":"cg1","cmd":"/bin/rm *","rewrite":"echo $*"}}'
-d '{ "cmdlist" : { "cmdgrpname":"cg1"}}'
-d '{ "cmdlist" : { "cmdgrpname":"cg1", "cmd" : "rm *"}}'
Time/Date Examples
-g '{ "tmdategrp" : { "name" : "td*" }}' [{"id":1,"name":"td1","description":"desc","disabled":0}]
-g '{ "tmdatelist" : { "tmdategrpname" : "td1" }}' [{"id":1,"tmdate" : "{ \"mon\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0], \"tue\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0], \"wed\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0], \"thu\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0], \"fri\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0], \"sat\" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0], \"sun\" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] }"}]
-u '{ "tmdategrp" : { "id":1,"name":"td1","description":"new description","disabled":0}}'
-u '{ "tmdatelist" : { "tmdategrpname":"td1","tmdate":"{ \"range\" : { \"from\" : 1415851283, \"to\": 1415887283 }}"}}'
-d '{ "tmdatelist" : { "tmdategrpname":"td1"}}'
-d '{ "tmdatelist" : { "tmdategrpname":"td1", "tmdate" : "{ \"range\" : { \"from\" : 1415851283, \"to\": 1415887283 }}"}}'
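The tmdate attribute in the examples above is itself a JSON document carried inside the outer JSON parameter as a string, which is why the page shows escaped quotes, and the -d example passes the very same string back. Building that by hand is error prone, so here is an added example (not code from the pbdbutil documentation or the product) that produces the -u/-d parameter for a range entry and decodes it again; the epoch values are the ones shown on the page.

```python
"""Added example, not part of the pbdbutil documentation or product code.

Builds the tmdatelist payloads from the Time/Date examples above. The tmdate
attribute is itself a JSON document carried as a string, so it has to be
encoded twice (hence the \" escapes on the page); the -d example passes that
same string back. The epoch values are the ones shown on the page.
"""
import json
from datetime import datetime, timezone


def range_tmdate(start: datetime, end: datetime) -> str:
    """tmdate string for a from/to window, in UTC epoch seconds."""
    if end <= start:
        raise ValueError("range must end after it starts")
    return json.dumps({"range": {"from": int(start.timestamp()), "to": int(end.timestamp())}})


def tmdatelist_param(grpname: str, tmdate: str) -> str:
    """JSON parameter for -u or -d on tmdatelist; tmdate is nested as a string."""
    return json.dumps({"tmdatelist": {"tmdategrpname": grpname, "tmdate": tmdate}})


def decode_range(param: str):
    """Undo the double encoding: outer JSON first, then the tmdate string."""
    inner = json.loads(json.loads(param)["tmdatelist"]["tmdate"])
    return inner["range"]["from"], inner["range"]["to"]


def example_param() -> str:
    """The page's td1 range (1415851283..1415887283) as a -u/-d parameter."""
    start = datetime.fromtimestamp(1415851283, tz=timezone.utc)
    end = datetime.fromtimestamp(1415887283, tz=timezone.utc)
    return tmdatelist_param("td1", range_tmdate(start, end))


if __name__ == "__main__":
    param = example_param()
    print("pbdbutil --rbp -u", repr(param))
    print(decode_range(param))  # (1415851283, 1415887283)
```

Because the delete form needs the stored tmdate string, keep the exact string you sent with -u (or fetch it with -g on tmdatelist) rather than re-serializing from a datetime, which can differ in whitespace.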
Role Examples
-g '{ "role" : { "name" : "Role*" }}' [{"id" : 0, "name" : "Role5", "rorder" : 3, "description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : "accept;"}, {"id" : 1, "name" : "Role6", "rorder" : 2, "description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : null}, {"id" : 2, "name" : "Role7", "rorder" : 1, "description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : null}]
-g '{ "roleusers" : { "name" : "Role6" }}' [{"id":1,"users":1,"type":"R"},{"id":1,"users":1,"type":"S"}]
-u '{ "role" : {"id":0,"name":"Role5","rorder":3,"description":"Description 4","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":"accept;"}, {"id":1,"name":"Role6","rorder":2,"description":"Desc3","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":null}, {"id":2,"name":"Role7","rorder":1,"description":"Desc3","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":null}'
-u '{ "rolehosts" : { "name" : "Role5", "hostgrpname" : "hostgrp2" , "type" : "S"}}'
-d '{ "roleusers" : { "name":"Role5"}}'
-d '{ "roleusers" : { "name" : "Role5", "usergrpname":"ug1"}}'
For more information on the rbptransactions setting in the /etc/pb.settings configuration file, see Role Based Policy.