Role Based Policy, Change Management Events

There are two different approaches to maintaining the Role Based Policy database. The first, simple method is to access the tables using pbdbutil at the command line. Each change is individual, and instantaneous, and is immediately live. Although for smaller organizations this is adequate, larger organizations have a more controlled procedural access method.

Role Based Policy database change transactions can be enabled using the pb.setting rbptransactions. Once enabled, before changes can be made, the administrator must begin a change transaction, specifying a reason why the change is being made. This is logged and the whole Role Based Policy database is then locked for update - only that administrator can continue to make changes. These changes will NOT be mirrored in the live authorization process and can continue to be made by that administrator alone, and when completed can be committed or rolled back. Once the changes are committed they are all applied to the database as one update, and a change management event is generated. If the changes are rolled back, they are discarded and nothing changes.

If, for whatever reason, a change transaction is begun, and the administrator leaves it open and fails to close the transaction, any other administrator with access can force the rollback of the changes. Once again, this requires a reason specifying, and logs a change management event. The change transactions are necessary once the GUI policy updates are implemented to force database integrity. See the section below for Change Transaction Command Line options.

To enable the logging of change management events each client needs the pb.setting changemanagementeventsm yes and log servers will need to defined the eventdb <path> and need the REST pbrest service running.

The following settings are used and need to be set when Role Based Policy and Change management is implemented and used:

policydb <path>

  • The path to the Role Based Policy Database.
  • There is no default for this setting.

pbresturi <string>

  • The partial REST url string between the hostname and /REST.
  • There is no default for this setting.

pbrestport <port#>

  • The REST port.
  • Default value is the base port + 6.

rolebasedpolicy <yes/no>

  • Enabled/Disable Role Based Policy checking.
  • The default is no.

eventdb <path>

  • The path to the Change Management Event Database.
  • There is no default for this setting.

rbptransactions <yes/no>

  • Enable the use of Role Based Policy Transactions to ensure integrity.
  • The default is no.

changemanagementevents <yes/no>

  • Enable/Disable the logging of Change Management Events when maintaining databases.
  • The default is no.

pbresttimeskew <num>

  • The maximum time in seconds that hosts are mis-matched by (it is recommended that the customer uses a time synchronization service).
  • The default is 60 seconds.