Endpoint Privilege Management for Unix and Linux Policy Language Guide

This guide provides detailed information regarding the security policy file programming language for the BeyondTrust Endpoint Privilege Management for Unix and Linux (EPM-UL) software. This language is used to create security policy files that are used by EPM-UL to:

  • Control the tasks a user or group of users may perform
  • Control the systems from which a task may be submitted
  • Control the systems from which a task may be run
  • Determine when a specific task may be run (day and time)
  • Determine where a task may be run from
  • Determine if secondary security checks, such as passwords or checksums, are required to run a task
  • Determine if one or more supplemental security programs are run before a task is started
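The following policy fragment is an added example, not one of the product's sample files or text from this guide. It exercises several of the controls listed above in one rule: who may run a task (group membership), where it may be submitted from and run on, when (weekday business hours), which account it runs under, and a secondary password check before it starts. The variable and function names (user, getgroups, command, submithost, runhost, runuser, runconfirmuser, dayname, timebetween, accept, reject) are EPM-UL policy language names as this editor understands them; the host names, group name and script path are constructed placeholders.

```text
# Added example: restrict a backup script to one administrative group,
# one submit host, one run host, and business hours on weekdays.
# Host names, group name and script path are constructed placeholders.

if ("dbadmins" in getgroups(user) &&
    command == "/usr/local/bin/db-backup" &&
    submithost == "jump01.example.com" &&
    runhost == "db01.example.com" &&
    dayname in {"Mon", "Tue", "Wed", "Thu", "Fri"} &&
    timebetween(800, 1800)) {

    # Run the script as the database service account, not as root.
    runuser = "dbsvc";

    # Secondary check: the submitting user must re-enter their own
    # password on the run host before the task is started.
    runconfirmuser = user;

    accept;
}

# Anything not explicitly accepted above is refused. Ending the policy
# with an unconditional reject makes the default decision explicit.
reject;
```

Every condition in the rule is conjunctive, so a request that matches the user and command but arrives from a different submit host, or outside the time window, falls through to the final reject rather than being partially granted.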

This guide assumes that you have a basic understanding of Unix or Linux system administration and some experience with a scripting or other computer language. We recommend that you have experience in these areas before you attempt to create or modify security policy files.

Endpoint Privilege Management for Unix and Linux, or EPM-UL, refers to the product formerly known as PowerBroker for Unix and Linux.

Specific font and line spacing conventions are used to ensure readability and to highlight important information, such as commands, syntax, and examples.

The BeyondInsight integration for Endpoint Privilege Management for Unix and Linux is no longer supported. Instead, EPM-UL uses BeyondInsight for Unix & Linux and ElasticSearch.

Both pbguid and pbsguid are deprecated as of EPM-UL version 22.3.0.

Sample Policy Files

When you install EPM-UL, you can choose to copy sample EPM-UL policy files to the installation host. These sample policy files include detailed explanations of what they do. You can use these files to learn how policy files are typically written for various scenarios. The directory that these sample files are copied to is determined by the GUI library directory option that you specify during installation. By default, this directory is /usr/local/lib/pbbuilder. A readme_samples text file in that directory includes a brief description of each sample file.