6.1.6 Advanced Configurations

Access Control assigns permissions to users based on their role. It provides granular control and offers a simple, manageable approach to access management that is less prone to error than assigning permissions to users individually.

Roles simplify administration because users are not managed individually: each user receives the privileges that the permissions assigned to their role (or roles) grant.

The following configuration options are provided to assist you with Access Control configuration and management:

Application Command List

For Windows and Linux/Unix agents, rather than elevating the user's entire session, you can elevate privileges only for specific applications, for example a command prompt, a database (SQL) client, or any other application that needs granular permissions.

For agentless sessions, which are elevated sessions over SSH or Telnet, you can restrict what the user is able to run. Command lists are straightforward to configure because wizards guide you through the steps.

The following procedure adds the commands that you want to allow or deny.

  1. Create a command list.

    1. Go to Access Control > Configuration > Application Command List.

    2. Click New List > Create New List.

    3. Enter the Name and, optionally, a Description.

    4. Select the List Type: Windows or Linux.

    5. Click Create.

  2. Add the commands that you want to allow or deny.

  3. Set the Risk Score to one of the following levels:

    • Undefined

    • Low

    • Medium

    • High

  4. Go to Credential Vault and select either Linux/Unix Network Device or Windows, as applicable.

  5. Select the resource (the vault) on which you want to enforce the allow/deny commands.

  6. Create a Resource Pool under Access Control > Resource Pools. For more information, see Section 6.1.2, Configuring Resource Pools.

  7. Create a User Role, selecting users from Local User, Agent User, or LDAP User. For more information, see Section 6.1.3, Configuring User Roles.

  8. Create an Assignment that delegates the necessary permissions.

  9. On the Command List page, add the command list you created under the Configuration tab and specify whether that set of commands is allowed or denied.

  10. Click Finish > Save.

If you log into the target machine and run the commands, the commands you denied fail with a "permission denied" error. Test both a denied command and an allowed one, so that you confirm the list is applied to the session rather than merely that a command failed. Bear in mind that a deny list only blocks the commands you remembered to add; where the user's tasks are well defined, an allow list is the safer choice.

You can view the risk details in Reports > All Sessions Details > Keystrokes.
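The manual check above (run each listed command in the session and expect "permission denied" for the denied ones) can be scripted so it is repeated after every change to the list. The following is an added example for this page, not code from the product: the "permission denied" text and the allow/deny vocabulary are taken from the procedure, while the runner interface, the verdict mapping and the constructed sample session below are assumptions made for illustration.

```python
"""Verify an Application Command List from inside a PAM session.

Added example (not the product's own code). It replays the check described
in the procedure: run each configured command and compare the observed
result with the allow/deny verdict that was configured for it.
"""
import subprocess

DENIED_MARKER = "permission denied"   # text the page says a denied command returns


def run_in_session(command):
    """Default runner: execute in the current (elevated) shell and return
    (exit code, combined stdout/stderr). shell=True is intentional: the
    strings come from the list being tested, typed by the tester."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def observed_verdict(exit_code, output):
    """Map a command's result onto the list semantics.

    Caveat: the operating system itself can print 'permission denied'
    (e.g. reading /etc/shadow as a non-root user), so test denied commands
    that the OS would otherwise let the session user run; otherwise an OS
    refusal masks a list that is not being applied at all."""
    return "deny" if DENIED_MARKER in output.lower() else "allow"


def verify_command_list(expected, run=run_in_session):
    """expected: {command: 'allow' | 'deny'} as configured in the list.

    Returns [(command, configured, observed)] for every command whose
    observed verdict disagrees with the configuration; an empty list means
    the session behaves exactly as the list says."""
    mismatches = []
    for command, verdict in expected.items():
        if verdict not in ("allow", "deny"):
            raise ValueError(f"{command!r}: verdict must be 'allow' or 'deny'")
        exit_code, output = run(command)
        seen = observed_verdict(exit_code, output)
        if seen != verdict:
            mismatches.append((command, verdict, seen))
    return mismatches


# Constructed stand-in for a real session so the example runs offline
# (assumption): rm and shutdown are denied, everything else runs.
def fake_session(command):
    program = command.split()[0]
    if program in ("rm", "shutdown"):
        return 1, f"bash: {program}: permission denied\n"
    return 0, "ok\n"


# Constructed list: 'cat /etc/hosts' is configured as denied but the
# (fake) session still runs it, which is exactly the gap the check should find.
CONFIGURED_LIST = {
    "id": "allow",
    "ls -l /tmp": "allow",
    "rm -rf /tmp/scratch": "deny",
    "shutdown -h now": "deny",
    "cat /etc/hosts": "deny",
}

if __name__ == "__main__":
    # Replace run=fake_session with the default to test a live session.
    for command, configured, observed in verify_command_list(CONFIGURED_LIST, run=fake_session):
        print(f"MISMATCH {command!r}: configured {configured}, session says {observed}")
```

Run it from within the elevated session (with the default runner) as the user whose role carries the assignment; a non-empty result means the list and the session disagree and the assignment or the list contents need another look.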

Enhanced Access Control

An Enhanced Access Control (EAC) policy can be defined at the Permission level, or as an individual EAC object under Access Control that is then associated with a Permission.

EAC provides granular risk scores. Previously a risk score could be defined only per path (file or folder); now a separate risk score can be defined for each operation (read, write, delete, execute) on a given path. EAC policies are evaluated sequentially, and when rules conflict the first one takes priority, so place the more specific or more restrictive rule before the broader one that would otherwise match first.

The Enhanced Access Control functionality includes the following four categories:

  • File and Directory Level Access

  • Application Process Control

  • Registry Access

  • Services Start/Stop Control

The earlier Command Control functionality was limited to Linux/Unix; Enhanced Access Control also supports Windows.
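Because the first matching rule wins, the order of the path rules in a policy is part of the policy. The following added example (written for this page, not the product's policy engine) models that: an ordered list of path rules, each with its own permitted operations and per-operation risk scores, evaluated top to bottom, plus a lint that reports rules an earlier rule already covers. The operations, risk levels, list types and first-match ordering come from the page; treating a directory rule as covering its children, the "no rule matched" result and the sample policies are assumptions.

```python
"""Model of Enhanced Access Control path rules: per-operation permissions and
risk scores, evaluated in order with the first matching rule taking priority.

Added example for this page; it is not the product's policy engine.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath

OPERATIONS = ("read", "write", "delete", "execute")
RISK_LEVELS = ("Undefined", "Low", "Medium", "High")
LIST_TYPES = ("Windows", "Linux")


@dataclass(frozen=True)
class PathRule:
    path: str                 # file or directory on the target; a directory rule also covers its children (assumption)
    allow: frozenset          # operations permitted on this path; any other operation is denied
    risk: dict                # operation -> risk level; unset operations report "Undefined"


@dataclass(frozen=True)
class Decision:
    allowed: bool | None      # None: no rule matched, so the product's default applies (assumption)
    risk: str
    rule_index: int | None


@dataclass
class EacPolicy:
    name: str
    list_type: str            # "Windows" (case-insensitive paths) or "Linux"
    rules: list               # ordered; evaluated top to bottom

    def __post_init__(self):
        if self.list_type not in LIST_TYPES:
            raise ValueError(f"list type must be one of {LIST_TYPES}")
        for rule in self.rules:
            bad_ops = (set(rule.allow) | set(rule.risk)) - set(OPERATIONS)
            if bad_ops:
                raise ValueError(f"{rule.path}: unknown operations {sorted(bad_ops)}")
            bad_risk = set(rule.risk.values()) - set(RISK_LEVELS)
            if bad_risk:
                raise ValueError(f"{rule.path}: unknown risk levels {sorted(bad_risk)}")

    def _pure(self, path):
        # PureWindowsPath compares case-insensitively, PurePosixPath exactly.
        return PureWindowsPath(path) if self.list_type == "Windows" else PurePosixPath(path)

    def _covers(self, rule, target):
        # Component-wise match, not a string prefix: /etc covers /etc/shadow but not /etcd.
        rule_path, target_path = self._pure(rule.path), self._pure(target)
        return target_path == rule_path or rule_path in target_path.parents

    def evaluate(self, target, operation):
        """Decision of the first rule that covers the target path."""
        if operation not in OPERATIONS:
            raise ValueError(f"operation must be one of {OPERATIONS}")
        for index, rule in enumerate(self.rules):
            if self._covers(rule, target):
                return Decision(operation in rule.allow, rule.risk.get(operation, "Undefined"), index)
        return Decision(None, "Undefined", None)

    def shadowed_rules(self):
        """Indices of rules that never fire because an earlier rule already covers their path."""
        return [j for j, later in enumerate(self.rules)
                if any(self._covers(earlier, later.path) for earlier in self.rules[:j])]


# Constructed sample policies (not from the page).
SECRETS_RULE = PathRule(r"C:\Data\Secrets", frozenset({"read"}),
                        {"read": "High", "write": "High", "delete": "High"})
DATA_RULE = PathRule(r"C:\Data", frozenset({"read", "write", "delete"}),
                     {"write": "Low", "delete": "Medium"})
AUDIT_RULE = PathRule(r"C:\Data\Secrets\audit.log", frozenset({"read", "write"}), {})

WINDOWS_POLICY = EacPolicy("finance-share", "Windows", [SECRETS_RULE, DATA_RULE, AUDIT_RULE])
LINUX_POLICY = EacPolicy("web-host", "Linux", [
    PathRule("/etc", frozenset({"read"}), {"write": "High", "delete": "High"}),
    PathRule("/var/log/app", frozenset({"read", "write"}), {"delete": "Medium"}),
])

if __name__ == "__main__":
    for target, op in [(r"C:\Data\report.docx", "write"),
                       (r"c:\DATA\Secrets\keys.pfx", "write"),
                       (r"D:\Other\file.txt", "read")]:
        print(target, op, WINDOWS_POLICY.evaluate(target, op))
    # AUDIT_RULE sits under SECRETS_RULE, so it can never be reached.
    print("shadowed rules:", WINDOWS_POLICY.shadowed_rules())
```

The model takes the conservative reading of "the first one takes priority": the first rule covering a path decides every operation on it. If your deployment instead lets a later rule fill in operations an earlier rule is silent on, the shadowing report still tells you which rules depend on that behaviour, which is worth knowing before you rely on them.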

Enhanced Access Control on Windows

This capability controls users' file and directory permissions on a per-session basis. An administrator specifies a list of paths, and each path carries its own access controls: Read, Write, and Delete.

Procedure to create an EAC policy on Windows:

  1. Click Access Control > Configuration > Enhanced Access Control > New Policy.

  2. Specify the Name.

  3. (Optional) Specify the Description.

  4. Select the List Type as Windows.

  5. Click Create.

  6. Click Add Path and enter a path that exists on the target machine. Edit the path rule to set the appropriate permissions on that path and, if you want, associate a risk score with each operation.

  7. Click Save.

  8. Create Resource Pool. For more information see, Section 6.1.2, Configuring Resource Pools.

  9. Create User Role. For more information, see Section 6.1.3, Configuring User Roles.

  10. Create an assignment that associates the Resource Pool with the User Role, and in its permissions click Enhanced Access Control.

  11. Click Add > Add EAC Policy. The Windows policy is displayed.

  12. Select the Policy and click Add.

  13. Click Finish. The permission is created.

  14. Log into a Windows machine and navigate to the folder you specified in the path rule. Verify that the permissions you configured are enforced.

You can view the risk details in Reports > All Sessions Details > Keystrokes.

Enhanced Access Control on Linux/Unix

For more information about Enhanced Access Control on Linux and Unix machines, see Enhanced Access Control.

  1. Click Access Control > Configuration > Enhanced Access Control > New Policy.

  2. Specify the Name.

  3. (Optional) Specify the Description.

  4. Select the List Type as Linux.

  5. Click Create.

  6. Click Add Path and enter a path that exists on the target machine. Edit the path rule to set the appropriate permissions on that path and, if you want, associate a risk score with each operation.

  7. Click Save.

  8. Create Resource Pool. For more information see, Section 6.1.2, Configuring Resource Pools.

  9. Create User Role. For more information, see Section 6.1.3, Configuring User Roles.

  10. Create an assignment that associates the Resource Pool with the User Role, and in its permissions click Enhanced Access Control.

  11. Click Add > Add EAC Policy. The Linux policy is displayed.

  12. Select the Policy and click Add.

  13. Click Finish. The permission is created.

  14. Log into a Linux/Unix machine and navigate to the directory you specified in the path rule. Verify that the permissions you configured are enforced.

You can view the risk details in Reports > All Sessions Details > Keystrokes.

Scripts

You can use Perl scripts to add customized functionality, subject to the relevant permissions. Scripts can be organized into a single-level folder structure.

Creating a Script

  1. On the home page of the console, click Access Control.

  2. In the navigation pane, click Configurations > Scripts.

  3. In the details pane, click +Script. The Create New Script page is displayed with the Name, Description, and Script fields.

    • Name: Specify the name of the script.

    • Description: Add a description of the script.

    • Script: Enter the script, then click Create.

  4. You can add this script to a folder.

Creating a Folder for Scripts, Enhanced Access Control, and Application Command List

NOTE: You can create a folder and associate objects with it.

  1. On the home page of the console, click Access Control.

  2. In the navigation pane, click Configurations > Scripts.

  3. On the left side of the details pane, click a specific script.

  4. Click the folder icon.

    The Create New Folder dialog is displayed.

  5. Enter a folder Name. Click Create.

  6. You can move existing scripts to this folder by selecting the script and clicking Move.

    NOTE: You cannot delete a folder that is associated with a Command list, EAC policy, or script.

Editing the Folder

  • Click the edit icon next to a folder to edit the folder name, then click Save.

NOTE: You cannot modify the folder type, but you can enable or disable the script.