This section anticipates likely questions and provides a concise answer to each.
I am using the special all-realms membership (*), but time ranges are not being honored; why?
The * match marks the computer object as a member of all realms and also implies that it is a "super-user". An object with super-user access can perform all operations, so the authorization subsystem always allows the requested operation regardless of any time restrictions or access restrictions. In other words, a super-user realm can do anything: connect anywhere, look up anything, and so on. Time ranges are therefore never consulted for such an object. Note that each use of the super-user type is audited with a warning in the system application log, so the log is the place to confirm that this is what is happening.
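The following is an added, illustrative model of the behaviour described above; it is not the product's own authorization code, and the names (Membership, authorize, simulate, the sample realms "finance", "hr" and "ops") are assumptions made for the example. It shows why a time window is ignored once the "*" membership is present: the super-user check runs before any realm or time-window matching, and the grant is recorded as a warning in an audit list rather than denied.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical model of realm membership for a computer object. This is
# example code, not the product's authorization subsystem.

SUPER_USER_REALM = "*"   # the special all-realms membership


@dataclass(frozen=True)
class Membership:
    realm: str              # realm this computer object is a member of
    operations: frozenset   # operations permitted in that realm
    windows: tuple = ()     # (start, end) time pairs; () means any time


def in_time_window(now: datetime, windows) -> bool:
    """True if `now` falls inside any window; a window may wrap midnight."""
    if not windows:
        return True
    t = now.time()
    for start, end in windows:
        if start <= end:
            if start <= t <= end:
                return True
        elif t >= start or t <= end:      # e.g. 22:00 to 06:00
            return True
    return False


def authorize(memberships, realm: str, operation: str, now: datetime, audit: list):
    """Return (allowed, reason). The super-user check short-circuits everything else."""
    for m in memberships:
        if m.realm == SUPER_USER_REALM:
            # Mirrors the documented behaviour: '*' grants the operation and the
            # use is audited with a warning instead of being restricted.
            audit.append(f"WARNING: super-user realm '*' used for '{operation}' "
                         f"on realm '{realm}' at {now:%H:%M}")
            return True, "super-user"
    for m in memberships:
        if m.realm != realm or operation not in m.operations:
            continue
        if not in_time_window(now, m.windows):
            return False, "outside time window"
        return True, f"rule for realm '{realm}'"
    return False, "no matching membership"


def simulate(memberships, scenarios, audit=None):
    """Dry-run (realm, operation, datetime) scenarios; returns one row per scenario."""
    audit = [] if audit is None else audit
    return [(realm, op, when.strftime("%H:%M"), *authorize(memberships, realm, op, when, audit))
            for realm, op, when in scenarios]


# Constructed sample data: business-hours access to "finance", night shift for "ops".
BUSINESS_HOURS = ((time(9, 0), time(17, 0)),)
NIGHT_SHIFT = ((time(22, 0), time(6, 0)),)
RESTRICTED = [
    Membership("finance", frozenset({"connect", "lookup"}), BUSINESS_HOURS),
    Membership("ops", frozenset({"connect"}), NIGHT_SHIFT),
]
# The same object after the '*' membership has been added to it.
WITH_SUPER_USER = RESTRICTED + [Membership(SUPER_USER_REALM, frozenset())]

SCENARIOS = [
    ("finance", "connect", datetime(2014, 6, 2, 10, 30)),   # inside window
    ("finance", "connect", datetime(2014, 6, 2, 22, 0)),    # outside window
    ("hr", "connect", datetime(2014, 6, 2, 10, 30)),        # no membership
    ("ops", "connect", datetime(2014, 6, 2, 23, 0)),        # inside wrapped window
    ("ops", "connect", datetime(2014, 6, 2, 12, 0)),        # outside wrapped window
]

if __name__ == "__main__":
    for label, memberships in (("restricted", RESTRICTED), ("with '*'", WITH_SUPER_USER)):
        audit = []
        for row in simulate(memberships, SCENARIOS, audit):
            print(label, row)
        for line in audit:
            print(label, line)
```

Running it with the restricted memberships denies the two out-of-window requests and the unknown realm; with the "*" membership every scenario is allowed and every decision produces a warning line, which is the pattern to look for in the system application log when time ranges appear to be ignored.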
Is there a way I can check rules before I apply them?
Yes. Use the ENC utility command encUtilCmd with its 'verify' command. This lets you simulate all of the events listed previously against a rule set before you apply it. Refer to the encUtilCmd reference guide for detailed instructions on how to use the utility.
I have to create a lot of rules! Is there a simpler way?
Again, yes: use the ENC utility command encUtilCmd. Its 'create' command generates a rule set for multiple realms and defines a basic set of rules that reflects the approach described in this section. You can also generate a test script at the same time, which verifies all of the created rules using simulated identities. You can then modify the generated rules to use the real security identities and tailor other areas to your specific requirements.
Copyright © 2014 CA Technologies.
All rights reserved.