Creating and deploying a policy that defines a variable lets you define the same variable on many endpoints.
To create a policy that defines a variable
editres ACVAR ("variable_name") value("variable_value")
Note: You must define each variable in the policy before you refer to it in a subsequent rule in the policy. Use the following format to refer to the variable: "<!variable>"
Example: Create a Policy That Defines a Variable
In this example, the following policy defines a variable named jboss_home that has a value of /opt/jboss, and creates a rule that authorizes user Mark to access any resource in the /opt directory when the access is made through JBoss.
editres ACVAR ("jboss_home") value("/opt/jboss")
authorize FILE /opt/* uid(Mark) access(all) via(pgm("<!jboss_home>/jboss"))
When the endpoint compiles the policy, it creates the following rule:
authorize FILE /opt/* uid(Mark) access(all) via(pgm(/opt/jboss/jboss))
Example: Create a Policy That Defines Multiple Variable Values
The following policy defines a variable named jboss_home that has a value of C:\JBoss, adds the C:\Program Files\JBoss value to the jboss_home variable, and creates an access rule:
editres ACVAR ("jboss_home") value("C:\JBoss")
editres ACVAR ("jboss_home") value+("C:\Program Files\JBoss")
editres FILE ("<!jboss_home>\bin") defacc(none) audit(a)
When the endpoint compiles the policy, it creates the following rules:
editres FILE ("C:\JBoss\bin") defacc(none) audit(a)
editres FILE ("C:\Program Files\JBoss\bin") defacc(none) audit(a)
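The following Python sketch is an added example, not code from the product or its documentation. It models the substitution shown above so that you can preview which rules a policy yields, and catch a reference to a variable that no earlier line defines, before you deploy the policy. It is a plain textual model that assumes value() sets a variable and value+() adds a value; the function name expand_policy and the variable tomcat_home are hypothetical.

```python
import re
from itertools import product

# Simplified textual model of the expansion shown on this page; not the product's parser.
ACVAR_RE = re.compile(
    r'editres\s+ACVAR\s*\(\s*"([^"]+)"\s*\)\s*value(\+?)\(\s*"([^"]*)"\s*\)', re.I)
REF_RE = re.compile(r'<!([^>]+)>')

def expand_policy(lines):
    """Return (rules, errors): the rules after variable substitution, and
    (line number, names) for references to variables not yet defined."""
    variables, rules, errors = {}, [], []   # variables: name -> list of values
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        m = ACVAR_RE.fullmatch(line)
        if m:
            name, plus, value = m.groups()
            if plus:        # value+(...) adds a value to the variable
                variables.setdefault(name, []).append(value)
            else:           # assumption: value(...) sets a single value
                variables[name] = [value]
            continue
        refs = list(dict.fromkeys(REF_RE.findall(line)))   # unique, in order
        missing = [r for r in refs if r not in variables]
        if missing:         # the variable must be defined before it is used
            errors.append((lineno, missing))
            continue
        # One output rule per combination of values of the referenced variables.
        for combo in product(*(variables[r] for r in refs)):
            rule = line
            for name, value in zip(refs, combo):
                rule = rule.replace(f"<!{name}>", value)
            rules.append(rule)
    return rules, errors

# Constructed input: the multiple-value policy from this page, plus one rule
# that refers to a variable (tomcat_home, hypothetical) that is never defined.
POLICY = [
    r'editres ACVAR ("jboss_home") value("C:\JBoss")',
    r'editres ACVAR ("jboss_home") value+("C:\Program Files\JBoss")',
    r'editres FILE ("<!jboss_home>\bin") defacc(none) audit(a)',
    r'editres FILE ("<!tomcat_home>\conf") defacc(none) audit(a)',
]

if __name__ == "__main__":
    rules, errors = expand_policy(POLICY)
    print(*rules, *errors, sep="\n")
```

A rule that lands in the errors list would not produce the intended protection, so review that list before deployment.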
Example: Use Variables to Deploy the Same Policy to Windows and UNIX Endpoints
The following example explains how you can use variables to deploy the same JBoss policy to Windows and UNIX endpoints, despite the different JBoss installation location on each operating system. This example defines two jboss_home variables that define the JBoss installation location for each operating system:
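Windows endpoint:
editres ACVAR ("jboss_home") value("C:\JBoss")
UNIX endpoint:
editres ACVAR ("jboss_home") value("/opt/jboss")
The policy contains the following rule:
editres FILE "<!jboss_home>" defacc(none) audit(all)
When the Windows endpoint compiles the policy, it creates the following rule:
editres FILE "C:\JBoss" defacc(none) audit(all)
When the UNIX endpoint compiles the policy, it creates the following rule:
editres FILE "/opt/jboss" defacc(none) audit(all)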
Copyright © 2013 CA Technologies.
All rights reserved.