

policydeploy -assign Function—Assign or Unassign a Policy

This function assigns or unassigns the specified policy to one or more hosts or host groups.

This function has the following format:

policydeploy -assign[-] name -hnode|-ghnode list [-dms list]

-assign name

Assigns the specified policy to one or more hosts or host groups.

-assign- name

Unassigns the specified policy from one or more hosts or host groups.

-dms list

(Optional) Specifies a comma-separated list of DMS nodes to use. When you deploy or undeploy a policy, these are the DMS nodes to which the action is reported. When you store a policy, these are the DMS nodes where the policy is stored.

If you do not specify DMS nodes with this option, the utility uses the list of DMS nodes specified in the local CA ControlMinder database. To specify a list of DMS nodes in the database, you need to issue the following selang command after you create a new DMS using dmsmgr:

so dms+(new_dms_name)

Note: You need to issue the same command if you did not specify the DMS node during installation, or if you want to replace or add the registered DMS on the endpoint. However, if you choose to create an advanced policy management server during installation, the DMS is added to the database and you do not need to run the above command manually.

-ghnode list

Defines a comma-separated list of host groups (GHNODE objects) that you want to assign the policy to or unassign it from.

-hnode list

Defines a comma-separated list of hosts (HNODE objects) that you want to assign the policy to or unassign it from.

Example: Assign an IIS 5 Protection Policy

The following example shows you how to assign a policy for securing Internet Information Services (IIS) 5 web servers. We review the IIS5 policy and its latest (fourth) version, and then assign the policy to a host group called IIS5Servers. Policy IIS5 is stored on the crDMS@cr_host.company.com DMS node.

  1. Connect to the DMS using selang:
    hosts crDMS@cr_host.company.com

    You can now query our DMS via selang.

  2. If you are not sure which version of the policy is the latest finalized version, issue the following selang command to find all versions of the policy:
    sr GPOLICY IIS5

    The selang window lists the properties of the IIS5 policy, including the Final Policy, which is the latest version of the policy that you can assign (finalized).

  3. Issue the following selang command to view the policy deployment and undeployment scripts:
    sr RULESET IIS5#04

    The selang window displays the IIS5#04 RULESET object, including the deployment and undeployment rules that relate to the fourth version of the IIS5 policy.

  4. In a command prompt window, run the policydeploy utility:
    policydeploy -assign IIS5 -ghnode IIS5Servers

    This assigns the IIS5 policy to all hosts in the IIS5Servers logical host group, and in turn deploys the fourth version of the IIS5 policy on these hosts.

Example: Unassign an IIS 5 Protection Policy

The following example shows you how to unassign an assigned IIS 5 policy from the web servers that we assigned it to in the previous example.

In a command prompt window, run the policydeploy utility:

policydeploy -assign- IIS5 -ghnode IIS5Servers

This unassigns the IIS5 policy from all hosts in the IIS5Servers logical host group, and in turn undeploys the version of the IIS5 policy that is deployed on these hosts.
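
The following shell function is an added example, not part of the product documentation. It builds (but does not run) an assign or unassign command line from the syntax shown above, so that a change can be reviewed before it is deployed. The function names, the allowed character set for names, and the rule that exactly one of -hnode or -ghnode is given per call are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a policydeploy -assign / -assign- command line for review.
# Assumption: names use only letters, digits, "_", ".", "@" and "-".

# valid_list LIST: succeeds if LIST is a comma-separated list of safe names.
valid_list() {
    case "$1" in
        ''|,*|*,|*,,*) return 1 ;;        # empty list or empty item
        -*|*,-*) return 1 ;;              # item would be read as an option
        *[!A-Za-z0-9_.@,-]*) return 1 ;;  # character outside the allowed set
    esac
    return 0
}

# build_policydeploy_cmd ACTION POLICY KIND LIST [DMS_LIST]
#   ACTION: assign | unassign      KIND: hnode | ghnode
build_policydeploy_cmd() {
    action=${1-} policy=${2-} kind=${3-} list=${4-} dms=${5-}
    case "$action" in
        assign)   flag='-assign' ;;
        unassign) flag='-assign-' ;;     # trailing "-" unassigns
        *) echo "action must be assign or unassign" >&2; return 2 ;;
    esac
    case "$kind" in
        hnode|ghnode) ;;
        *) echo "target kind must be hnode or ghnode" >&2; return 2 ;;
    esac
    case "$policy" in
        *,*) echo "exactly one policy name is expected" >&2; return 2 ;;
    esac
    valid_list "$policy" || { echo "invalid policy name" >&2; return 2; }
    valid_list "$list"   || { echo "invalid -$kind list" >&2; return 2; }
    cmd="policydeploy $flag $policy -$kind $list"
    if [ -n "$dms" ]; then               # -dms is optional
        valid_list "$dms" || { echo "invalid -dms list" >&2; return 2; }
        cmd="$cmd -dms $dms"
    fi
    printf '%s\n' "$cmd"
}

# The two commands from the examples above, printed for review.
build_policydeploy_cmd assign   IIS5 ghnode IIS5Servers
build_policydeploy_cmd unassign IIS5 ghnode IIS5Servers
```

Rejecting empty items and names that begin with "-" keeps a malformed host list from being read as an additional option or as a different set of targets.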