- You cannot delete a variable that is used by another variable or by a policy.
- Variables can have multiple values. You can add and remove variable values.
- Variables can be nested. For example, the following rule defines a variable named ac_data that contains the built-in <!AC_ROOT_PATH> variable:
editres ACVAR ac_data value("<!AC_ROOT_PATH>\data")
When a Windows endpoint with a default CA ControlMinder installation compiles this rule, it creates the following rule:
editres ACVAR ac_data value("C:\Program Files\CA\AccessControl\data")
- Each variable can have only one type. For example, you cannot define a variable that is both a static variable and a registry value variable.
- You cannot deploy a policy that contains an undefined variable. If you deploy a policy with an undefined variable, CA ControlMinder changes the deployment status of the policy to Deploy Pending. To deploy the policy, you must define the undefined variable and redeploy the policy.
Note: To discover which variable in the policy is undefined, review the DEPLOYMENT object for the policy. CA ControlMinder checks for undefined variables regardless of whether you have enabled or disabled policy verification.
- CA ControlMinder cannot resolve rules that combine CA ControlMinder variables and Windows system variables. For example, CA ControlMinder cannot resolve the following rule that defines a variable named var1:
editres ACVAR var1 value("%SYSTEMROOT%\temp")
To create a policy that defines %SYSTEMROOT% as a CA ControlMinder variable and that protects %SYSTEMROOT%\temp, use the following rules:
editres ACVAR var1 value("SYSTEMROOT") type(osvar)
editres ACVAR var2 value("<!var1>\temp")
- CA ControlMinder cannot resolve variables that are dependent on each other. For example, CA ControlMinder cannot resolve variables var1 and var2 in the following example:
editres ACVAR var1 value("<!var2>")
editres ACVAR var2 value("<!var1>")
- When you use a slash to define a directory in a variable, CA ControlMinder resolves the slash in the correct direction for Windows and UNIX endpoints.
- If you use selang rules to define a variable, you must use a policy to deploy the rules to an endpoint. If you use selang rules to directly update the CA ControlMinder database on the endpoint, CA ControlMinder cannot compile the rules. For example, if you have defined a variable named jboss_home on an endpoint, and you directly update the database with the following selang rule:
editres FILE <!jboss_home> audit(all)
CA ControlMinder cannot compile the rule, but instead creates a FILE object named <!jboss_home> in the database.
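The constraints in this list can be checked before a policy is deployed. The following Python linter is an added example, not part of CA ControlMinder or its documentation; it scans selang rule text for undefined variables, mutually dependent variables, and Windows system variables inside an ACVAR value. Assumptions: the regular expressions cover only the rule forms shown on this page, BUILTINS holds only the one built-in variable named here, the function name lint_policy and the finding labels are hypothetical, and variables already defined on an endpoint are not visible to the check.

```python
import re

# Constructed sample policy (not from the product documentation).
SAMPLE_POLICY = r'''
editres ACVAR ac_data value("<!AC_ROOT_PATH>\data")
editres ACVAR var1 value("%SYSTEMROOT%\temp")
editres ACVAR a value("<!b>/logs")
editres ACVAR b value("<!a>")
editres FILE <!jboss_home> audit(all)
'''

BUILTINS = {"AC_ROOT_PATH"}  # assumption: only the built-in named on this page
ACVAR_RE = re.compile(r'^\s*editres\s+ACVAR\s+(\S+)\s+value\("([^"]*)"\)', re.I)
REF_RE = re.compile(r'<!([^>]+)>')   # <!name> variable reference
OSVAR_RE = re.compile(r'%\w+%')      # %NAME% Windows system variable

def lint_policy(text):
    """Return sorted (kind, subject) findings for the selang rules in text."""
    defs, used, findings = {}, set(), set()
    for line in text.splitlines():
        m = ACVAR_RE.match(line)
        if m:
            name, value = m.groups()
            # a variable may have several values, so merge references per name
            defs.setdefault(name, set()).update(REF_RE.findall(value))
            if OSVAR_RE.search(value):
                findings.add(("os-variable-in-value", name))
        else:
            used.update(REF_RE.findall(line))
    for refs in defs.values():
        used |= refs
    for ref in used - set(defs) - BUILTINS:
        findings.add(("undefined", ref))
    # depth-first search for variables that depend on themselves
    def reaches(start, cur, seen):
        for nxt in defs.get(cur, ()):
            if nxt == start:
                return True
            if nxt not in seen:
                seen.add(nxt)
                if reaches(start, nxt, seen):
                    return True
        return False
    for name in defs:
        if reaches(name, name, set()):
            findings.add(("circular", name))
    return sorted(findings)

if __name__ == "__main__":
    print(*lint_policy(SAMPLE_POLICY), sep="\n")
```

An empty result means none of the three conditions was found in the rule text; it does not replace reviewing the DEPLOYMENT object after deployment.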