

Architecture Dependency

When deploying CA ControlMinder, you should consider the hierarchy of your environment. At many sites, the network includes a variety of architectures. Some policy rules, such as the list of trusted programs, are architecture-dependent. On the other hand, most rules are independent of the system's architecture.

You can cover both kinds of rules by using a hierarchy. You can define a global database for architecture-independent rules, and give it subscriber PMDBs that define architecture-dependent rules.

Note: The root PMDB and all of its subscribers can reside on the same computer or on separate computers, depending on the physical needs of your environment.

Example: A Two-tiered Deployment Hierarchy

The following UNIX example also applies to a Windows architecture with small modifications.

In the example, the site consists of IBM AIX and Sun Solaris systems. Since the list of trusted programs on IBM AIX differs from the one on Sun Solaris, the PMDBs need to consider architecture dependency.

To set up a multiple-architecture PMDB, set up your PMDBs as follows:

  1. Define a PMDB named whole_world, to contain the users, groups, and all other architecture-independent policies.
  2. Define a PMDB named pm_aix, to contain all the IBM AIX-specific rules.
  3. Define a PMDB named pm_sol, to contain all the Sun Solaris-specific rules.

    The PMDBs pm_aix and pm_sol are subscribers of the PMDB whole_world. All IBM AIX computers at the site are subscribers of pm_aix. All Sun Solaris computers at the site are subscribers of pm_sol. The concept is illustrated in the following chart.

    The diagram shows hierarchical PMDBs configured in a sample environment.

  4. When you enter platform-independent commands in whole_world, such as adding a user or setting a SURROGATE rule, all databases at the site are automatically updated.
  5. When you add a trusted program to pm_aix, only IBM AIX computers are updated, without affecting the Sun Solaris systems.
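
The following Python sketch is an added example, not CA ControlMinder code or output. It models the two-tiered hierarchy above to show which endpoints receive a rule entered at a given PMDB, and it audits the subscription map for a host attached to the wrong architecture-specific PMDB. The host names, architecture labels, and function names are assumptions made for illustration.

```python
# Constructed model of the hierarchy described on this page.
# Keys are PMDBs; values are their direct subscribers (PMDBs or endpoints).
SUBSCRIBERS = {
    "whole_world": ["pm_aix", "pm_sol"],
    "pm_aix": ["aix01", "aix02"],   # hypothetical IBM AIX hosts
    "pm_sol": ["sol01", "sol02"],   # hypothetical Sun Solaris hosts
}
# Architecture of each endpoint (constructed sample inventory).
HOST_ARCH = {"aix01": "aix", "aix02": "aix",
             "sol01": "solaris", "sol02": "solaris"}
# Architecture each subscriber PMDB is meant to serve.
# whole_world is architecture-independent, so it is not listed.
PMDB_ARCH = {"pm_aix": "aix", "pm_sol": "solaris"}


def reach(pmdb, subscribers=SUBSCRIBERS):
    """Return the set of endpoints that receive a rule entered at `pmdb`."""
    hosts, seen, stack = set(), set(), [pmdb]
    while stack:
        node = stack.pop()
        if node in seen:            # guard against a subscription loop
            continue
        seen.add(node)
        children = subscribers.get(node)
        if children is None:
            hosts.add(node)         # no subscribers of its own: an endpoint
        else:
            stack.extend(children)  # a PMDB: the update propagates downward
    return hosts


def mismatches(subscribers=SUBSCRIBERS):
    """List (pmdb, host) pairs where a host would receive rules written
    for a different architecture, such as the wrong trusted-program list."""
    bad = []
    for pmdb, arch in PMDB_ARCH.items():
        for host in sorted(reach(pmdb, subscribers)):
            if HOST_ARCH.get(host) != arch:
                bad.append((pmdb, host))
    return bad


if __name__ == "__main__":
    print("whole_world ->", sorted(reach("whole_world")))
    print("pm_aix      ->", sorted(reach("pm_aix")))
    print("mismatches  ->", mismatches())
```

Running the audit against an exported subscriber list before entering an architecture-dependent rule shows exactly which computers the update will reach.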