Endpoint Administration Guide for UNIX › Managing Policy Models › Automatic Rule-based Policy Updates › How the Policy Model Updates Subscribers › Policy Model Filter File

Policy Model Filter File

A filter file consists of lines, each with six fields. The fields contain information on:

• The form of access permitted or denied.

  For example, READ or MODIFY

• The environment affected:

  For example, AC or native

• The class of the record.

  For example, USER or TERMINAL

• The objects, within the class, that the rule covers.

  For example, User1, AuditGroup, or TTY1

• The properties that the record grants or cancels.

  For example, OWNER and FULL_NAME in the filter line means that any command having those properties is filtered. You must enter each property exactly as it appears in the Reference Guide.

• Whether such records should be forwarded to the subscriber database or not:

  PASS or NOPASS

The following rules apply to each line in the filter file:

• You can use an asterisk (*) to denote all possible values in any field.
• If more than one line covers the same records, the first applicable line is used.
• Spaces separate the fields.
• In fields with more than one value, semicolons separate the values.
• Lines beginning with # are considered a comment line.
• Empty lines are not allowed.

Example: Filter file

The following example describes a line from a filter file:

CREATE

AC

USER

*

FULL_NAME;OBJ_TYPE

NOPASS

In this example, if we name the file with this line TTY1_FILTER and edit the pmd.ini file for PMDB TTY1 so that filter=/opt/CA/AccessControl/TTY1_FILTER, then PMDB TTY1 will not propagate to its subscribers any records that create new users with the FULL_NAME and OBJ_TYPE property.