Filter Mechanism

Reference Guide › Utilities › Services and Daemons in Detail › sepmdd Daemon (UNIX) › Filter Mechanism

Filter Mechanism

You may want your PMDB to selectively update the subscriber stations below it. To define which records are sent to the subscriber stations, point the filter token in the pmd.ini file to a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.

A filter file consists of lines with six fields per line. The fields contain the following information:

The form of access permitted or prohibited. The possible values are AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.
The environment affected. The possible values are AC, CONFIG, UNIX, NT, or NATIVE
The class of the record. The possible values include all classes in CA ControlMinder, including user‑defined classes.
The objects within the class that the rule covers. For example, User1, AuditGroup, or TTY1
The properties that the record grants or cancels. For example, OWNER and FULL_NAME in the filter line for user records means that any command having those user properties are filtered. You must enter each property exactly.
Whether such records should be forwarded to the subscriber station or not.
The possible values are PASS or NOPASS

You can use an asterisk in any field to mean “all possible values.” If more than one line covers the same records, the first applicable line is used.

In each line of the filter file, spaces separate the fields. In fields with more than one value, semicolons separate the values. Any line beginning with “#” is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:

CREATE	AC	USER	*	FULL‑NAME;OBJ_TYPE	NOPASS
form of access	environment	class	record name ( =all)*	properties	treatment

For example, suppose the file with this line is named TTY1_FILTER, and the pmd.ini file of the Policy Model TTY1 contains the line filter=/opt/CA/AccessControl/TTY1_FILTER. The Policy Model TTY1 does not send records that create new CA ControlMinder users with the FULL_NAME and OBJ_TYPE (Admin, auditor, and so on). The asterisk means “regardless of name.”

The following are the selang commands that are relevant for each access value:

Access	selang Command
AUTHORIZE_DELETE	authorize‑
AUTHORIZE_MODIFY	authorize
CREATE	newres, newusr, newgrp, newfile
DELETE	rmres, rmusr, rmgrp, rmfile, join‑ (UNIX)
DEPLOY	deploy
EDIT	editres, editusr, editgrp, editfile
FILESCAN	search
GET	get devcalc
JOIN_DELETE	join-
JOIN_MODIFY	join
MODIFY	chres, chusr, chgrp, chfile, join (UNIX)
READ	list
START	start devcalc
UNDEPLOY	deploy- (undeploy)

CA ControlMinder does not validate rules; therefore, if you enter an invalid value in a rule, the rule never matches an update transaction.