

CA ControlMinder Policy Model Service (sepmdd)

Valid on Windows

CA ControlMinder Policy Model Service (sepmdd) is the PMDB service. Its functions are described in this section.

SeOSAgent starts the sepmdd service. There is no need to run sepmdd explicitly. The two possible states for each Policy Model are Started and Stopped.

The PMDBs are stored in a common directory. The registry value _pmd_directory_ in the subkey HKLM\Software\ComputerAssociates\AccessControl\Pmd specifies the name of the common directory. Each Policy Model resides in a subdirectory of the common directory. The name of the Policy Model is the name of the subdirectory in which it resides.

When sepmdd starts, it checks whether any subscriber databases need to be updated and, if necessary, updates them. After this startup process, the sepmdd service waits for user requests. User requests are sent by the Policy Model management utility sepmd and by selang using the CA ControlMinder Agent.

When a request is received, sepmdd applies it to the PMDB and sends the result back to the user. If the request should be propagated, sepmdd propagates the update to its subscriber databases.

The sepmdd service tries to update a subscriber database for 30 seconds. If the 30 seconds elapse without a successful update, it skips that subscriber and tries to update the remainder of the subscribers on its list. After it completes its first scan of the subscriber list, sepmdd performs a second scan, in which it retries the subscribers it could not update during the first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).

If a subscriber is unavailable during the second scan, sepmdd attempts to send it updates every 30 minutes.

Since the updates must be sent in the order in which they are received, sepmdd does not send subsequent updates to the subscriber database until it becomes available.

Each time sepmdd fails to update a subscriber database, a warning message is written in the Policy Model error log.

Filter Mechanism

You may want your PMDB to update the subscriber stations below it selectively. To define which records are sent to the subscriber stations, set the Filter string value in the Policy Model's registry subkey to the path of a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.

Here is an example:

HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd\PolicyModelName\Filter

A filter file consists of lines with six fields per line. The fields contain this information:

1. The form of access permitted or prohibited. Valid values are: AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.

2. The environment affected. Valid values are: AC, CONFIG, UNIX, NT, or NATIVE.

3. The class of the record. Valid values include all classes in CA ControlMinder, including user-defined classes.

4. The objects within the class that the rule covers. For example: User1, AuditGroup, or COM2.

5. The properties that the record grants or cancels. For example, including GROUPS and FULLNAME in the filter line for user records means that any command having those user properties is filtered. You must enter each property exactly as it appears.

6. Whether such records should be forwarded to the subscriber station. Valid values are: PASS, NOPASS.

Note: You can use an asterisk to mean “all possible values” in any field. If more than one line covers the same records, the first applicable line is used.

In each line of the filter file, spaces separate the fields. In fields with more than one value, separate the values with semicolons. Any line beginning with “#” is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:

CREATE AC USER * FULLNAME;OBJ_TYPE NOPASS

The six fields of this line, from left to right, are: form of access (CREATE), environment (AC), class (USER), record name (* = all), properties (FULLNAME;OBJ_TYPE), and treatment (NOPASS).

If, for example, the file with this line is named Printer1_Filter.flt and the registry value HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd\PM-1\Filter contains the string "C:\Program Files\CA\Access Control\data\Printer1_Filter.flt", then Policy Model PM-1 will not send records that create new CA ControlMinder users with the FULLNAME and OBJ_TYPE properties (admin, auditor, and so on). The asterisk means "regardless of name."

The selang commands that are relevant for each access value are:

Access              selang Command
AUTHORIZE_DELETE    authorize-
AUTHORIZE_MODIFY    authorize
CREATE              newres, newusr, newgrp, newfile
DELETE              rmres, rmusr, rmgrp, rmfile, join- (UNIX)
DEPLOY              deploy
EDIT                editres, editusr, editgrp, editfile
FILESCAN            search
GET                 get devcalc
JOIN_DELETE         join-
JOIN_MODIFY         join
MODIFY              chres, chusr, chgrp, chfile, join (UNIX)
READ                list
START               start devcalc
UNDEPLOY            deploy- (undeploy)

Note: CA ControlMinder does not validate rules; therefore, if you enter an invalid value in a rule, the rule will never match an update transaction.
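As an added example (not CA's code), the following parser and first-match evaluator implement the filter file format described above, together with a lint for the field values that, as the Note says, sepmdd itself does not validate. The "any listed property matches" rule for the properties field and the None result when no line applies are assumptions, since the page does not state them; the sample filter file is constructed.

```python
# Valid field values as listed on this page; sepmdd itself does not check them.
ACCESS = {"AUTHORIZE_DELETE", "AUTHORIZE_MODIFY", "CREATE", "DELETE", "DEPLOY",
          "EDIT", "FILESCAN", "GET", "SEOS_ACCS_READ", "JOIN_DELETE",
          "JOIN_MODIFY", "MODIFY", "READ", "START", "UNDEPLOY"}
ENV = {"AC", "CONFIG", "UNIX", "NT", "NATIVE"}
TREATMENT = {"PASS", "NOPASS"}

def _field(text):  # "*" means all values; otherwise a ';'-separated list of values
    return {"*"} if text == "*" else set(text.split(";"))

def parse_filter(text):
    """Return rules as (access, env, class, objects, props, treatment) tuples. '#' lines
    are comments; fields are space-separated; an empty line (zero fields) is rejected."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(tuple(_field(f) for f in fields[:5]) + (fields[5],))
    return rules

def lint(rules):
    """Report values that can never match an update: sepmdd does not validate rules."""
    problems = []
    for i, (access, env, _cls, _objs, _props, treatment) in enumerate(rules, 1):
        for name, vals, valid in (("access", access, ACCESS), ("environment", env, ENV)):
            bad = vals - valid - {"*"}
            if bad: problems.append(f"rule {i}: unknown {name} {sorted(bad)}")
        if treatment not in TREATMENT: problems.append(f"rule {i}: unknown treatment {treatment}")
    return problems

def _hit(rule_vals, value):
    return "*" in rule_vals or value in rule_vals

def decide(rules, access, env, cls, obj, props):
    """First applicable line wins; None when no line applies (the page gives no default).
    Assumption: a properties field matches when the update carries any listed property."""
    for r_access, r_env, r_cls, r_objs, r_props, treatment in rules:
        if (_hit(r_access, access) and _hit(r_env, env) and _hit(r_cls, cls)
                and _hit(r_objs, obj) and ("*" in r_props or r_props & set(props))):
            return treatment
    return None

SAMPLE = """# constructed sample (not from the product docs): block FULLNAME/OBJ_TYPE on new users
CREATE AC USER * FULLNAME;OBJ_TYPE NOPASS
CREATE AC USER * * PASS
"""
```

Running lint() over a filter file before pointing the Filter registry value at it catches the silent never-matching rules the Note warns about.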

Registry Subkeys

Each PMDB has its own registry subkey under:

HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd

This subkey contains the values that define and determine the activity of the PMDB. The sepmdd utility creates a subkey, if it does not already exist, with the minimum number of entries needed.


More information:

sepmd Utility

sepmdadm Utility—Create PMDB Definitions