Valid on Windows
CA ControlMinder Policy Model Service (sepmdd) is the PMDB service. It performs the following functions:
SeOSAgent starts the sepmdd service. There is no need to run sepmdd explicitly. The two possible states for each Policy Model are Started and Stopped.
The PMDBs are stored in a common directory. The registry value _pmd_directory_ in the subkey HKLM\Software\ComputerAssociates\AccessControl\Pmd specifies the name of the common directory. Each Policy Model resides in a subdirectory of the common directory. The name of the Policy Model is the name of the subdirectory in which it resides.
When sepmdd starts, it checks whether any subscriber databases need to be updated and, if necessary, updates them. After this startup process, the sepmdd service waits for user requests. User requests are sent by the Policy Model management utility sepmd and by selang using the CA ControlMinder Agent.
When a request is received, sepmdd applies it to the PMDB and sends the result back to the user. If the request should be propagated, sepmdd propagates the update to its subscriber databases.
The sepmdd service tries to update a subscriber database for 30 seconds. If the 30 seconds elapse without success, it skips that subscriber and tries to update the remaining subscribers on its list. After it completes its first scan of the subscriber list, sepmdd performs a second scan, in which it tries again to update the subscribers that it failed to update during the first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).
If a subscriber is unavailable during the second scan, sepmdd attempts to send it updates every 30 minutes.
Since the updates must be sent in the order in which they are received, sepmdd does not send subsequent updates to the subscriber database until it becomes available.
Each time sepmdd fails to update a subscriber database, a warning message is written in the Policy Model error log.
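The following is an added example, not CA Technologies' code: a model of the propagation schedule just described, run on a simulated clock. The timings (30 s per subscriber on the first scan, about 90 s on the second, then one attempt every 30 minutes) come from the text; everything else is an assumption of the model: each subscriber has a constructed `up_at` time from which connections succeed, a failed attempt consumes the full timeout, and the 30-minute retries are capped so the simulation terminates. Each subscriber's backlog is a FIFO queue that is drained completely or not at all, which is how the ordering requirement above is honoured.

```python
from collections import deque

# Timings from the description above (seconds).
FIRST_SCAN_TIMEOUT = 30          # per-subscriber attempt on the first scan
SECOND_SCAN_TIMEOUT = 90         # connect() timeout, approximately
RETRY_INTERVAL = 30 * 60         # retry period after the second scan
MAX_RETRIES = 4                  # assumption: cap so the simulation ends


class Subscriber:
    """One subscriber PMDB. `up_at` is the simulated time (seconds) from
    which connections to it succeed; this is constructed input."""

    def __init__(self, name, up_at):
        self.name = name
        self.up_at = up_at
        self.queue = deque()     # pending updates, oldest first
        self.errors = []         # stands in for the Policy Model error log

    def deliver(self, now, log):
        """Send the whole backlog in arrival order, or nothing at all."""
        if now < self.up_at:
            self.errors.append(f"t={now}s: failed to update subscriber {self.name}")
            return False
        while self.queue:
            log.append((now, self.name, self.queue.popleft()))
        return True


def propagate(subscribers, updates):
    """Queue `updates` for every subscriber and run the scan/retry schedule.

    Returns (delivery log, subscribers still behind). Each log entry is
    (time, subscriber name, update). A subscriber never receives an update
    before an earlier one, because its queue is drained in order."""
    log = []
    for update in updates:
        for sub in subscribers:
            sub.queue.append(update)
    now = 0
    # First scan: 30 s per subscriber; skip it on failure and carry on.
    failed = []
    for sub in subscribers:
        if not sub.deliver(now, log):
            now += FIRST_SCAN_TIMEOUT
            failed.append(sub)
    # Second scan: retry only the skipped ones, until connect() times out.
    behind = []
    for sub in failed:
        if not sub.deliver(now, log):
            now += SECOND_SCAN_TIMEOUT
            behind.append(sub)
    # After that, one attempt every 30 minutes; the backlog keeps its order.
    for _ in range(MAX_RETRIES):
        if not behind:
            break
        now += RETRY_INTERVAL
        behind = [sub for sub in behind if not sub.deliver(now, log)]
    return log, behind


if __name__ == "__main__":
    # Constructed scenario: one subscriber up, one back after a minute,
    # one down for 50 minutes.
    subs = [Subscriber("sub-a", up_at=0), Subscriber("sub-b", up_at=60),
            Subscriber("sub-c", up_at=3000)]
    deliveries, still_behind = propagate(subs, ["rmusr u1", "newusr u2", "chusr u2"])
    for entry in deliveries:
        print(entry)
    for sub in subs:
        print(sub.name, sub.errors)
```

The point to take from the run is the latency a briefly unavailable subscriber incurs: sub-c is reachable again at t=3000 s but receives nothing until the next 30-minute retry at t=3750 s, and a revocation such as `rmusr u1` waits in its queue for that whole time. The per-subscriber error list corresponds to the warnings written to the Policy Model error log.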
Filter Mechanism
You may want your PMDB to update the subscriber stations below it selectively. To define which records are sent to the subscriber stations, set the Filter string value under the Policy Model's registry subkey to the full path of a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.

For a Policy Model named PolicyModelName, the value is:

HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd\PolicyModelName\Filter
A filter file consists of lines with six fields per line. The fields contain this information:

Form of access: Valid values are: AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.

Environment: Valid values are: AC, CONFIG, UNIX, NT, or NATIVE.

Class: Valid values include all classes in CA ControlMinder, including user-defined classes.

Record name: The name of the object the command acts on. For example: User1, AuditGroup, or COM2.

Properties: The properties the command sets or changes. For example, including GROUPS and FULLNAME in the filter line for user records means that any command that sets either of those user properties matches the line. You must enter each property name exactly as it appears.

Treatment: Valid values are: PASS (send the matching records to the subscribers) or NOPASS (do not send them).
Note: You can use an asterisk to mean “all possible values” in any field. If more than one line covers the same records, the first applicable line is used.
In each line of the filter file, spaces separate the fields. In fields with more than one value, separate the values with semicolons. Any line beginning with "#" is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:

CREATE AC USER * FULLNAME;OBJ_TYPE NOPASS

Field by field, this line reads:

Form of access     CREATE
Environment        AC
Class              USER
Record name        *
Properties         FULLNAME;OBJ_TYPE
Treatment          NOPASS
If, for example, the file with this line is named Printer1_Filter.flt and the registry value HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd\PM‑\Filter contains “C:\Program Files\CA\Access Control\data\Printer1_Filter.flt”, then Policy Model PM‑1 does not send its subscribers any record that creates a new CA ControlMinder user and sets the FULLNAME or OBJ_TYPE property (admin, auditor, and so on). The asterisk in the record name field means that the line applies regardless of the user name; a record that creates a user without setting either of those properties is not matched by this line.
The selang commands that are relevant for each access value are:

Access             selang Command
AUTHORIZE_DELETE   authorize-
AUTHORIZE_MODIFY   authorize
CREATE             newres, newusr, newgrp, newfile
DELETE             rmres, rmusr, rmgrp, rmfile, join- (UNIX)
DEPLOY             deploy
EDIT               editres, editusr, editgrp, editfile
FILESCAN           search
GET                get devcalc
JOIN_DELETE        join-
JOIN_MODIFY        join
MODIFY             chres, chusr, chgrp, chfile, join (UNIX)
READ               list
START              start devcalc
UNDEPLOY           deploy- (undeploy)
Note: CA ControlMinder does not validate rules; therefore, if you enter an invalid value in a rule, the rule will never match an update transaction.
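The following added example is not CA Technologies' code: it models, in Python, how a filter file is parsed and applied to a single update, using the rules given in this section (six space-separated fields, semicolons for multiple values, `*` for any value, `#` comment lines, first applicable line wins, a properties field that matches when the update sets any listed property). Since sepmdd itself does not validate rules, the example adds a `lint_filter` check that flags access and environment values outside the documented lists, which is how a mistyped rule that "never matches" is caught before deployment. Two things are assumptions rather than statements of the page: an update that matches no line is treated as PASS, and the parser rejects lines without six fields (the real service does not validate). The filter text and update values are constructed.

```python
from dataclasses import dataclass

# Documented value lists, used only by the lint check below.
VALID_ACCESS = {"AUTHORIZE_DELETE", "AUTHORIZE_MODIFY", "CREATE", "DELETE",
                "DEPLOY", "EDIT", "FILESCAN", "GET", "SEOS_ACCS_READ",
                "JOIN_DELETE", "JOIN_MODIFY", "MODIFY", "READ", "START",
                "UNDEPLOY"}
VALID_ENV = {"AC", "CONFIG", "UNIX", "NT", "NATIVE"}


@dataclass(frozen=True)
class Rule:
    """One filter line. Every field is a set of accepted values; '*' is any."""
    access: frozenset
    environment: frozenset
    cls: frozenset
    names: frozenset
    properties: frozenset
    treatment: str
    lineno: int


def parse_filter(text):
    """Parse filter-file text into Rule objects, preserving file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue                      # comment line
        fields = raw.split()              # spaces separate the six fields
        if len(fields) != 6:
            # Assumption: reject empty/short lines; sepmdd itself does not.
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        *cols, treatment = fields
        if treatment not in ("PASS", "NOPASS"):
            raise ValueError(f"line {lineno}: treatment must be PASS or NOPASS")
        # Semicolons separate multiple values within a field.
        rules.append(Rule(*(frozenset(c.split(";")) for c in cols), treatment, lineno))
    return rules


def lint_filter(rules):
    """Report values that can never match, since the service will not."""
    warnings = []
    for r in rules:
        for v in sorted(r.access - {"*"}):
            if v not in VALID_ACCESS:
                warnings.append(f"line {r.lineno}: unknown access value {v!r}")
        for v in sorted(r.environment - {"*"}):
            if v not in VALID_ENV:
                warnings.append(f"line {r.lineno}: unknown environment {v!r}")
    return warnings


def _matches(values, actual):
    return "*" in values or actual in values


def treatment_for(rules, access, environment, cls, name, properties=()):
    """Return 'PASS' or 'NOPASS' for one update; the first applicable line wins.

    The properties field matches when the update sets any property listed
    in it (or the field is '*')."""
    props = set(properties)
    for r in rules:
        if (_matches(r.access, access) and _matches(r.environment, environment)
                and _matches(r.cls, cls) and _matches(r.names, name)
                and ("*" in r.properties or r.properties & props)):
            return r.treatment
    return "PASS"   # assumption: an update no line covers is propagated


# Constructed sample filter: the page's example line, a group rule, a
# mistyped rule that can never match (CREAT), and a catch-all.
SAMPLE_FILTER = """\
# hold back new users whose FULLNAME or OBJ_TYPE is set
CREATE AC USER * FULLNAME;OBJ_TYPE NOPASS
# never forward changes to or removal of AuditGroup
MODIFY;DELETE AC GROUP AuditGroup * NOPASS
CREAT AC USER * * NOPASS
* * * * * PASS
"""
RULES = parse_filter(SAMPLE_FILTER)

if __name__ == "__main__":
    for warning in lint_filter(RULES):
        print("warning:", warning)
    # newusr User1 fullname('Jane Doe'): matched by the first line.
    print(treatment_for(RULES, "CREATE", "AC", "USER", "User1", ["FULLNAME"]))
    # newusr User2 with no properties: falls through to the catch-all.
    print(treatment_for(RULES, "CREATE", "AC", "USER", "User2"))
```

Run `lint_filter` on every filter file before pointing the Filter registry value at it; a rule that fails the lint silently lets every update it was meant to hold back reach the subscribers.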
Registry Subkeys
Each PMDB has its own registry subkey under:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd
This subkey contains the values that define and determine the activity of the PMDB. The sepmdd utility creates a subkey, if it does not already exist, with the minimum number of entries needed.
Copyright © 2013 CA Technologies.
All rights reserved.