Administration Guide › Policies

Policies

Creating custom roles requires the editing of predefined policies and the creation of custom policies. Before you begin these tasks, it is helpful to examine the predefined policies associated with each of the predefined roles. It is a good practice to back up predefined access policies before doing any editing.

This section contains the following topics:

Introduction to Policies

Predefined Access Policies

Back Up All Access Policies

Restore Access Policies

Introduction to Policies

An access policy is a rule that grants or denies an identity (user or user group) access rights to an application resource or a global resource. CA User Activity Reporting Module determines whether policies apply to the particular user by matching identities, resources, resource classes, and evaluating the filters. That is, a policy states the actions that are granted or denied to specific identities on specific resources. Policies that deny access to a given resource have precedence over policies that grant access to the same resource.

CA User Activity Reporting Module supports the following types of access policies:

• CALM Access policies
• Delegation policies
• Dynamic User Group policies (an alternative approach to custom application groups)
• Obligation policies (created automatically when you create an access filter)
• Scoping policies

CA User Activity Reporting Module is installed with predefined CALM access policies and scoping policies for three CA User Activity Reporting Module application user groups: Administrator, Analyst, and Auditor. These policies are sufficient if you plan to assign only the out-of-the-box application user groups to users performing the various roles.

Important! We recommend that you take a backup of the predefined policies that are provided with CA User Activity Reporting Module. If a CALM Access policy is inadvertently deleted, users cannot access CA User Activity Reporting Module until that policy is restored from a backup.

Predefined Access Policies

If you use the out-of-the-box features, where you assign a predefined application group (Administrator, Analyst, or Auditor) as the role for each user, you do not need to create any access policies. All required policies are predefined and are ready for use.

Examine Policies for All Users

You can examine policies for all users. Edit the CALM Application Access policy to define custom roles. All custom roles must be added as identities to this policy.

To examine policies for all users

1. Click the Administration tab and then click the User and Access Management subtab.
2. Click Access Policies in the left pane.
3. Display the CALM Application Access policy as follows:
   1. Select Show policies matching name.
   2. Enter CALM*.
   3. Click Go.
4. Examine the CALM Application Access policy.

   This policy grants read and write access to the listed resources for all members of the default application user groups (Administrator, Analyst, and Auditor) and to others who use the CA User Activity Reporting Module API:

   

   The listed resources are as follows:

   • The ApplicationInstance resource is CAELM, which refers to the CA User Activity Reporting Module product.
   • Policy refers to access policies.
   • User is any user added to a CA User Activity Reporting Module application user group.
   • GlobalUser is any user defined in the user store within CA User Activity Reporting Module or referred to from CA User Activity Reporting Module.
   • AppObject with the pozFolder value to the Profiles folder refers to profiles.
   • AppObject with the pozFolder value to the flex folder refers to the dynamic time range XML used to populate the time ranges drop-down list in the Result Conditions step of query-based wizards.

   The filter for CALM application access specifies the action limitations on each resource.

   

5. Search for policies for all users as follows:
   1. Click Access Policies in the left pane.
   2. Select Show policies matching identity. Clear other selections.
   3. Enter [All Identities] in the Add identity field.
   4. Click Add.
   5. Click Go.

   Four policies appear, including the CEG Policy and the Default Data Access Policy. (If you do not explicitly enter [All Identities], many additional policies display.)

6. Examine the Default Data Access Policy.

   The predefined Default Data Access policy on the CALM resource class grants all users access to CA User Activity Reporting Module data to the extent specified in an access filter. An access filter is translated into an obligation policy with the FulfillOnGrant Action to dataaccess/CALM/Data.

   

7. Examine the scoping policy, CEG Policy.

   The predefined CEG Policy grants all users with CALM Application Access the ability to view Common Event Grammar fields. Therefore the CEG fields appear in drop-down lists for simple and advanced filters for all users, because all users can set global and local filters for the queries they run. Users with rights to create and edit queries can set the filters for the queries they create and edit. This policy also helps ensure that all users can view the Global Configuration settings.

   

   

Examine Policies for Auditors

You can examine the predefined policies for Auditors to see how they limit application access to resources required to perform the following tasks.

• Schedule and annotate reports
• View reports

To examine predefined policies for Auditors

1. Click the Administration tab and the User and Access Management subtab.
2. Click Access Policies in the left pane.
3. Search for policies for Auditors as follows:
   1. Select Show policies matching identity.
   2. Enter ug:Auditor in the Add identity field.
   3. Click Add.
   4. Click Go.

   All policies for [All Identities] and ug:Auditor appear.

4. Examine the Auditor Schedule-Annotate Rights policy.

   All CALM access policies define the actions that can be performed against application-specific resources. This policy grants users assigned the application user group, Auditor, the ability to schedule and annotate reports.

   

   Compare this policy with the Analyst Create-Schedule-Annotate policy and the Administrator Create policy.

5. Examine the Analyst Auditor Report Server Access Policy.

   This scoping policy gives Auditors the ability to set the report destination to any Report Server and to create a federated report, which requires access any Event Log Store. The resource listed in the policy is AppObject, where the application objects are the Report Servers and Event Log Stores.

   

   

   Note: For a given CALM Access policy, that is, policy for the CALM Resource Class, there is typically a related scoping policy for the SafeObject resource class.

6. Examine the Auditor View Report policy.

   This scoping policy grants users read access to reports. The resource listed in the policy is AppObject.

   

   AppObject is limited to a specific application resource with a filter that grants the right to view reports. The path is an EEM folder path that stores the content of all reports.

   

Examine Policies for Analysts

You can examine the predefined policies for Analysts to see how they limit application access to resources required to perform the following tasks:

• Schedule and annotate reports (Auditor tasks)
• View reports (Auditor task)
• Create reports and tags
• Create and schedule alerts (queries)
• Edit reports, alerts, and tags

To examine predefined policies for Analysts

1. Click the Administration tab and the User and Access Management subtab.
2. Click Access Policies in the left pane.
3. Search for policies for Analysts as follows:
   1. Clear the checkmark for Show policies matching name.
   2. Select Show policies matching identity.
   3. Enter ug:Analyst in the Add identity field.
   4. Click Add.
   5. Click Go.
4. All policies for ug:Analyst appear, including [All Identities] that includes this user group.
5. Examine the Analyst Create-Schedule-Annotate policy.

   This CALM access policy defines the actions that can be performed against application-specific resources. The policy grants users assigned the CA User Activity Reporting Module application user group, Analyst, the ability to create, schedule, and annotate reports, create and schedule action alerts, and create tags. (Auditors can only schedule and annotate reports.)

   

6. Examine the Analyst Auditor Report Server Access Policy.

   This scoping policy grants Analysts schedule rights for any Report Server. The resource listed in the policy is AppObject.

   

   AppObject is limited to specific resources with filters.

   

   • The filter ending in calmReporter grants read access to all Report Servers. When a report is scheduled, the destination Report Servers from which the generated report can be viewed is specified.
   • The filter ending in logDepot grants access to all Event Log Stores. When a report is defined as federated, queries are run against the data in all eligible Event Log Stores. Eligibility depends on the position in the hierarchy of the server on which the report is initiated, in hierarchical federations.
7. Examine the Analyst Report View-Edit policy.

   This scoping policy grants users assigned the Analyst role the ability to view, edit, or delete any report. The resource specified in the policy is AppObject.

   

   AppObject is limited to reports by the following filter, which grants the right to view generated reports saved in the EEM Folder /CALM_Configuration/Content/Reports.

   

   Note: The ability to edit reports granted by this policy is extended by the CEG policy, which grants the right to add filters to reports using CEG columns.

Examine Policies for Administrators

Administrators assign the Administrator role to users who are to have full access to the CA User Activity Reporting Module application and all of its features. You can examine the predefined policies for Administrators to see how to grant access to those users who are to perform the following tasks:

• Create EventGrouping, that is, create suppression and summarization rules using common event grammar.
• Create Integration, that is, create data mapping and message parsing files using common event grammar.
• Create EventForwarding, that is, create rules to forward events to third-party systems.
• Run Database, that is, query with Archive Catalog Query for the names of databases that have been backed up and moved to an external archive solution.
• View or edit policies.
• View or edit user-defined calendars.
• View or edit any application object. Application objects are report templates, query templates, scheduled report jobs, alert jobs, profiles, service configurations, data mapping (DM) files, message parsing (XMP) files, suppression and summarization rules, and event forwarding rules.
• Create filters with the iPoz attribute of AppObject.
• View the folders listed under Administration, User and Access Management, EEM Folders and edit any user-defined data in these folders.
• View or edit details for any application user, application user group, or global user.
• Any Analyst or Auditor tasks.

To examine predefined policies for Administrators

1. Click the Administration tab and then click the User and Access Management subtab.
2. Click Access Policies in the left pane.
3. Search for policies for Administrators as follows:
   1. Select Show policies matching identity.
   2. Enter ug:Administrator in the Add identity field.
   3. Click Add.
   4. Click Go.

   All policies for [All Identities] and ug:Administrator appear.

4. Examine the CALM access policy, Administrator Create Policy.

   This policy defines the actions that can be performed against application-specific resources. The policy grants users assigned the application user group, Administrator, the ability to perform the specified actions as they apply to the specified resources.

   

5. Examine the CALM access policy, Admin Agent Manager Policy.

   The policy grants Administrators the right to create agent groups, edit all agent groups, configure connectors, and create integrations. The policy lets Administrators edit the Agent Authentication Key for the application instance of the CA User Activity Reporting Module server to which the agent transfers collected events. By default, the configured Agent Authentication Key applies to all CA User Activity Reporting Module servers across application instances, but can be set to be unique to the application instance.

   

6. Examine the scoping policy, Administrator Default Policy.

   This policy grants Administrators the right to view, edit, or delete the listed resources. The listed resources are not specific to CA User Activity Reporting Module, and AppObject. AppObject refers to application-specific objects, which are resources listed in the CALM Administrator Create policy and in the CALM Admin Agent Manager policy.

   

Access Policies for Registered Products

When a product is registered with CA User Activity Reporting Module, a new certificate is generated and certain access policies are updated to allow read only access to all tags, queries, and reports. Specifically, the certificate name that is used to authenticate the registered product is added as the Identity cert name to the following policies:

• CALM Application Access
• Analyst Auditor Report Server Access Policy
• Analyst Report View-Edit policy

The addition of the certificate name to the policies lets users of any CA product, third-party product, or CA customer get a list of queries and reports by tag. These users can display the lists within their own user interface and retrieve the refined event data they need.

Back Up All Access Policies

Exporting predefined access policies is a recommended way of preserving a backup in the event an access policy is inadvertently deleted or corrupted.

Important! Since corruption to policies can occur during a system or CA EEM service restart, it is important to have a current backup to restore. In addition, you should back up CA EEM periodically, for example, after an installation of a new CA User Activity Reporting Module and after creating custom policies.

You can export all of the policies for each type of access policy. When you export policies, an XML file is generated for each policy of the selected type. The XML files are zipped into a zip file named CAELM[1].xml.gz that contains the CAELM[1].xml document. You save the exported zip file to a directory of your choice.

Before you can restore your saved backup file, you need to copy them to the following directory of the CA User Activity Reporting Module with the internal user store: /opt/CA/LogManager/EEM. You can do this copy after a save to your local directory or wait and copy them only if a restore is needed.

The format in which policies are exported depends on the number of objects being exported.

• filename.tar.gz is used if there is a huge number of exported objects
• filename.xml.gz is used if there is a small to moderate number of exported objects

It is a good practice to rename filename (CAELM[n]), in a meaningful way when you do the export. For example, export the files from the three policy folders containing predefined policies as CAELM_CalmAccessPolicies, CAELM_EventPolicies, and CAELM_ScopingPolicies.

Note: The same extensions, xml.gz or tar.gz, must be maintained.

You can extract the XML file containing the access policy definition from the zip file and use it as input to the safex utility, used to restore the access policy.

To back up all access policies

1. Click the Administration tab and then click the User and Access Management subtab.
2. Back up the predefined CALM access policies as follows:
   1. Click the Access Policies button.
   2. Click CALM.

      That policy table, Access Policies - "CALM" appears

   3. Click the Export button.
   4. The File Download dialog appears with options to open or save.
   5. (Optional) Click Open to open the zip file, CAELM[1].xml.gz. Double click CAELM[1].xml to examine the file in XML format.
   6. Click Save to save the file.

      The Save As dialog appears.

   7. Select the target folder for save in, change the file name if desired, and click Save.

      If you do not change the file name, the zip file is saved as CAELM[1].xml.gz.

   8. Click Close.

      The Download Complete dialog closes. The policy list remains displayed in the left pane.

3. Back up the predefined Event Policies as follows:
   1. Click Event Policies.

      That policy table, Event Policies appears

   2. Click the Export button.
   3. The File Download dialog appears with options to open or save.
   4. Click Save to save the file.

      A message appears asking whether you want to replace the existing CAELM[1].xml.gz file.

   5. Click No.
   6. Enter a unique name in the file name field and click Save. For example, edit the entry to CAELM[2].xml.gz or enter a name for the policy type such as CAELM_EventPolicies.
   7. Click Close.

      The Download Complete dialog closes. The policy list remains displayed in the left pane.

4. Back up the predefined Scoping Policies as follows:
   1. Click Scoping Policies.

      That policy table, Scoping Policies appears

   2. Click the Export button. You may need to scroll horizontally to view the button in the top right corner.
   3. The File Download dialog appears with options to open or save.
   4. Click Save to save the file.

      A message appears asking whether you want to replace the existing CAELM[1].xml.gz file.

   5. Click No.
   6. Enter a unique name in the file name field and click Save. For example, edit the entry to CAELM[3].xml.gz or enter a name for the policy type such as CAELM_ScopingPolicies.
   7. Click Close.

      The Download Complete dialog closes. The policy list remains displayed in the left pane.

5. Click Close.

   The Access Policies list closes.

Example --CAELM[1].xml for CALM Access Policies

Following is an entry for one policy in the CAELM[1].xml file.

More information:

Manually Backing Up Archived Databases

Preserving Predefined Access Policies

Back Up a CA EEM Application Instance

Restore Access Policies

You can restore an access policy that has been deleted or changed in a way that causes problems. If an access policy is accidentally deleted or corrupted, users referenced as Identities in that policy cannot access CA User Activity Reporting Module until that policy is redefined or restored.

Restoring access policies requires running the safex utility for policies.

Use one of the two following procedures, depending on whether your export created a backup file with the xml.gz extension or the tar.gz extension.

To restore access policies from a backup named filename.xml.gz

1. Copy your saved backup files to following directory of the management CA User Activity Reporting Module, typically the first server installed.

    /opt/CA/LogManager/EEM
   

2. Run the following command to retrieve the XML file:

   gunzip filename.xml.gz 
   

   This creates filename.xml.

3. (Optional) If you want to restore only one of the policies in the group that you backed up, do the following:
   1. Open the XML file.
   2. For the policies you do not want to restore, delete the XML lines beginning and ending with the following tags:
      <Policy folder="/ name=policyname> and </Policy>
   3. Save the file.
4. Execute the following command, where eemserverhostname refers to the host name of the management CA User Activity Reporting Module.

   ./safex -h eemserverhostname -u EiamAdmin -p password -f filename.xml
   

   When the CA User Activity Reporting Module server is in FIPS mode, be sure to include the -fips option.

   The policy or policies defined in filename.xml being restored are added to the appropriate policy type and put into effect.

To restore access policies from a backup named filename.tar.gz

1. Copy your saved backup files to following directory of the management CA User Activity Reporting Module, typically the first server installed.

    /opt/CA/LogManager/EEM
   

2. Run the following command to retrieve the XML file.

   gunzip filename.tar.gz
   

   This creates filename.tar.

3. Run the following command:

   tar -xvf filename.tar 
   

   This creates filename.xml.

4. (Optional) If you want to restore only one of the policies in the group that you backed up, do the following:
   1. Open the XML file.
   2. For the policies you do not want to restore, delete the XML lines beginning and ending with the following tags:
      <Policy folder="/ name=policyname> and </Policy>
   3. Save the file.
5. Execute the following command, where eemserverhostname refers to the host name of the management CA User Activity Reporting Module.

   ./safex -h eemserverhostname -u EiamAdmin -p password -f filename.xml
   

To recreate the CALM Access Policy if you have no backup

If you have no backup, you can recreate the CALM Application Access policy.

1. Recreate the CALM Application Access policy. See "Predefined Policies."
2. Define the filters as shown in the following illustration. The partial paths are:
   • /CALM_Configuration/Content/Profiles
   • /CALM_Configuration/flex

     

   The presence of this policy enables any Administrator to log in and create the other policies.

More information:

Back Up All Access Policies