How You Can Set Up a Hierarchy
Privileged Access Manager Server Control uses the Policy Model service to propagate rule-based policy updates across the configured hierarchy. By subscribing several Privileged Access Manager Server Control computers to the same PMDB, and by subscribing one PMDB to another, you create a hierarchy.
To enable automatic rule-based policy updates, do the following:
- Create and configure the master PMDB.
- (Optional) Create and configure subscriber PMDBs.
- Define parent PMDBs for the subscribing computers (see page ), called endpoints.
The following sections show how you set up a PMDB hierarchy. There are other ways of creating PMDBs and then setting their hierarchy. For a comprehensive discussion of the Policy Model utilities, see the Reference Guide.
Create and Configure the Master PMDB
To let you manage policies from a central location, you first create and configure a master PMDB. On a local host, you can use the sepmdadm command.
The following procedure shows the interactive form of the sepmdadm command. For information about using the command-line parameters for all input, see the Reference Guide.
Follow these steps:
1. In a command line, enter the following command:
sepmdadm -i
Privileged Access Manager Server Control starts the Policy Model database administration script (sepmdadm) and displays a menu with options for you to choose from.
2. Enter 1 to select the first option (create a master PMDB and define its subscribers).
The script is configured to ask you the relevant questions.
3. Press Enter to continue.
The script continues to ask you the first question.
If Privileged Access Manager Server Control is not running, the script issues a warning and lets you start Privileged Access Manager Server Control before the script is rerun.
4. Enter a name for the Policy Model you want to create.
The script registers the Policy Model name and continues.
Note: The first character of a PMDB name should be alphanumeric; the rest of the name consists of alphanumeric characters, '-' and '_'.
5. Enter the name of the first subscriber computer you want to specify.
The script registers the name of the first subscriber and then asks you to enter the name of the next subscriber.
6. Continue to enter subscriber names as necessary, then press Enter without entering a subscriber name.
The script registers all subscriber names and continues.
You still must point each subscriber computer to its parent PMDB.
7. If you are running NIS, NIS+, or DNS, choose whether you want to update the NIS/DNS tables with PMDB changes.
Updates are made to users and groups in the PMDB. The tables provide information on users and their characteristics. If you choose yes, a UNIX user or UNIX group that is updated through the Policy Model is also updated in the NIS passwd and group files.
8. Enter y if you want to update the NIS/DNS tables. The script now asks you for the location of the NIS passwd and group files.
9. Enter the full path of the NIS password file.
The script registers the full path and continues.
10. Enter the full path of the NIS group file.
The script registers the full path and continues.
11. Enter n or press Enter if you do not want to update the NIS/DNS tables. The script registers your answer and continues.
12. Enter the users that you want to give special attributes for the PMDB:
13. Enter Privileged Access Manager Server Control administrator names as necessary, then press Enter without entering an administrator name. Administrators are authorized to change the properties of the PMDB.
At least one administrator must be defined in a PMDB (root is the default).
14. Enter enterprise user administrator names as necessary, then press Enter without entering an administrator name.
15. Enter Privileged Access Manager Server Control auditor names as necessary, then press Enter without entering an auditor name. Auditors are authorized to view the PMDB audit log files.
16. Enter enterprise user auditor names as necessary, then press Enter without entering an auditor name.
17. Enter Privileged Access Manager Server Control password manager names as necessary, then press Enter without entering a password manager name.
18. Enter enterprise user password manager names as necessary, then press Enter without entering a password manager name.
Password managers are authorized to change passwords in the PMDB.
The script registers your answer and continues.
19. Enter administration terminals as necessary, then press Enter without entering an administration terminal.
The script registers all administration terminals and then reports the selections that you have made and asks you to confirm them.
20. Press Enter to confirm the selections you have made, or enter n to rerun the script with new inputs. If you confirm your selections, a new PMDB is created using the answers that you supplied.
Create and Configure Subscriber PMDBs
Once you have a master PMDB configured, if you want to extend your hierarchy, create and configure subscriber PMDBs. On a local host, you can use the sepmdadm command.
The following procedure shows the interactive form of the sepmdadm command. For information about using the command-line parameters for all input, see the Reference Guide.
Follow these steps:
1. In a command line, enter the following command:
sepmdadm -i
Privileged Access Manager Server Control starts the Policy Model database administration script (sepmdadm) and displays a menu with options for you to choose from.
2. Enter 2 to select the second option (create a subsidiary PMDB and define its subscribers and parent).
The script is configured to ask you the relevant questions.
3. Press Enter to continue.
The script continues to ask you the first question.
4. Enter a name for the Policy Model you want to create.
The script registers the Policy Model name and continues.
5. Enter the name of the first subscriber computer you want to specify.
The script registers the name of the first subscriber and then asks you to enter the name of the next subscriber.
6. Continue to enter subscriber names as necessary, then press Enter without entering a subscriber name.
The script registers all subscriber names and continues.
Note: You still must point each subscriber computer to its parent PMDB.
7. Enter the name of the parent PMDB.
The script registers the parent PMDB name and continues.
Note: sepmdadm only lets you enter one parent for each subscribing database. You can, however, define multiple parents for each database. To do this, modify the parent_pmd token of the pmd.ini configuration file. For more information about using this token, see the Reference Guide.
8. If you are running NIS, NIS+, or DNS, choose whether you want to update the NIS/DNS tables with PMDB changes.
Updates are made to users and groups in the PMDB. The tables provide information on users and their characteristics. If you choose yes, a UNIX user or UNIX group that is updated through the Policy Model is also updated in the NIS passwd and group files.
9. Enter y if you want to update the NIS/DNS tables. The script now asks you for the location of the NIS passwd and group files.
10. Enter the full path of the NIS password file.
The script registers the full path and continues.
11. Enter the full path of the NIS group file.
The script registers the full path and continues.
12. Enter n or press Enter if you do not want to update the NIS/DNS tables. The script registers your answer and continues.
13. Enter the users that you want to give special attributes for the PMDB:
14. Enter Privileged Access Manager Server Control administrator names as necessary, then press Enter without entering an administrator name. Administrators are authorized to change the properties of the PMDB.
At least one administrator must be defined in a PMDB (root is the default).
15. Enter enterprise administrator names as necessary, then press Enter without entering an administrator name.
16. Enter Privileged Access Manager Server Control auditor names as necessary, then press Enter without entering an auditor name. Auditors are authorized to view the PMDB audit log files.
17. Enter enterprise user auditor names as necessary, then press Enter without entering an auditor name.
18. Enter Privileged Access Manager Server Control password manager names as necessary, then press Enter without entering a password manager name. Password managers are authorized to change passwords in the PMDB.
19. Enter enterprise user password manager names as necessary, then press Enter without entering a password manager name.
The script registers your answer and continues.
20. Enter administration terminals as necessary, then press Enter without entering an administration terminal.
The script registers all administration terminals and then reports the selections that you have made and asks you to confirm them.
21. Press Enter to confirm the selections you have made, or enter n to rerun the script with new inputs. If you confirm your selections, a new PMDB is created using the answers that you supplied.
Define Parent PMDBs for Subscribing Computers
To establish an endpoint computer as a subscriber to a PMDB, you must do more than register the subscriber's name in the PMDB. You also need to complete a procedure at the subscriber computer.
To define parent PMDBs for subscribing computers
1. In a command line on the subscriber computer, start sepmdadm in interactive mode:
sepmdadm -i
Privileged Access Manager Server Control starts the Policy Model database administration script (sepmdadm) and displays a menu with options for you to choose from.
2. Enter 3 to select the third option (define the parent and password PMDBs of the local host).
The script is configured to ask you the relevant questions.
3. Press Enter to continue.
The interactive script continues to ask you the first question.
If Privileged Access Manager Server Control is running, the script issues a warning and lets you stop Privileged Access Manager Server Control before the script is rerun.
4. Enter the name of the parent PMDB.
The script registers the name of the parent PMDB and continues.
5. Enter the name of the parent password PMDB.
The script registers the name of the parent password PMDB and then reports the selections you have made and asks you to confirm them.
6. Press Enter to confirm the selections you have made, or enter n to rerun the script with new inputs. If you confirm your selections, the subscriber computer is set up with these inputs.
Note: sepmdadm only lets you enter one parent for each subscribing database. You can, however, define multiple parents for each database. To do this, modify the parent_pmd token of the seos.ini configuration file. For more information about using this token, see the Reference Guide.
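The three procedures above make a subscription two-sided: the PMDB must list the endpoint, and the endpoint's parent_pmd token must name that PMDB. The following added example (not product code) cross-checks both sides and flags a PMDB that subscribes to one of its own descendants; it assumes the parent_pmd token is written as "parent_pmd = a, b" and that subscriber and PMDB names are used consistently on both sides.

```python
# Added example (not product code): cross-check a PMDB hierarchy. A subscription
# is complete only when the PMDB lists the endpoint as a subscriber AND the
# endpoint's parent_pmd token names that PMDB. Token format is assumed: "parent_pmd = a, b".
import re

def parse_parent_pmd(ini_text):
    """Return the parent PMDB names set by the parent_pmd token in a
    pmd.ini / seos.ini fragment (empty list if the token is absent)."""
    for line in ini_text.splitlines():
        m = re.match(r"\s*parent_pmd\s*=\s*(.*?)\s*$", line)
        if m:
            return [p.strip() for p in m.group(1).split(",") if p.strip()]
    return []

def has_cycle(parents):
    """True if following parent links from some PMDB leads back to it."""
    def loops(node, path):
        if node in path:
            return True
        return any(loops(p, path + (node,)) for p in parents.get(node, []))
    return any(loops(n, ()) for n in parents)

def check_hierarchy(subscribers, endpoint_ini):
    """subscribers: {pmdb: [hosts entered as its subscribers in sepmdadm]}.
    endpoint_ini: {host: its pmd.ini/seos.ini text}. Returns problem strings."""
    problems = []
    for pmdb, hosts in subscribers.items():
        for host in hosts:
            if pmdb not in parse_parent_pmd(endpoint_ini.get(host, "")):
                problems.append(f"{host}: listed by {pmdb} but its parent_pmd does not name it")
    for host, text in endpoint_ini.items():
        for parent in parse_parent_pmd(text):
            if host not in subscribers.get(parent, []):
                problems.append(f"{host}: parent_pmd names {parent}, which does not list it")
    # only endpoints that are themselves PMDBs can form a propagation loop
    links = {h: [p for p in parse_parent_pmd(t) if p in subscribers]
             for h, t in endpoint_ini.items() if h in subscribers}
    if has_cycle(links):
        problems.append("cycle: a PMDB subscribes to one of its own descendants")
    return problems

# Constructed sample: host3 was registered at sub_pmd, but step 3 was never run on it.
SAMPLE_SUBSCRIBERS = {"master_pmd": ["sub_pmd", "host1"], "sub_pmd": ["host2", "host3"]}
SAMPLE_INI = {
    "sub_pmd": "[pmd]\nparent_pmd = master_pmd\n",
    "host1": "[pmd]\nparent_pmd = master_pmd\n",
    "host2": "[pmd]\nparent_pmd = sub_pmd\n",
    "host3": "[pmd]\n",
}
```

Run check_hierarchy(SAMPLE_SUBSCRIBERS, SAMPLE_INI) to get the list of endpoints whose parent definition is missing or inconsistent; an empty list means every subscription is registered on both sides.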