Set Up a Policy
Describes how to configure a policy to a user-device pair to define user access to the device.
As an administrator, configure a policy to a user-device pair to define user access to the device.
Assign a policy using one of the following methods:
A policy can also be applied based on inheritance from a parent group.
effective policyspans these categories, as the union of all policy assignments. It reflects the range of device and access options available to a user as represented on the
Accesspage. As an administrator, you can view a user effective policy in
CA PAMalso dynamically adds devices and target accounts to the
Accesspage of a user if those devices and target accounts are members a of a Credential Manager target group that is referenced by a Credential Manager user group to which the user belongs. For more information, see Dynamic Addition of Devices to the Access Page Based on Credential Manager Target Group Membership.
The configuration of a device provides a template for choosing access methods are allowed for a particular user. The scope of this template has previously been defined by the attributes that are assigned in the device record.
policycan exist between every match of each of the first (users and user groups) with each of the second (devices and device groups). For example, if there are three users and three devices, after matching each user with each device, there could be up to nine different policies. For information about overlapping policies, see Overlapping Policies on Configure Access Policies.
For information about Credential Manager password policies, see Set Up Password Composition and View Policies.
- Session recording activation requires that storage is configured in advance on theConfiguration,Logs, Session Recordingpage.
- The components of the policy first so that they are available to include in a policy.Define users, devices, access types, services, and filters.
Create an association with a user and device using the policy template. To import policies using a CSV file, see Import or Export Policies.
These procedures begin from the Policy menu. However, for some user records, you can edit a policy template from the user record by selecting
Follow these steps:
- SelectPolicies,Manage Policies.
- Completeoneof the following actions:
- Create a new policy by clickingAdd.
- Select an existing policy record and clickUpdate. If the policy record is not listed, find it by selecting the User/User Group or Device/Device group search criteria at the top of the screen.
- If you are adding a new policy, use the fields in theAssociationsection to locate the user or device that you want to associate in a policy.
- For theUserorUser Groupfield, use the search icon to display the list of choices, and select the matching full name from the drop-down list. SelectOK.
- For theDeviceorDevice Groupfield, use the search icon to display the list of choices, and select the matching full name from the drop-down list. SelectOK. If you select a device group, only those access methods that are specified for the group are displayed.
- On theAccesstab, select one or more entries from the list and move it to the Selected Access list.
- On theServicestab, select one or more services available for a provisioned device.
- On theSAMLtab, set SAML options as appropriate. (SAML must already be configured for anything to show here.)
- On thePasswordtab, select the passwords the user or user group can manage. Then, select from the available device or device group defined target applications. When you select a target application, you can also select one or more provisioned target accounts for that application that the user can manage.For AWS AMI instance on UNIX and Linux devices, only EC2 keys auto-populate as options.
- If Socket Filter Agents are installed in the environment, select the available command and socket filters to assign to the black and white lists on theFilterstab. The filters listed are those set up in theFiltersoption of the UI. Select theRestrict login if agent is not runningcheck box.
- If the product cannot detect a running SFA on the device and an SFA-monitored connection is attempted, the login is rejected. Unmonitored connection instances are never rejected by selecting this option.
- SFAs monitor the following connections: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services.
- SFAs do not monitor: standard (customized) Services and Web Portal Services.
- If session recording capability is configured, specify the types of recording to make using the options on theRecordingtab. Set one or more of the following available options (availability depends on the selected access methods on theAccesstab):
- Graphical(available for RDP and VNC access methods): Record user activity graphically.
- Command Line(available for TELNET, SSH, and Console access methods): Record user activity on the target device as plain text.
- Bidirectional(applicable for command line recordings only): Record command line output from the operating system or application and input that the user types. Bidirectional recording is required for SSH Proxy applets. All mainframe-access applets apply bidirectional session recording when you enable recording.
- Web Portal(available for VNC access method only): Record user activity on the web portal graphically.
- On Violation(only valid if no other recording options are set): Start recording only when a user causes a violation against a Command Filter or Socket Filter during a session. The recording continues until the user ends the connection session.
- ClickOK. You return to the Policies list.The activated device or password access is now available for execution from the Access page of the user.
Junos Configuration Required for Viewing Session Recordings
To view session recordings when
Privileged Access Manageris accessed through a Juniper SA appliance, configure a policy for allowing custom headers.
Follow these steps:
- Navigate to Resource Policies, Web, Custom Headers.
- Create a policy.
- Specify the IP address of the web portal resource that this policy applies to, with protocol specification, for example:https://192.0.2.123
- Select the allow custom headers action.