Configure Policies to Provision User Access to Devices and Applications

To configure the product to provision privileged access to devices and applications, you configure the following objects:
  • Devices
     – Represent physical devices and IP-addressable applications.
  • Users
     – Represent individuals who can log in to Privileged Access Manager.
  • Policies
     – Define the relationships between users (or user groups) and devices (or device groups), specifying what actions each user is permitted to do with each device.
In simplest terms, policies determine what Device access options appear on the Access screen of each logged-in user and whether their sessions are recorded.
This article describes these objects in more detail.
Devices
A device object is a Privileged Access Manager-managed, IP-addressable network node that is the potential access target of a user, for example a Windows or Linux system. You manage Devices from the Devices, Manage Devices screen in the UI.
When creating or importing devices, verify that the Access Device Type option is selected; otherwise the device is not available in access policy selection lists.
The Password Management and A2A device types are related to credential management. For more information, see Protect Privileged Account Credentials.
Access Types
For each device, you specify one or more of the following access types to determine the ways in which it can be accessed:
  • Access Methods: Prepackaged applets that provide standard connectivity.
  • Services: Configure services to extend the types of access beyond the predefined Access Methods to provide custom access to:
    • TCP/UDP Services
    • RDP Applications
Access types that are configured at the device level determine all the possible access options available when configuring a policy involving that device. The access type or types that are presented to a user are specified in the corresponding access policy.
Access Methods
Access Methods are standard prepackaged Java communications applets that run in the CA PAM Client or a supported browser. Access Methods are available for VNC, TELNET, SSH, RDP, and serial connections. Access Methods are predefined with standard ports and are available to assign to devices out of the box. To modify the default ports or disable Access Methods, go to Global Settings, Access Methods.
TCP/UDP Services
Configure TCP/UDP Services to define custom access to known ports and to specific applications. These services may include fat client applications such as SQL query frontends, mainframe clients, or any proprietary application that uses a TCP or UDP connection. Web portals and web applications are also configured as Services.
Privileged Access Manager includes several preconfigured SFTP/FTP Services that support common SFTP/FTP servers, including OpenSSH-derived Linux, AIX, Solaris SFTP, and Microsoft IIS implementations.
Configure other TCP/UDP Services (from Services, TCP/UDP Services) before configuring device definitions that require them.
RDP Applications
Define RDP Applications to provide access to RemoteApps, that is, single target-hosted applications that are published through the RDP protocol, instead of allowing access to the entire desktop.
Configure RDP Applications (from Services, RDP Applications) before configuring device definitions that require them.
Device Groups
For ease of administration, devices can be added and managed in groups. Devices in a device group are those which share common access methods and functionality, such as IIS Web Servers or UNIX and Linux variants. When using device groups, deny takes precedence: when selecting the access types available to a group, access types that are unavailable at the device level are not available at the group level. In other words, the most restrictive policy is used when a conflict arises.
When choosing Access Methods and Services for device groups, include all possible access methods and services for all devices in the group.
Users
A user is a person who can log in to Symantec PAM. To simplify management, organize users in user groups. Use roles to determine the permissions that a user has within Privileged Access Manager. User groups follow an inheritance model, and roles can be assigned to groups and users.
Credential Manager has its own set of roles and user groups, separate from the roles and user groups defined for access.
User Groups
User groups allow common sets of users to inherit the same role, authentication method, and other variables. User groups thus simplify management: a modification to the role for the group changes the role of all members. Groups can also be used when creating access policies instead of creating a policy for each individual user.
Roles
A role is a predefined set of privileges in a functional area.
Symantec PAM has many predefined roles that satisfy most requirements. You can also create custom roles using built-in granular privileges. Standard user is the common role that is assigned to general users accessing devices. For a complete list of user roles, see User Roles.
User Configuration Methods
You can create local user accounts manually or you can import them from CSV files. Users can also be imported from and synchronized with an LDAP user store such as Active Directory. When configured for RADIUS or PKI, users are added when they first log in to Symantec PAM.
Most Symantec PAM production deployments use LDAP or RADIUS for authentication.
Policies
A policy is a set of permissions that is granted to a Symantec PAM user or user group to access the interface of a Symantec PAM device or device group. For connections using the SSH and RDP access methods, you can even configure transparent (automated) login. Simply put, a policy defines the relationship between a user and a device and results in an access link or links appearing on the Access page of that user.
For example, the following screenshot shows the Access page for a user for whom a policy assigns the SSH Access Method to a device named UNIX-AUX.
[Screenshot: Access page for the user, showing the SSH access link for the device UNIX-AUX]
A policy also optionally specifies whether to record all or some of the actions a user performs while accessing a device. Recording can be enabled based on the specified Access Type. Command line and bi-directional recording apply to SSH/Telnet and Mainframe sessions. Graphical recording is available for RDP connection and web portal types.
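The device-group rule described under Device Groups (deny takes precedence) and the way a policy turns into access links on a user's Access page, modelled as an added illustration; this is not Privileged Access Manager code. The class names, the RECORDING_FOR lookup, and the assumption that a policy can present only access types its target actually offers are taken from the prose above.

```python
from dataclasses import dataclass

# Recording modes the page ties to each access type (assumed lookup, not PAM's own).
RECORDING_FOR = {
    "SSH": ("command line", "bi-directional"),
    "TELNET": ("command line", "bi-directional"),
    "RDP": ("graphical",),
    "Web Portal": ("graphical",),
}

@dataclass(frozen=True)
class Device:
    name: str
    access_types: frozenset  # Access Methods and Services enabled at the device level

@dataclass
class DeviceGroup:
    name: str
    devices: list

    def effective_access_types(self):
        """Deny takes precedence: only types enabled on every member device survive."""
        sets = [d.access_types for d in self.devices]
        return frozenset.intersection(*sets) if sets else frozenset()

@dataclass
class Policy:
    user: str
    target: object  # a Device or a DeviceGroup
    access_types: frozenset  # access types this policy presents to the user
    record: bool = False

def access_links(policies, user):
    """Links the user's Access page would show: (device, access type, recording modes)."""
    links = []
    for p in policies:
        if p.user != user:
            continue
        if isinstance(p.target, DeviceGroup):
            allowed, devices = p.target.effective_access_types(), p.target.devices
        else:
            allowed, devices = p.target.access_types, [p.target]
        for d in devices:
            # A policy cannot grant an access type the target does not offer.
            for at in sorted(p.access_types & allowed):
                modes = RECORDING_FOR.get(at, ()) if p.record else ()
                links.append((d.name, at, modes))
    return links
```

Feeding it a group of a UNIX device (SSH, TELNET) and a Windows device (RDP, SSH) shows RDP dropped from the group even though one member supports it, which is the "most restrictive" behaviour the text describes.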
You can create policies manually or can import them from a CSV file.
Use Credential Manager to configure Policies with automated login.
More Information
 
To configure policies to provision user access to devices and applications, do the following procedures in the order shown: