Configure Access Policies

To enforce device access rules for specific users and user groups, you create policies. Policies for associating users and devices can be created at a granular level (device and port). Each user then has access only to devices and applications that they require to do their jobs.
A policy is a set of configuration values identifying permitted or required:
  • Access types (access method applets, TCP/UDP, and application services)
  • Access restrictions (command filters, socket filters)
  • (which involve Devices and resident applications)
  • (graphical or command line)
A policy specifies the interactivity between a registered user or user group (including LDAP and RADIUS) and a managed device or device group.
After a user logs in to a device using the policy assignments, the appliance can:
  • Record user activity
  • Perform command and socket filtering
  • Terminate user leapfrog attempts
Access Provisioning
The access capabilities that you provide for a device are available for specification in policies. See Set Up Access to a Target Device for information about setting up access capabilities for Devices. 
Access Restrictions
Through a Policy, these restrictions to device or device group access can be imposed on a particular User or User Group:
  • Command Filtering
  • Socket Filtering
Command Filtering
You can use command filter lists to enforce policies in the command line applets TELNET, SSH, and serial consoles.
Both Command Filtering and Socket Filtering use whitelists and blacklists to set the appropriate policy.
  • A command-filtering blacklist is a list of commands that a user may not type. If the user attempts to type a listed command, the appliance can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.
  • A command-filtering whitelist is a list of the commands that a user may type. All other commands are prohibited.
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
The Command Filter Configuration (CFC) sets the behavior of the blacklist and whitelist command filters.
Example Alert
From: [email protected]
To: [email protected]
Subject: Alert Msg from xsuite1
Date/Time: Fri, 1 Oct 2010 14:09:05
User ID: Traveler123
User Source IP:
Violation on: LinuxBox12
Captured Keystrokes: rlogin
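The alert above is plain key/value text, which is convenient for forwarding to a SIEM only once it has been normalised. The following parser is an added example, not code from the article or from Privileged Access Manager; the sample message, the field names it expects, and the `parse_alert`/`to_event` functions are assumptions modelled on the alert shown, and the e-mail addresses are constructed placeholders.

```python
import re

# Constructed sample message, modelled on the example alert above (not a real alert).
SAMPLE_ALERT = """\
From: alerts@pam.example.invalid
To: soc@example.invalid
Subject: Alert Msg from xsuite1
Date/Time: Fri, 1 Oct 2010 14:09:05
User ID: Traveler123
User Source IP:
Violation on: LinuxBox12
Captured Keystrokes: rlogin
"""

# One "Key: value" line; the value may be empty (as "User Source IP:" is above).
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_alert(text):
    """Split the alert body into a dict of raw header fields (hypothetical helper)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def to_event(fields):
    """Normalise the raw fields into a flat event record for a SIEM.

    Empty fields (such as a missing source IP) become None rather than "",
    so downstream correlation rules can distinguish 'absent' from a value.
    """
    m = re.search(r"Alert Msg from (\S+)", fields.get("Subject", ""))
    return {
        "appliance": m.group(1) if m else None,   # which appliance raised the alert
        "timestamp": fields.get("Date/Time") or None,
        "user": fields.get("User ID") or None,
        "source_ip": fields.get("User Source IP") or None,
        "device": fields.get("Violation on") or None,  # device the filter fired on
        "command": fields.get("Captured Keystrokes") or None,  # blacklisted command
    }


if __name__ == "__main__":
    print(to_event(parse_alert(SAMPLE_ALERT)))
```

The parser deliberately keeps the raw header dict separate from the normalised event so that fields the appliance adds later are preserved without breaking the schema used by detection rules.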
Socket Filtering
Socket Filter Agents (SFAs) are Privileged Access Manager components that are used to restrict access either to server-based devices or from server-based devices. Socket filters provide a different kind of access control than devices with finite command sets, such as routers, for which command filtering is applied.
Three components are required:
  • Socket Filter Lists – to define either a socket blacklist (specifying where access is prohibited) or whitelist (specifying where access is allowed)
  • Socket Filter Agents – to apply rules that are specified by Socket Filter Lists and used in Policies.
  • Socket Filter Configuration – to apply agent behavior across all Privileged Access Manager-managed devices using socket filter agents.
Socket Filter Lists (SFLs)
Socket Filter Lists define groups of servers or networks that can be applied to a policy for leapfrog prevention.
Socket Filter Agents (SFAs)
Once a Socket Filter Agent is deployed and a user connects through Privileged Access Manager to the host Device, the SFA downloads the user policy. The SFA then enforces at the Device any blacklist or whitelist filters. A blacklist contains devices and ports that the user is prevented from accessing. A whitelist identifies the only devices and ports that a user can connect to. The SFA does not inspect or disturb any other connections to that Device, such as production web traffic or Privileged Access Manager users who are not restricted.
SFAs can be installed on Windows and Linux devices. The Linux root account is exempt from SFA rules and restrictions. Windows administrator accounts are subject to SFA rules and restrictions.
Socket Filter Configuration (SFC)
Global values that affect the behavior of the socket filter agents are found under Socket Filter Configuration, accessible through the Policies menu.
We recommend that you verify your organization policies before setting up socket filtering. Network heartbeat checks might not be allowed.
Session Recording
In addition to the access controls that are applied in advance, session recording can be assigned to a policy, providing a view of User actions after the fact. As recordings, they simulate the environment of the User to provide a view into what transpired during a connection session.
Privileged administrators also apply control during sessions with the ability to terminate a connection session or log a User off Privileged Access Manager, while Privileged Access Manager logging is a further resource for tracking a session while it is in progress or afterward.
In the command-line applets (TELNET, SSH, and Console), user keystrokes can be recorded. Graphical session recording is available with the RDP and VNC applets.
Recordings are identified in the GUI as line items. They can be searched with variable text filtering. When a recording identifies a User violation, this fact is marked inside the recording as the User views it. The line item record is also highlighted in bold red.
The session recording logs are not stored on Privileged Access Manager. The session recording files can be stored on mount points or sent to a syslog consolidation server.
Use a directory mounted to a Windows or UNIX server for session recordings to be available through the administration interface. The session recordings can be viewed in Session Recordings.
Session Recording policy is set for a user/user group – device/device group pair in Policies, Manage Policies.
In the 
  • Selecting Command Line records user entry; with the additional option selected, Privileged Access Manager records both the user and device responses.
  • Selecting the graphical recording option records the user GUI interaction with the Windows server as a movie that can be played, stopped, and replayed from any point.
Overlapping Policies
A user can be a member of a group policy and can have an individual policy for the same device. That user can also have access to an individual device and to a device group that includes that device. Therefore, users might have differing parameters set in overlapping policies. Privileged Access Manager follows these rules when combining features from different policies that pertain to a user-device association:
Session Recording
If any policy involving the user and the device enables session recording, session recording is enabled.
Whitelists and Blacklists
Whitelists are added together so that the more whitelists for a user, the more options the user has.
Blacklists are added together so that the more blacklists for a user, the more commands are blocked for that user.
If both whitelists and blacklists exist, then access to the relevant applets and service is disabled. When a user tries to launch them, they get a general error message in the UI. The audit log has a detailed message explaining the conflict.
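The combination rules above, together with the blacklist/whitelist semantics described under Command Filtering and Socket Filtering, can be modelled as a short resolver. The code below is an added example, not code from the article or from Privileged Access Manager: the `Policy` class, `resolve_access`, `evaluate`, the policy names, users, devices and group names are all constructed for illustration. It goes slightly beyond the text in one respect: the same logic is applied to command filter entries (strings) and to socket filter entries (host, port pairs), since the article describes both as blacklists and whitelists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One user/user-group to device/device-group policy (hypothetical model)."""
    name: str
    subjects: frozenset            # users or user groups the policy applies to
    targets: frozenset             # devices or device groups it applies to
    record_session: bool = False
    whitelist: frozenset = frozenset()   # permitted entries; everything else denied
    blacklist: frozenset = frozenset()   # denied entries; everything else permitted


def resolve_access(policies, user, user_groups, device, device_groups, audit):
    """Combine every policy that links this user (or a group) to this device (or a group).

    Rules taken from the article: recording is on if any policy enables it,
    whitelists are unioned, blacklists are unioned, and if both kinds exist
    access is disabled and the conflict is written to the audit log.
    """
    subjects = {user, *user_groups}
    targets = {device, *device_groups}
    applicable = [p for p in policies if p.subjects & subjects and p.targets & targets]

    record = any(p.record_session for p in applicable)
    whitelist = frozenset().union(*(p.whitelist for p in applicable))
    blacklist = frozenset().union(*(p.blacklist for p in applicable))
    enabled = not (whitelist and blacklist)

    if not enabled:
        audit.append(
            f"conflict: {user}->{device}: whitelist {sorted(map(str, whitelist))} and "
            f"blacklist {sorted(map(str, blacklist))} from policies "
            f"{[p.name for p in applicable]}; access disabled"
        )
    return {"enabled": enabled, "record": record,
            "whitelist": whitelist, "blacklist": blacklist}


def evaluate(resolved, entry, audit):
    """Decide whether one entry (a command, or a (host, port) pair) is allowed."""
    if not resolved["enabled"]:
        return False                      # applets/services disabled: nothing gets through
    if resolved["whitelist"]:
        allowed = entry in resolved["whitelist"]
    else:
        allowed = entry not in resolved["blacklist"]
    if not allowed:
        audit.append(f"violation: {entry!r} blocked")   # what the alert/log would carry
    return allowed


def demo():
    """Constructed scenario: alice is in group 'ops' and has two individual policies."""
    audit = []
    policies = [
        Policy("ops-linux", frozenset({"ops"}), frozenset({"linux-servers"}),
               record_session=True, blacklist=frozenset({"rlogin", "telnet"})),
        Policy("alice-box12", frozenset({"alice"}), frozenset({"LinuxBox12"}),
               blacklist=frozenset({"su"})),
        Policy("alice-lab", frozenset({"alice"}), frozenset({"lab-hosts"}),
               whitelist=frozenset({"ls", "cat"})),
        Policy("alice-jump", frozenset({"alice"}), frozenset({"jump01"}),
               blacklist=frozenset({("10.0.0.5", 22)})),   # socket filter style entry
    ]
    # Two blacklists overlap: they add up, session recording is inherited from the group.
    box12 = resolve_access(policies, "alice", {"ops"}, "LinuxBox12", {"linux-servers"}, audit)
    # A whitelist and a blacklist overlap: access is disabled and audited.
    lab01 = resolve_access(policies, "alice", {"ops"}, "lab01", {"lab-hosts", "linux-servers"}, audit)
    # Socket filter: only the listed host:port is blocked from jump01.
    jump = resolve_access(policies, "alice", set(), "jump01", set(), audit)
    return {
        "box12": box12,
        "box12_rlogin": evaluate(box12, "rlogin", audit),
        "box12_ls": evaluate(box12, "ls", audit),
        "lab01": lab01,
        "lab01_ls": evaluate(lab01, "ls", audit),
        "jump_ssh_blocked": evaluate(jump, ("10.0.0.5", 22), audit),
        "jump_https_ok": evaluate(jump, ("10.0.0.9", 443), audit),
        "audit": audit,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The conflict case is the one worth testing in a real deployment: a user who is blocked with only a generic UI error is easy to misdiagnose unless the audit log entry is forwarded alongside the filter alerts.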
Amazon Web Services (AWS)
When a connection is made to AWS after populating the 3rd Party settings, the Manage Policies, AWS Policies link interface is established for specifying an AWS IAM Policy.
Defining AWS Policies
AWS policy is applied for AWS privileges when accessing the AWS management interface. Initially, the editing window Manage AWS Policies holds two default versions, but you can edit or create an IAM policy.
Privileged Access Manager is designed to pass an IAM Policy to AWS, but AWS does not accept an AWS Policy that is "too lengthy." The length limit is not a predictable value, but AWS can evaluate it before processing to avoid errors. Therefore, Privileged Access Manager sends all submitted policies to AWS for preprocessing. If the size limit is exceeded, an error message is relayed to the Privileged Access Manager
Some guidance on permitted length is provided in this AWS Forum thread:
Specifying AWS Policies
When a Service has been configured for access to the AWS management interface, the credential specification pop-up window in the Manage Policy interface also provides for the IAM policy specification through the AWS Policy field at the right-hand side of the pop-up window.