Provision Access Policies

Provision access policies to enforce access rules for specific users and user groups. Policies associating users with devices can be defined at a granular level (device and port), so each user has access only to the devices and applications needed to do their job.
A policy is a set of configuration values identifying permitted or required:
  • Access types (access method applets, TCP/UDP, and application services)
  • Access restrictions (command filters, socket filters)
  • Passwords (which involve Devices and resident applications)
  • Recording (graphical or command line)
A Policy specifies the interactivity between:
  • one registered user or user group (including LDAP and RADIUS), and
  • one managed device or device Group
After a user logs in to a device using the policy assignments, the appliance can:
  • Record user activity
  • Perform command filtering
  • Terminate user leapfrog attempts
Access Provisioning
The access capabilities that you provide for a Device are available for specification in Policy. See Set Up Access to a Target Device for information about setting up access capabilities for Devices.
Access Restrictions
Through a Policy, these restrictions to Device or Device Group access can be imposed on a particular User or User Group:
  • Command Filtering
  • Socket Filtering
Command Filtering
You can use command filter lists to enforce policies in the command line applets TELNET, SSH, and serial consoles.
Both Command Filtering and Socket Filtering use whitelists and blacklists to set the appropriate policy.
  • A command-filtering blacklist is a list of commands that a user cannot type. If the user attempts to type the command, the appliance can flag (log), alert, remediate, and stop the command from being processed. All other commands are allowed.
  • A command-filtering whitelist is a list of the commands that a user can type. All other commands are prohibited.
Command filter whitelists cannot be configured for Mainframe TN3270 and TN5250 applets.
The Command Filter Configuration (CFC) sets the behavior of the blacklist and whitelist command filters.
Command Filter Alerts Example
From: [email protected]
To: [email protected]
Cc:
Subject: Alert Msg from xsuite1
-------------------------------------------------------------------------------
Date/Time: Fri, 1 Oct 2010 14:09:05
User ID: Traveler123
User Source IP: 168.0.2.123
Violation on: LinuxBox12
Captured Keystrokes: rlogin
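The following is an added example, not the product's own code, of how a blacklist or whitelist command filter is evaluated against a typed command and how a violation is turned into an alert in the format shown above. The CommandFilter model, the stop_command flag standing in for the Command Filter Configuration, and the sample values are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
import shlex

# Hypothetical model of a Policy's command filter list (added example, not the
# product's own code); the stop_command flag stands in for the CFC behavior.
@dataclass
class CommandFilter:
    mode: str        # "blacklist" or "whitelist"
    commands: set    # bare command names, e.g. {"rlogin", "telnet"}

def evaluate_command(line, cf):
    """Return (allowed, command_name) for one line the user typed."""
    try:
        argv = shlex.split(line)
    except ValueError:           # unbalanced quotes: treat as a violation
        return False, line.strip()
    if not argv:
        return True, ""
    cmd = argv[0].rsplit("/", 1)[-1]   # /usr/bin/rlogin and rlogin are the same command
    if cf.mode == "blacklist":
        return cmd not in cf.commands, cmd
    return cmd in cf.commands, cmd      # whitelist: anything not listed is prohibited

def alert_message(user, source_ip, device, keystrokes, when, host="xsuite1"):
    """Render a violation in the alert format shown above."""
    return "\n".join([
        f"Subject: Alert Msg from {host}",
        "-" * 79,
        f"Date/Time: {when:%a}, {when.day} {when:%b %Y %H:%M:%S}",
        f"User ID: {user}",
        f"User Source IP: {source_ip}",
        f"Violation on: {device}",
        f"Captured Keystrokes: {keystrokes}",
    ])

def enforce(line, cf, user, source_ip, device, when, stop_command=True):
    """Flag, alert and (per the CFC) stop a violating command.
    Returns (forwarded_to_device, alert_text_or_None)."""
    allowed, _ = evaluate_command(line, cf)
    if allowed:
        return True, None
    return not stop_command, alert_message(user, source_ip, device, line.strip(), when)

def example_violation():
    """Constructed replay of the alert above: Traveler123 types rlogin on LinuxBox12."""
    cf = CommandFilter("blacklist", {"rlogin", "telnet"})
    return enforce("rlogin", cf, "Traveler123", "168.0.2.123", "LinuxBox12",
                   datetime(2010, 10, 1, 14, 9, 5))
```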
Socket Filtering
Socket Filter Agents (SFAs) are Privileged Access Manager components that are used to restrict access either to server-based devices or from server-based devices. Socket filters provide a different kind of access control than command filtering, which is applied to devices with finite command sets, such as routers and switches.
Three components are required:
  • Socket Filter Lists – to define either a socket blacklist (specifying where access is prohibited) or whitelist (specifying where access is allowed)
  • Socket Filter Agents – to apply rules that are specified by Socket Filter Lists and used in Policies
  • Socket Filter Configuration – to apply agent behavior across all Privileged Access Manager-managed devices using socket filter agents
Socket Filter Lists (SFLs)
Socket Filter Lists define groups of servers or networks that can be applied to a policy for LeapFrog Prevention.
Socket Filter Agents (SFAs)
Once a Socket Filter Agent is deployed and a user connects through Privileged Access Manager to the host Device, the SFA downloads the user policy. The SFA then enforces any blacklist or whitelist filters at the Device. A blacklist contains devices and ports that a user is prevented from accessing. A whitelist identifies the only devices and ports that a user can connect to. The SFA does not inspect or disturb any other connections to that Device, such as production web traffic or Privileged Access Manager users who are not restricted.
SFAs can be installed on Windows and Linux devices. The Linux root account is exempt from SFA rules and restrictions. Windows administrator accounts are subject to SFA rules and restrictions.
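An added example, not the agent's own code, of the decision an SFA makes for an outbound connection attempt from the host Device: a Socket Filter List of host-or-network/port rules in blacklist or whitelist mode, with the Linux root exemption and Windows administrator coverage described above. The SocketFilterList model and the sample LeapFrog Prevention list are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

# Hypothetical model of a Socket Filter List and of the check an SFA applies to a
# connection attempt leaving the host Device (added example, not the agent's code).
@dataclass
class SocketFilterList:
    mode: str     # "blacklist" (listed targets denied) or "whitelist" (only listed allowed)
    rules: list   # (network_or_host, port) tuples; port None means any port

def _matches(rule, host, port):
    net, rule_port = rule
    if rule_port is not None and rule_port != port:
        return False
    return ipaddress.ip_address(host) in ipaddress.ip_network(net, strict=False)

def socket_allowed(sfl, host, port):
    """Blacklist: deny on any match. Whitelist: allow only on a match."""
    hit = any(_matches(r, host, port) for r in sfl.rules)
    return not hit if sfl.mode == "blacklist" else hit

def sfa_decision(sfl, account, os_name, host, port):
    """Return (allowed, reason), honoring the exemptions described above:
    the Linux root account is exempt, Windows administrators are not."""
    if os_name == "linux" and account == "root":
        return True, "root is exempt from SFA rules"
    allowed = socket_allowed(sfl, host, port)
    return allowed, ("permitted" if allowed else "blocked") + " by " + sfl.mode

# Constructed sample for LeapFrog Prevention: deny SSH and TELNET hops from the
# host Device into the 10.0.0.0/8 management network; everything else untouched.
LEAPFROG_BLACKLIST = SocketFilterList("blacklist", [("10.0.0.0/8", 22), ("10.0.0.0/8", 23)])
```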
Socket Filter Configuration (SFC)
Global values that affect the behavior of the socket filter agents are found under Socket Filter Configuration, accessible through the Policies menu.
CA Technologies advises verifying your organization's policies before setting up socket filtering. Network heartbeat checks might not be allowed.
Amazon Web Services (AWS)
When a connection is made to AWS after populating the Config, 3rd Party, AWS settings, the Policy, Manage Policies, AWS Policies link interface is established for specifying an AWS IAM Policy.
Defining AWS Policies
AWS policy is applied for AWS privileges when accessing the AWS management interface. Initially, the Manage AWS Policies editing window holds two default versions, but you can edit or create an IAM policy.
Although Privileged Access Manager is designed to pass an IAM Policy to AWS, AWS does not accept an AWS Policy that is "too lengthy." The length limit is not a predictable value, but can be evaluated by AWS before processing to avoid errors. Therefore, Privileged Access Manager sends all submitted policies to AWS for preprocessing. If the size limit is exceeded, an error message is relayed to the Privileged Access Manager user.
Workaround:
Some guidance on permitted length is provided in this AWS Forum thread:
https://forums.aws.amazon.com/thread.jspa?threadID=80882
Specifying AWS Policies
When a Service has been configured for access to the AWS management interface, the credential specification pop-up window in the Manage Policy interface also provides for the IAM policy specification through the AWS Policy field at the right-hand side of the pop-up window.
Session Recording
In addition to the access controls that are applied in advance, session recording can be assigned to policy, providing a view of User actions after the fact. As recordings, they simulate the environment of the User to provide a view into what transpired during a connection session.
Privileged administrators also apply control during sessions with the ability to terminate a connection session or log a User off Privileged Access Manager, while Privileged Access Manager logging is another tracking resource, both during and after a session.
In the command-line applets (TELNET, SSH, and Console), user keystrokes can be recorded. Graphical session recording is available with the RDP and VNC applets.
Recordings are identified in the GUI as line items. They can be searched with variable text filtering. When a recording identifies a User violation, this fact is marked inside the recording as the User views it. The line item record is also highlighted in bold red.
The session recording logs are not stored on Privileged Access Manager. The session recording files can be stored on mount points or sent to a syslog consolidation server.
Use a directory mounted to a Windows or UNIX server for session recordings to be available through the administration interface. The session recordings can be viewed in Sessions, Session Recordings.
Session Recording policy is set for a user/user group – device/device group pair in Policies, Manage Policies.
In the Recording pane:
  • Selecting Command Line records user entry, and if Bidirectional is selected, Privileged Access Manager records both the user entry and the device responses.
  • Selecting Graphical records the user GUI interaction with the Windows server as a movie that can be played, stopped at any point, and replayed from any point.