Set Up a Policy

Describes how to configure a policy to a user-device pair to define user access to the device.
As an administrator, configure a policy to a user-device pair to define user access to the device.
Assign a policy using one of the following methods:
A policy can also be applied based on inheritance from a parent group.
A user
effective policy
spans these categories, as the union of all policy assignments. It reflects the range of device and access options available to a user as represented on the
page. As an administrator, you can view a user effective policy in
Manage Users
Manage Policy
also dynamically adds devices and target accounts to the
page of a user if those devices and target accounts are members a of a Credential Manager target group that is referenced by a Credential Manager user group to which the user belongs. For more information, see Dynamic Addition of Devices to the Access Page Based on Credential Manager Target Group Membership.
The configuration of a device provides a template for choosing access methods are allowed for a particular user. The scope of this template has previously been defined by the attributes that are assigned in the device record.
A unique
can exist between every match of each of the first (users and user groups) with each of the second (devices and device groups). For example, if there are three users and three devices, after matching each user with each device, there could be up to nine different policies. For information about overlapping policies, see Overlapping Policies on Provision Access Policies.
For information about Credential Manager password policies, see Set Up Password Composition and View Policies.
  • Session recording activation requires that storage is configured in advance on the
    Logs, Session Recording
  • The components of the policy first so that they are available to include in a policy.Define users, devices, access types, services, and filters.
Policy Template
Create an association with a user and device using the policy template. To import policies using a CSV file, see Import or Export Policies.
These procedures begin from the Policy menu. However, for some user records, you can edit a policy template from the user record by selecting
Manage Policy
Follow these steps:
  1. Select
    Manage Policies
  2. Complete
    of the following actions:
    • Create a new policy by clicking
    • Select an existing policy record and click
      . If the policy record is not listed, find it by selecting the User/User Group or Device/Device group search criteria at the top of the screen.
  3. If you are adding a new policy, use the fields in the
    section to locate the user or device that you want to associate in a policy.
  4. For the
    User Group
    field, use the search icon to display the list of choices, and select the matching full name from the drop-down list. Select
  5. For the
    Device Group
    field, use the search icon to display the list of choices, and select the matching full name from the drop-down list. Select
    . If you select a device group, only those access methods that are specified for the group are displayed.
  6. On the
    tab, select one or more entries from the list and move it to the Selected Access list.
  7. On the
    tab, select one or more services available for a provisioned device.
  8. On the
    tab, set SAML options as appropriate. (SAML must already be configured for anything to show here.)
  9. On the
    tab, select the passwords the user or user group can manage. Then, select from the available device or device group defined target applications. When you select a target application, you can also select one or more provisioned target accounts for that application that the user can manage.For AWS AMI instance on UNIX and Linux devices, only EC2 keys auto-populate as options.
  10. If Socket Filter Agents are installed in the environment, select the available command and socket filters to assign to the black and white lists on the
    tab. The filters listed are those set up in the
    option of the UI. Select the
    Restrict login if agent is not running
    check box.
    • If the product cannot detect a running SFA on the device and an SFA-monitored connection is attempted, the login is rejected. Unmonitored connection instances are never rejected by selecting this option.
    • SFAs monitor the following connections: Access Method GUI, CLI, and mainframe applets; and RDP, VNC, and ICA Services.
    • SFAs do not monitor: standard (customized) Services and Web Portal Services.
  11. If session recording capability is configured, specify the types of recording to make using the options on the
    tab. Set one or more of the following available options (availability depends on the selected access methods on the
    • Graphical
      (available for RDP and VNC access methods): Record user activity graphically.
    • Command Line
      (available for TELNET, SSH, and Console access methods): Record user activity on the target device as plain text.
      • Bidirectional
        (applicable for command line recordings only): Record command line output from the operating system or application and input that the user types. Bidirectional recording is required for SSH Proxy applets. All mainframe-access applets apply bidirectional session recording when you enable recording.
    • Web Portal
      (available for VNC access method only): Record user activity on the web portal graphically.
    • On Violation
      (only valid if no other recording options are set): Start recording only when a user causes a violation against a Command Filter or Socket Filter during a session. The recording continues until the user ends the connection session.
    To view session recordings when accessed through a Juniper SA appliance, configure a policy for allowing custom headers. See Junos configuration that is required for viewing session recordings.
  12. Select
    Login Integration
    on the
    PAM Server Control
    tab if you are integrating with PAM Server Control. See
    Privileged Access Manager
    Server Control Login Integration
    for more information.
  13. Select a
    on the
    Transparent Login
    tab if you are using Transparent Login. See Device Setup, Transparent Login for more information.
  14. Click
    . You return to the Policies list.The activated device or password access is now available for execution from the Access page of the user.
Junos Configuration Required for Viewing Session Recordings
To view session recordings when
Privileged Access Manager
is accessed through a Juniper SA appliance, configure a policy for allowing custom headers.
Follow these steps:
  1. Navigate to Resource Policies, Web, Custom Headers.
  2. Create a policy.
  3. Specify the IP address of the web portal resource that this policy applies to, with protocol specification, for example:
  4. Select the allow custom headers action.
More information