Policy Model Service (sepmdd)

Valid on Windows
capamsc141
Policy Model Service (sepmdd) is the PMDB service. This service performs the following functions:
  • Administers the PAM Server Control and Windows databases of the Policy Model
  • Administers the subscribers database
  • Propagates changes from the PMDB to the subscriber databases
SeOSAgent starts the sepmdd service. There is no need to run sepmdd explicitly. The two possible states for each Policy Model are Started and Stopped.
The PMDBs are stored in a common directory. The registry value _pmd_directory_ in the subkey HKLM\Software\ComputerAssociates\AccessControl\Pmd specifies the name of the common directory. Each Policy Model resides in a subdirectory of the common directory. The name of the Policy Model is the name of the subdirectory in which it resides.
When sepmdd starts, it checks whether any subscriber databases need to be updated. If necessary, it updates them. After this startup process, the sepmdd service waits for user requests. User requests are sent by the Policy Model management utility sepmd and by selang using the PAM Server Control Agent.
When a request is received, sepmdd applies it to the PMDB and sends the result back to the user. If the request should be propagated, sepmdd propagates the update to its subscriber databases.
The sepmdd service tries to update a subscriber database for 30 seconds. If this period elapses and the service has not succeeded in updating a subscriber, it skips that particular subscriber and tries to update the remainder of the subscribers on its list. After it completes its first scan of the subscriber list, sepmdd performs a second scan, in which it tries to update the subscribers that it did not succeed in updating during its first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).
If a subscriber is unavailable during the second scan, sepmdd attempts to send it updates every 30 minutes.
Because the updates must be sent in the order in which they are received, sepmdd does not send subsequent updates to the subscriber database until it becomes available.
Each time sepmdd fails to update a subscriber database, a warning message is written in the Policy Model error log.
Filter Mechanism
You may want your PMDB to update the subscriber stations below it selectively. To define which records are sent to the subscriber stations, set the Policy Model's Filter registry string value to the path of a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.
Here is an example:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd\PolicyModelName\Filter
A filter file consists of lines with six fields per line. The fields contain this information:
  • The form of access permitted or prohibited
    Valid values are: AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.
  • The environment affected
    Valid values are: AC, CONFIG, UNIX, NT, or NATIVE.
  • The class of the record
    Valid values include all classes in PAM Server Control, including user-defined classes.
  • The objects within the class that the rule covers
    For example: User1, AuditGroup, or COM2.
  • The properties that the record grants or cancels
    For example, including GROUPS and FULLNAME in the filter line for user records means that any command having those user properties is filtered. You must enter each property exactly as it appears.
  • Whether such records should be forwarded to the subscriber station
    Valid values are: PASS or NOPASS.
You can use an asterisk to mean all possible values in any field. If more than one line covers the same records, the first applicable line is used.
In each line of the filter file, spaces separate the fields. In fields with more than one value, separate the values with semicolons. Any line beginning with # is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:
CREATE AC USER * FULLNAME;OBJ_TYPE NOPASS
The six fields of this line are, in order:
Field                   Value
form of access          CREATE
environment             AC
class                   USER
record name (* = all)   *
properties              FULLNAME;OBJ_TYPE
treatment               NOPASS
If, for example, the file with this line is named Printer1_Filter.flt and the registry value HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd\PM-\Filter contains the path C:\Program Files\CA\PAMSC\data\Printer1_Filter.flt, then Policy Model PM-1 does not send records that create PAM Server Control users with the FULLNAME and OBJ_TYPE properties (admin, auditor, and so on). The asterisk in the record name field means that the line applies regardless of the user's name.
The selang commands that are relevant for each access value are:
Access              selang Command
AUTHORIZE_DELETE    authorize-
AUTHORIZE_MODIFY    authorize
CREATE              newres, newusr, newgrp, newfile
DELETE              rmres, rmusr, rmgrp, rmfile, join- (UNIX)
DEPLOY              deploy
EDIT                editres, editusr, editgrp, editfile
FILESCAN            search
GET                 get devcalc
JOIN_DELETE         join-
JOIN_MODIFY         join
MODIFY              chres, chusr, chgrp, chfile, join (UNIX)
READ                list
START               start devcalc
UNDEPLOY            deploy- (undeploy)
PAM Server Control does not validate rules; therefore, if you enter an invalid value in a rule, the rule will never match an update transaction.
Registry Subkeys
Each PMDB has its own registry subkey under:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\Pmd
This subkey contains the values that define and determine the activity of the PMDB. If the subkey does not already exist, the sepmdd service creates it with the minimum number of entries needed.
Notes
  • When you use selang and choose a Policy Model as your target (using hosts pmd@hostname), queries to sepmdd apply to the PMDB but not to the various subscribers' databases.
  • Ensure that a PMDB does not become a subscriber of itself. If a PMDB is subscribed to itself, the Policy Model may block or the network may become overloaded, filling the disk in the process.
  • You cannot specify more than one user with the newusr command when you are working in the UNIX environment using selang to update a Policy Model.
  • You cannot specify more than one group with the newgrp command when you are working in the UNIX environment using selang to update a Policy Model.
  • When updating UNIX file attributes from selang, the Policy Model generates a message stating that the command has been passed to its subscribers.
  • When working on a Policy Model, you cannot query the status of Windows file attributes.
  • The sepmdd service remains active indefinitely until it is deactivated with the -k option.