Filter Mechanism

You may want your PMDB to update the subscriber stations below it selectively. To define which records are sent to the subscriber stations, point the filter token in the pmd.ini file to a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.
A filter file consists of lines with six fields per line. The fields contain the following information:
  • The form of access that is permitted or prohibited. The possible values are AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.
  • The environment that is affected. The possible values are AC, CONFIG, UNIX, NT, or NATIVE.
  • The class of the record. The possible values include all classes in Privileged Access Manager, including user-defined classes.
  • The objects within the class that the rule covers. For example, User1, AuditGroup, or TTY1.
  • The properties that the record grants or cancels. For example, OWNER and FULL_NAME in the filter line for user records mean that any command that sets those user properties is filtered. You must enter each property name exactly; a misspelled property name never matches.
  • Whether such records should be forwarded to the subscriber station or not. The possible values are PASS or NOPASS.
You can use an asterisk in any field to mean all possible values. If more than one line covers the same records, the first applicable line is used.
In each line of the filter file, spaces separate the fields. In fields with more than one value, semicolons separate the values. Any line beginning with # is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:
CREATE AC USER * FULL_NAME;OBJ_TYPE NOPASS

The six fields of this line, in order:
  • form of access: CREATE
  • environment: AC
  • class: USER
  • record name: * (* = all)
  • properties: FULL_NAME;OBJ_TYPE
  • treatment: NOPASS
For example, suppose that the file containing this line is named TTY1_FILTER, and the pmd.ini file of the Policy Model TTY1 contains the line filter=/opt/CA/PAMSC/TTY1_FILTER. The Policy Model TTY1 then does not send records that create Privileged Access Manager users and set the FULL_NAME and OBJ_TYPE properties (Admin, auditor, and so on). The asterisk in the record name field means that this applies regardless of the user name.
The following list shows the selang commands that are relevant for each access value:
  • AUTHORIZE_DELETE: authorize-
  • AUTHORIZE_MODIFY: authorize
  • CREATE: newres, newusr, newgrp, newfile
  • DELETE: rmres, rmusr, rmgrp, rmfile, join- (UNIX)
  • DEPLOY: deploy
  • EDIT: editres, editusr, editgrp, editfile
  • FILESCAN: search
  • GET: get devcalc
  • JOIN_DELETE: join-
  • JOIN_MODIFY: join
  • MODIFY: chres, chusr, chgrp, chfile, join (UNIX)
  • READ: list
  • START: start devcalc
  • UNDEPLOY: deploy- (undeploy)
Privileged Access Manager does not validate rules. If you enter an invalid value in a rule, the rule never matches an update transaction, so a typo silently disables that line instead of producing an error. Check the spelling of every access, environment, and treatment value against the lists above before you point the filter token at the file.
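As an added example (not code from Privileged Access Manager or its documentation), the following Python script parses a filter file according to the format described above, applies first-match semantics to sample update transactions, and adds a lint pass for the caveat just stated: since the product does not validate rules, a mistyped value such as CREAT produces a line that never matches. The sample filter, the Update structure, the rule that a properties field matches when ANY listed property is present in the update, and the PASS default for updates that match no line are all assumptions for the example, not documented behaviour.

```python
"""Parse a PMDB filter file and decide which update records pass (added example)."""
from dataclasses import dataclass

# Documented value lists from this page. Class and property names are not checked:
# classes may be user-defined and the page lists no property names.
ACCESS_VALUES = {"AUTHORIZE_DELETE", "AUTHORIZE_MODIFY", "CREATE", "DELETE", "DEPLOY",
                 "EDIT", "FILESCAN", "GET", "SEOS_ACCS_READ", "JOIN_DELETE",
                 "JOIN_MODIFY", "MODIFY", "READ", "START", "UNDEPLOY"}
ENVIRONMENT_VALUES = {"AC", "CONFIG", "UNIX", "NT", "NATIVE"}
TREATMENT_VALUES = {"PASS", "NOPASS"}


@dataclass(frozen=True)
class Rule:
    lineno: int
    access: frozenset
    environment: frozenset
    klass: frozenset
    objects: frozenset
    properties: frozenset
    treatment: str


@dataclass(frozen=True)
class Update:
    """One update transaction (assumed shape for the example, not the product's)."""
    access: str
    environment: str
    klass: str
    obj: str
    properties: frozenset


def _values(field):
    # '*' means all values; otherwise ';' separates the exact values.
    return frozenset({"*"}) if field == "*" else frozenset(field.split(";"))


def parse_filter(text):
    """Parse filter text into Rules: '#' lines are comments, empty lines are an error."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            raise ValueError(f"line {lineno}: empty lines are not allowed")
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(Rule(lineno, *map(_values, fields[:5]), fields[5]))
    return rules


def _hit(allowed, value):
    return "*" in allowed or value in allowed


def matches(rule, update):
    """True if the rule applies; a rule with an invalid treatment never matches."""
    if rule.treatment not in TREATMENT_VALUES:
        return False
    return (_hit(rule.access, update.access)
            and _hit(rule.environment, update.environment)
            and _hit(rule.klass, update.klass)
            and _hit(rule.objects, update.obj)
            # assumption: the rule applies if ANY listed property is in the update
            and ("*" in rule.properties or bool(rule.properties & update.properties)))


def decide(rules, update, default="PASS"):
    """First applicable line wins: returns (treatment, line number or None).
    The page does not say what happens when no line matches; PASS is assumed."""
    for rule in rules:
        if matches(rule, update):
            return rule.treatment, rule.lineno
    return default, None


def lint(rules):
    """Report values outside the documented lists; the product does not validate
    them, so such a line silently never matches."""
    problems = []
    for r in rules:
        for name, got, known in (("access", r.access, ACCESS_VALUES),
                                 ("environment", r.environment, ENVIRONMENT_VALUES),
                                 ("treatment", {r.treatment}, TREATMENT_VALUES)):
            for bad in sorted(got - known - {"*"}):
                problems.append(f"line {r.lineno}: unknown {name} value {bad!r}, "
                                "this line will never match")
    return problems


# Constructed sample filter, modelled on the TTY1_FILTER line on this page.
# Line 5 carries a deliberate typo (CREAT) to show the no-validation caveat.
SAMPLE_FILTER = """\
# constructed sample filter
CREATE AC USER * FULL_NAME;OBJ_TYPE NOPASS
MODIFY AC USER root * PASS
MODIFY;DELETE AC * * OWNER;AUDIT_MODE NOPASS
CREAT AC TERMINAL * * NOPASS
* NT * * * PASS
"""
```

Run `lint(parse_filter(SAMPLE_FILTER))` before deploying a filter: it reports the CREAT line, which the product itself would accept and then never apply. `decide(rules, Update("CREATE", "AC", "USER", "User1", frozenset({"FULL_NAME"})))` returns `("NOPASS", 2)`, while the same update for a TERMINAL object falls through every line and is passed by default, exactly the silent failure the caveat above warns about.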