Filter Mechanism
You may want your PMDB to selectively update the subscriber stations below it. To define which records are sent to the subscriber stations, point the filter token in the pmd.ini file to a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.
A filter file consists of lines with six fields per line. The fields contain the following information:
- The form of access permitted or prohibited. The possible values are AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.
- The environment affected. The possible values are AC, CONFIG, UNIX, NT, or NATIVE.
- The class of the record. The possible values include all classes in CA ControlMinder, including user-defined classes.
- The objects within the class that the rule covers. For example, User1, AuditGroup, or TTY1.
- The properties that the record grants or cancels. For example, OWNER and FULL_NAME in the filter line for user records mean that any command that sets either of those user properties is filtered. You must enter each property name exactly as it is defined; a misspelled property never matches.
- Whether such records should be forwarded to the subscriber station or not. The possible values are PASS or NOPASS.
You can use an asterisk in any field to mean all possible values. If more than one line covers the same records, the first applicable line is used.
In each line of the filter file, spaces separate the fields. In fields with more than one value, semicolons separate the values. Any line beginning with # is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:
CREATE AC USER * FULL_NAME;OBJ_TYPE NOPASS

The six fields of this line, in order, are:
- CREATE: form of access
- AC: environment
- USER: class
- *: record name (* = all)
- FULL_NAME;OBJ_TYPE: properties
- NOPASS: treatment
For example, suppose the file containing this line is named TTY1_FILTER, and the pmd.ini file of the Policy Model TTY1 contains the line filter=/opt/CA/AccessControl/TTY1_FILTER. The Policy Model TTY1 then does not send its subscribers any record that creates a new CA ControlMinder user and sets the FULL_NAME or OBJ_TYPE property (Admin, auditor, and so on). The asterisk in the record-name field means the rule applies regardless of the user's name.
The following are the selang commands that are relevant for each access value:
| Access | selang Command |
| --- | --- |
| AUTHORIZE_DELETE | authorize- |
| AUTHORIZE_MODIFY | authorize |
| CREATE | newres, newusr, newgrp, newfile |
| DELETE | rmres, rmusr, rmgrp, rmfile, join- (UNIX) |
| DEPLOY | deploy |
| EDIT | editres, editusr, editgrp, editfile |
| FILESCAN | search |
| GET | get devcalc |
| JOIN_DELETE | join- |
| JOIN_MODIFY | join |
| MODIFY | chres, chusr, chgrp, chfile, join (UNIX) |
| READ | list |
| START | start devcalc |
| UNDEPLOY | deploy- (undeploy) |
CA ControlMinder does not validate filter rules. If you enter an invalid value in a rule (for example, a misspelled access, environment, or property name), the rule never matches an update transaction, so the line silently has no effect. Check each value against the lists above before you rely on a filter to hold back records.
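The following Python is an added example, not CA ControlMinder's own code, that demonstrates both the filter-file format described above (space-separated fields, semicolon-separated multi-values, asterisk wildcards, comment lines, first applicable line wins) and the validation gap just noted: it parses a filter file, evaluates a sample update transaction against it, and lints the fixed-vocabulary fields so a misspelled value is reported instead of silently never matching. The matching semantics are an interpretation of the page's wording: a rule's property field matches when the update sets any of the listed properties, and the PASS default when no line matches is an assumption, as is the sample filter text.

```python
"""Illustrative parser, matcher, and linter for a PMDB filter file.

This is example code, not CA ControlMinder's implementation. A filter line has
six space-separated fields:
    access  environment  class  objects  properties  treatment
'*' in a field matches every value; several values are separated by ';'.
The first line that matches an update transaction decides PASS or NOPASS.
"""

# Fixed vocabularies taken from the documentation. Class and property names
# depend on the installed class schema, so they are not checked here.
ACCESS_VALUES = {
    "AUTHORIZE_DELETE", "AUTHORIZE_MODIFY", "CREATE", "DELETE", "DEPLOY",
    "EDIT", "FILESCAN", "GET", "SEOS_ACCS_READ", "JOIN_DELETE",
    "JOIN_MODIFY", "MODIFY", "READ", "START", "UNDEPLOY",
}
ENV_VALUES = {"AC", "CONFIG", "UNIX", "NT", "NATIVE"}
TREATMENT_VALUES = {"PASS", "NOPASS"}


class FilterSyntaxError(ValueError):
    """Raised for a line that does not have the six-field shape."""


def _field(token):
    """'*' stays a wildcard; anything else becomes the set of ';'-separated values."""
    return "*" if token == "*" else set(token.split(";"))


def parse_filter(text):
    """Parse filter-file text into a list of (lineno, rule) tuples.

    Each rule is a dict with keys access, env, cls, objects, props, treatment;
    every field except treatment is either '*' or a set of strings.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):            # comment line
            continue
        if not raw.strip():                # the documentation forbids empty lines
            raise FilterSyntaxError(f"line {lineno}: empty lines are not allowed")
        tokens = raw.split()
        if len(tokens) != 6:
            raise FilterSyntaxError(f"line {lineno}: expected 6 fields, got {len(tokens)}")
        access, env, cls, objects, props, treatment = tokens
        rules.append((lineno, {
            "access": _field(access), "env": _field(env), "cls": _field(cls),
            "objects": _field(objects), "props": _field(props), "treatment": treatment,
        }))
    return rules


def lint_filter(rules):
    """Report values outside the documented vocabularies.

    ControlMinder does not validate rules, so a misspelled value produces a
    line that never matches; this catches that for the fixed-vocabulary fields.
    """
    warnings = []
    for lineno, rule in rules:
        for name, allowed in (("access", ACCESS_VALUES), ("env", ENV_VALUES)):
            if rule[name] != "*":
                for value in sorted(rule[name] - allowed):
                    warnings.append(f"line {lineno}: unknown {name} value '{value}' (line never matches)")
        if rule["treatment"] not in TREATMENT_VALUES:
            warnings.append(f"line {lineno}: treatment must be PASS or NOPASS, got '{rule['treatment']}'")
    return warnings


def _matches(field, value):
    return field == "*" or value in field


def decide(rules, access, env, cls, obj, props, default="PASS"):
    """Return 'PASS' or 'NOPASS' for one update transaction.

    props is the set of properties the command sets. A rule's property field
    matches when the update touches any listed property (interpretation of the
    documentation). Returning `default` when no line matches is an assumption.
    """
    for _lineno, rule in rules:
        if (_matches(rule["access"], access) and _matches(rule["env"], env)
                and _matches(rule["cls"], cls) and _matches(rule["objects"], obj)
                and (rule["props"] == "*" or rule["props"] & set(props))):
            return rule["treatment"]
    return default


# Constructed sample filter; the first rule is the documentation's example
# line, the second contains a deliberate misspelling for the linter to find.
SAMPLE_FILTER = """\
# Do not propagate user creations that carry FULL_NAME or OBJ_TYPE
CREATE AC USER * FULL_NAME;OBJ_TYPE NOPASS
CRAETE AC USER * * NOPASS
* * * * * PASS
"""

if __name__ == "__main__":
    rules = parse_filter(SAMPLE_FILTER)
    for warning in lint_filter(rules):
        print("warning:", warning)
    print(decide(rules, "CREATE", "AC", "USER", "User1", {"FULL_NAME", "PASSWORD"}))
    print(decide(rules, "CREATE", "AC", "USER", "User1", {"PASSWORD"}))
```

Running the module lints the sample filter (flagging the CRAETE line as one that can never match) and then shows that a newusr transaction setting FULL_NAME is held back while one setting only PASSWORD falls through to the catch-all PASS line. Running the linter over a real filter file before pointing the filter token at it is the check the page's last sentence implies.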