Filter Mechanism

You may want your PMDB to selectively update the subscriber stations below it. To define which records are sent to the subscriber stations, point the filter token in the pmd.ini file to a filter file. Updates to the subscriber stations are then limited to the records that pass the filter file.
A filter file consists of lines with six fields per line. The fields contain the following information:
  • The form of access permitted or prohibited. The possible values are AUTHORIZE_DELETE, AUTHORIZE_MODIFY, CREATE, DELETE, DEPLOY, EDIT, FILESCAN, GET, SEOS_ACCS_READ, JOIN_DELETE, JOIN_MODIFY, MODIFY, READ, START, or UNDEPLOY.
  • The environment affected. The possible values are AC, CONFIG, UNIX, NT, or NATIVE.
  • The class of the record. The possible values include all classes in CA ControlMinder, including user-defined classes.
  • The objects within the class that the rule covers. For example, User1, AuditGroup, or TTY1.
  • The properties that the record grants or cancels. For example, OWNER and FULL_NAME in the filter line for user records means that any command that sets those user properties is filtered. You must enter each property name exactly as it is spelled.
  • Whether such records should be forwarded to the subscriber station or not. The possible values are PASS or NOPASS.
You can use an asterisk in any field to mean all possible values. If more than one line covers the same records, the first applicable line is used.
In each line of the filter file, spaces separate the fields. In fields with more than one value, semicolons separate the values. Any line beginning with # is considered a comment line. Empty lines are not allowed. Here is an example of a line from a filter file:
CREATE AC USER * FULL_NAME;OBJ_TYPE NOPASS

The six fields of this line, in order, are: form of access (CREATE), environment (AC), class (USER), record name (* = all), properties (FULL_NAME;OBJ_TYPE), and treatment (NOPASS).
For example, suppose the file with this line is named TTY1_FILTER, and the pmd.ini file of the Policy Model TTY1 contains the line filter=/opt/CA/AccessControl/TTY1_FILTER. The Policy Model TTY1 then does not send records that create new CA ControlMinder users with the FULL_NAME and OBJ_TYPE properties (Admin, auditor, and so on). The asterisk in the record name field means the rule applies regardless of the user name.
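The following Python matcher for the filter file format described above is an added example, not CA's code or part of the page. The parse_filter_file and filter_update functions, every sample rule after the first, and two semantics the page leaves open (a properties field matches when the update carries any listed property; PASS is returned when no line matches) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class FilterRule:
    access: set       # form of access, e.g. {"CREATE"}; {"*"} = all
    environment: set  # AC, CONFIG, UNIX, NT, NATIVE
    cls: set          # record class, e.g. {"USER"}
    objects: set      # record names
    properties: set   # properties the record grants or cancels
    treatment: str    # PASS or NOPASS

def parse_filter_file(text):
    """Six space-separated fields per line, ';' between values in a field,
    '#' starts a comment line, empty lines are not allowed."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue
        fields = raw.split()
        if len(fields) != 6:  # also rejects the empty lines the format forbids
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        # No token validation, as in the product: an unknown value never matches.
        rules.append(FilterRule(*[set(f.split(";")) for f in fields[:5]], treatment=fields[5]))
    return rules

def _hit(rule_values, actual):
    return "*" in rule_values or actual in rule_values

def filter_update(rules, access, env, cls, obj, props, default="PASS"):
    """First applicable line wins. Assumptions (the page does not say): a
    properties field matches if the update carries any listed property, and
    `default` is returned when no line matches."""
    for r in rules:
        if not (_hit(r.access, access) and _hit(r.environment, env)
                and _hit(r.cls, cls) and _hit(r.objects, obj)):
            continue
        if "*" not in r.properties and not (r.properties & set(props)):
            continue
        return r.treatment
    return default

# Constructed sample filter file; only the first line is the page's example.
# The third line carries a misspelled access value to show it never matches.
SAMPLE_FILTER = """# constructed TTY1_FILTER-style file
CREATE AC USER * FULL_NAME;OBJ_TYPE NOPASS
MODIFY;DELETE AC;UNIX USER;GROUP * * PASS
CREAT AC USER * * NOPASS
"""
RULES = parse_filter_file(SAMPLE_FILTER)
```

Calling filter_update(RULES, "CREATE", "AC", "USER", "User1", ["FULL_NAME"]) returns NOPASS, while the same create with only OWNER set falls through every line and returns the default.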
The following are the selang commands that are relevant for each access value:

Access              selang Command
AUTHORIZE_DELETE    authorize-
AUTHORIZE_MODIFY    authorize
CREATE              newres, newusr, newgrp, newfile
DELETE              rmres, rmusr, rmgrp, rmfile, join- (UNIX)
DEPLOY              deploy
EDIT                editres, editusr, editgrp, editfile
FILESCAN            search
GET                 get devcalc
JOIN_DELETE         join-
JOIN_MODIFY         join
MODIFY              chres, chusr, chgrp, chfile, join (UNIX)
READ                list
START               start devcalc
UNDEPLOY            deploy- (undeploy)
CA ControlMinder does not validate rules; therefore, if you enter an invalid value in a rule, the rule never matches an update transaction.