Filter policy and action tables
Disclosure filter logic is stored within two external data store (extdb) tables: pam_disclosure_filter_policy and pam_disclosure_filter_action. The action table stores each type of disclosure method installed and the plugin that it activates. The policy table is where rules determine which disclosure methods are available to a user when they request a password. These disclosure methods can be restricted based on the platform type of the managed account, the recipient's user class or group membership, or a variety of other attributes.
Disclosure Filter Policy and Action Tables
The policy and action tables are linked and rely on each other to deliver disclosure options to requesters. The disclosure filter policy table grants access to disclosure options, whereas the associated disclosure filter action table sets specific attributes of those disclosure options (timeouts and so on).
Bravura Privilege executes all actions that reference (via a foreign key) a policy that passes. This design allows a user to configure a single policy that activates one or more disclosure plugins.
Not all columns in a policy or action table rule have to be populated, only the ones the rule purpose requires. If multiple columns are populated for the rule, the condition is an AND, whereby all conditions of the rule must be true for the rule to trigger its action. If OR logic is needed, add separate rules for each condition requirement.
Like all policy tables, the last policy that passes wins. If you have conflicting actions, the last one overwrites any previous conflicting actions.
Policy Engine terminology:
Wildcard Field
A text field that supports wildcard matching uses Unix filename pattern matching. The field tests whether the variable and the field match. The following operations can be used:
* - Match everything
? - Match a single character
[seq] - Matches any character in seq
[!seq] - Matches any character not in seq
Expression Field
An expression that will determine the value of the field when Bravura Privilege evaluates the field. The Mako templating language is used and all data is stored in the obj_data variable.
These expressions are commonly used for building group names, for example, “application_${obj_data.account.acctid}_view”.
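As an added example (not Bravura Privilege's own code), the following Python shows how the field kinds described above behave: wildcard fields via Python's fnmatch (the same Unix filename pattern rules), expression fields via a minimal stand-in for Mako that resolves only dotted obj_data lookups, and the ClientIPCIDR test from the policy table. The obj_data attribute names (account.acctid, account.targetid, recipient.ip, platform.type) are constructed for the example and are not the product's real schema.

```python
"""Matching primitives for disclosure filter policy fields.

Added illustration, not Bravura Privilege code. It mimics three field kinds:
Wildcard fields (Unix filename patterns, here via fnmatch), Expression fields
(Mako "${...}" templates over obj_data; a stand-in that resolves only dotted
attribute paths replaces Mako), and the ClientIPCIDR column (CIDR test
against the requester's IP address).
"""
from fnmatch import fnmatchcase
import ipaddress
import re
from types import SimpleNamespace

# Constructed request context standing in for obj_data. Attribute names are
# assumptions for this example, not the product's real object model.
OBJ_DATA = SimpleNamespace(
    account=SimpleNamespace(acctid="svc_backup", targetid="WIN-PROD-01"),
    recipient=SimpleNamespace(userid="alice", ip="10.20.30.40"),
    platform=SimpleNamespace(type="WINNT"),
)

_EXPR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")


def render_expression(template, obj_data):
    """Resolve ${obj_data.a.b} placeholders by attribute lookup only.

    Real deployments use the Mako templating language, which can evaluate
    arbitrary Python; this stand-in deliberately permits only dotted names
    rooted at obj_data, so a template cannot run code.
    """
    def resolve(match):
        path = match.group(1).split(".")
        if path[0] != "obj_data":
            raise ValueError(f"unknown root {path[0]!r}; only obj_data is exposed")
        value = obj_data
        for part in path[1:]:
            value = getattr(value, part)
        return str(value)
    return _EXPR.sub(resolve, template)


def wildcard_match(pattern, value):
    """Unix filename pattern matching: * ? [seq] [!seq], case-sensitive."""
    return fnmatchcase(value, pattern)


def field_matches(field, value, obj_data, wildcard=True):
    """Test one policy column against the request value.

    An unpopulated column (None or empty) never fails the rule: only populated
    columns take part in the AND across a rule. Plain text renders unchanged,
    so the same path handles Text, Wildcard and Expression fields.
    """
    if field is None or field == "":
        return True
    rendered = render_expression(field, obj_data)
    if wildcard:
        return wildcard_match(rendered, value)
    return rendered == value


def client_ip_in_cidr(cidr, client_ip):
    """ClientIPCIDR column: true when the requester's address is in the mask."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Group-name construction as in the text, then a wildcard and a CIDR test.
    print(render_expression("application_${obj_data.account.acctid}_view", OBJ_DATA))
    print(field_matches("WIN*", OBJ_DATA.platform.type, OBJ_DATA))
    print(client_ip_in_cidr("10.20.0.0/16", OBJ_DATA.recipient.ip))
```

Note that fnmatchcase is case-sensitive, so a PlatformType pattern of `winnt` would not match `WINNT`; match the platform ID exactly as the product reports it.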
Disclosure Filter Policy Table
Note
Each table in the external data store (extdb) has configuration options that only product administrators with all administrative privileges (superuser) can modify. Superusers can access the configuration options by clicking on the plus (+) symbol located below the table. See External data store Table configuration options for details.
The following table outlines the supported options and usage of the fields in the pam_disclosure_filter_policy extdb table.
Field | Supports | Description | Input |
---|---|---|---|
StageNumber | Integer | The grouping stage number used to determine the ordering of sets of rules. | required, not NULL |
RuleNumber | Integer | The rule number used to determine the evaluation order of rules within a stage. | required, not NULL |
SkipRemaining | Combo Box | Use this column to skip evaluation of some of the remaining rules. One of: | optional |
Comment | Text | Rule description. | optional |
FilterID | Text | The ID for the filter that is used by the action table. | required, not NULL |
Operation | Text, Expression | Operation of request, or an expression to evaluate. | optional |
PlatformType | Text, Wildcard, Expression | The platform type of the target. For example, Windows Server, Linux, Oracle. | optional |
MSPID | Text, Wildcard, Expression | The managed system policy ID that the requested privileged access is managed under. To future-proof policies, avoid using this column. | optional |
ClientIPCIDR | Text, Expression | The CIDR mask to test against the user’s IP address. | optional |
AccountID | Text, Wildcard, Expression | The account ID. Only usable for account checkouts. | optional |
AccountTargetID | Text, Wildcard, Expression | The Target ID associated with the account. Only usable for account checkouts. | optional |
RecipientUserclass | Text, Expression | Single-participant user class to evaluate for recipient membership. | optional |
RequesterUserclass | Text, Expression | Single-participant user class to evaluate for requester membership. Note: The recipient generally is tested for disclosure filter policies, not the requester. | optional |
GroupFQNrecipientMembershipTargetID | Text, Expression | The Target ID of the managed account group defined in GroupFQNrecipientMembership. | optional |
GroupFQNrecipientMembership | Text, Expression | The Group ID to which the recipient belongs. Requires GroupFQNrecipientMembershipTargetID to be defined. Group short ids are also accepted. | optional |
GroupFQNrequesterMembershipTargetID | Text, Expression | The Target ID associated with the managed group defined in GroupFQNrequesterMembership. | optional |
GroupFQNrequesterMembership | Text, Expression | The group ID of the requester. Requires GroupFQNrequesterMembershipTargetID to be defined. Only usable for account checkouts. To future-proof policies, avoid using this column. | optional |
RequestAttributeBoolTrue | Text, Expression | The Profile or Request Attribute ID which should have its truth value evaluated. If defined, this will match if the attribute is set to True. If the attribute is False or undefined, the rule will not apply. | optional |
RequestAttributeBoolFalse | Text, Expression | The Profile or Request Attribute ID which should have its truth value evaluated. If defined, this will match if the attribute is set to False. If the attribute is True or undefined, the rule will not apply. | optional |
AttributeType | Combo Box | Defines what the attribute defined by AttributeID is associated with. One of: | optional |
AttributeID | Text, Expression | The Attribute ID. Requires Attribute Type to be defined. | optional |
AttributeValue | Text, Wildcard, Expression | The value of attribute defined in AttributeID. Requires AttributeType and AttributeID to be defined. | optional |
UTCStartTime | Text, Expression | The start time that a rule should be applied. Requires UTCFinishedTime to be defined. | optional |
UTCFinishedTime | Text, Expression | The end time that a rule should be applied. Requires UTCStartTime to be defined. | optional |
The ComponentOwnerFQN field, included in all external data store tables, shows the name of the component providing specific rows to a table.
Disclosure Filter Action Table
Note
Each table in the external data store (extdb) has configuration options that only product administrators with all administrative privileges (superuser) can modify. Superusers can access the configuration options by clicking on the plus (+) symbol located below the table. See External data store Table configuration options for details.
The following table outlines the supported options and usage of the fields in the pam_disclosure_filter_action extdb table.
Field | Supports | Description | Input |
---|---|---|---|
ActionID | Text | Unique number used to determine the evaluation order of actions. | required, not NULL |
FilterID | Foreign Key | The corresponding disclosure filter policy FilterID to link this action to. | required, not NULL |
DisclosureID | Text, Expression | The GUID for the access disclosure plugin that corresponds to the one this action uses. The list can be found under Manage the system > Privileged access > Access disclosure plugins. | required, not NULL |
AttributeName | Text, Expression | The disclosure plugin attribute name. | optional |
AttributeValue | Text, Expression | The attribute value to set the disclosure plugin attribute specified in AttributeName. | optional |
AttributeCalculationFunction | Text | The callback function to execute: a Python function, contained in a script file, that provides additional plugin attributes and values. Callback functions are small scripts used to modify the disclosure attributes directly. They may be removed in a future release, so use them only if necessary. The script file must be defined in the <instance>componentCallbacks directory. | optional |
AttributeRequired | Boolean | Set to True to make AttributeName and AttributeValue required. | optional |
NewDescription | Text | Override for the disclosure description. | optional |
Comment | Text | Rule description. | optional |
The ComponentOwnerFQN field, included in all external data store tables, shows the name of the component providing specific rows to a table.
Disclosure Filter Policy Examples
Restricting display of passwords to Windows platforms only and limiting disclosure
In this demonstration, disclosure filter rules are altered so that display of passwords is restricted to Windows platforms only, with a time limit of 5 minutes. A Windows account and a Linux account are then checked out to show that only the Windows account can display its password, and that it remains visible only for the configured time.
Adding a new disclosure to a checkout
This is an example of adding the Remote Desktop disclosure plugin to a checkout for a user accessing a Windows server. This example assumes that the default Remote Desktop disclosure plugin has not been changed.
Policy Table:
Field | Value | Notes |
---|---|---|
StageNumber | 1 | This number will depend on the rest of your policy rules and stages. |
RuleNumber | 1 | This number will depend on the rest of your policy rules. |
SkipRemaining | [No selection] | This can be switched to Stage if you want this to be the last rule that processes. |
Comment | Check to see if the user is requesting access to an account on a Windows server. | |
FilterID | WINDOWS_SERVER | |
PlatformType | WINNT | WINNT is the windows platform ID. |
Action Table:
Field | Value | Notes |
---|---|---|
ActionID | WINDOWS_RDP | |
FilterID | WINDOWS_SERVER | This will link to the policy that will trigger this action. |
DisclosureID | !!!PSW_PLUGIN_TSVC_DESC | |
Comment | Add the Remote Desktop disclosure plugin | |
Setting up AD disclosure based on group membership
This is an example of adding multiple disclosure plugins based on the user’s group membership. This example assumes that you have managed the Active Directory security group “security_appliance_admins” and run Auto discovery. This example also assumes you have configured new disclosure plugins in Bravura Privilege for Cisco Iron Port and Blue Coat.
This example looks at the platform the account exists on and at the recipient's security group membership. Once it confirms that the account being accessed exists on an Active Directory domain and that the recipient is a member of the security group, it adds both Cisco Iron Port and Blue Coat to the list of disclosure controls available to the user.
Generally, this type of policy would be paired with a generic Active Directory policy that adds one or more disclosure controls that all users have access to, such as Remote Desktop.
Policy Table:
Field | Value | Notes |
---|---|---|
StageNumber | 1 | This number will depend on the rest of your policy rules and stages. |
RuleNumber | 2 | This number will depend on the rest of your policy rules. |
SkipRemaining | [No selection] | This can be switched to Stage if you want this to be the last rule that processes. |
Comment | Check to see if the user is requesting access to an account on Active Directory, and if they are a member of the security group | |
FilterID | AD_SECURITY_TEAM | |
PlatformType | AD | AD is the platform ID for Active Directory. |
GroupFQNrecipientMembershipTargetID | AD_TARGETID | The Active Directory target where the group exists. |
GroupFQNrecipientMembership | security_appliance_admins | The short id of the group we want to test membership of. |
Action Ironport Policy:
Field | Value | Notes |
---|---|---|
ActionID | AD_IRONPORT | |
FilterID | AD_SECURITY_TEAM | This will link to the policy that will trigger this action. |
DisclosureID | Iron Port Web GUI | This needs to match exactly what you entered in the description when creating the Iron Port browser disclosure plugin in Bravura Privilege. |
Comment | Add the Cisco Iron Port web portal disclosure plugin | |
Action Bluecoat Policy:
Field | Value | Notes |
---|---|---|
ActionID | AD_BLUECOAT | |
FilterID | AD_SECURITY_TEAM | This will link to the policy that will trigger this action. |
DisclosureID | Blue Coat Web GUI | This needs to match exactly what you entered in the description when creating the Blue Coat browser disclosure plugin in Bravura Privilege. |
Comment | Add the Blue Coat web portal disclosure plugin | |
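The two examples above, as an added Python illustration that is not Bravura Privilege's own code: the page's policy and action rows are encoded as dictionaries and run through a small evaluator that applies the semantics stated earlier on this page (rules ordered by StageNumber then RuleNumber, AND across populated columns, every action linked by FilterID to a passing rule executed, a later conflicting action overwriting an earlier one). Assumptions made here: SkipRemaining set to Stage skips the remaining rules of the current stage, a conflict means the same DisclosureID and AttributeName, action rows are listed in ActionID order, and group membership is looked up in a constructed in-memory directory rather than the real Active Directory target.

```python
"""Rule evaluation for the disclosure filter policy and action tables.

Added illustration, not Bravura Privilege code. Encodes the WINDOWS_SERVER
and AD_SECURITY_TEAM examples as rows and evaluates them with the semantics
the page states. Assumptions (not from the page): SkipRemaining="Stage" skips
the rest of the current stage; "conflicting" actions share DisclosureID and
AttributeName; action rows are already in ActionID order; group membership
comes from a constructed in-memory directory.
"""
from fnmatch import fnmatchcase

# Policy rows from the page; only the populated columns are given.
POLICY_TABLE = [
    {"StageNumber": 1, "RuleNumber": 1, "FilterID": "WINDOWS_SERVER",
     "PlatformType": "WINNT",
     "Comment": "Check for access to an account on a Windows server."},
    {"StageNumber": 1, "RuleNumber": 2, "FilterID": "AD_SECURITY_TEAM",
     "PlatformType": "AD",
     "GroupFQNrecipientMembershipTargetID": "AD_TARGETID",
     "GroupFQNrecipientMembership": "security_appliance_admins",
     "Comment": "Check for an AD account and security group membership."},
]

# Action rows from the page, listed in (assumed) ActionID order.
ACTION_TABLE = [
    {"ActionID": "WINDOWS_RDP", "FilterID": "WINDOWS_SERVER",
     "DisclosureID": "!!!PSW_PLUGIN_TSVC_DESC"},
    {"ActionID": "AD_IRONPORT", "FilterID": "AD_SECURITY_TEAM",
     "DisclosureID": "Iron Port Web GUI"},
    {"ActionID": "AD_BLUECOAT", "FilterID": "AD_SECURITY_TEAM",
     "DisclosureID": "Blue Coat Web GUI"},
]

# Constructed directory: (target id, group short id) -> member user ids.
GROUP_MEMBERS = {("AD_TARGETID", "security_appliance_admins"): {"alice"}}


def _wild(col):
    """Wildcard column test using Unix filename pattern matching."""
    return lambda rule, req: fnmatchcase(req.get(col, ""), rule[col])


def _group_member(rule, req):
    """GroupFQNrecipientMembership, qualified by its TargetID column."""
    key = (rule["GroupFQNrecipientMembershipTargetID"],
           rule["GroupFQNrecipientMembership"])
    return req.get("recipient") in GROUP_MEMBERS.get(key, set())


COLUMN_TESTS = {
    "PlatformType": _wild("PlatformType"),
    "AccountID": _wild("AccountID"),
    "AccountTargetID": _wild("AccountTargetID"),
    "GroupFQNrecipientMembership": _group_member,
}
# Columns that only qualify another column and carry no test of their own.
QUALIFIER_COLUMNS = {"GroupFQNrecipientMembershipTargetID"}
META_COLUMNS = {"StageNumber", "RuleNumber", "SkipRemaining", "Comment", "FilterID"}


def rule_passes(rule, req):
    """AND over every populated, testable column; unpopulated ones are ignored."""
    for col, val in rule.items():
        if col in META_COLUMNS or col in QUALIFIER_COLUMNS or val in (None, ""):
            continue
        if col not in COLUMN_TESTS:
            raise ValueError(f"no test implemented for column {col!r}")
        if not COLUMN_TESTS[col](rule, req):
            return False
    return True


def passing_filters(policy_rows, req):
    """FilterIDs of passing rules, evaluated in (StageNumber, RuleNumber) order."""
    passed, skip_stage = [], None
    for rule in sorted(policy_rows, key=lambda r: (r["StageNumber"], r["RuleNumber"])):
        if rule["StageNumber"] == skip_stage:
            continue  # assumed meaning of SkipRemaining = Stage
        if rule_passes(rule, req):
            passed.append(rule["FilterID"])
            if rule.get("SkipRemaining") == "Stage":
                skip_stage = rule["StageNumber"]
    return passed


def disclosures_for(policy_rows, action_rows, req):
    """Execute every action whose FilterID references a passing rule.

    Returns {DisclosureID: {AttributeName: AttributeValue}}; a later action
    that sets the same attribute overwrites the earlier value (last wins).
    """
    passed = set(passing_filters(policy_rows, req))
    result = {}
    for action in action_rows:
        if action["FilterID"] not in passed:
            continue
        attrs = result.setdefault(action["DisclosureID"], {})
        if action.get("AttributeName"):
            attrs[action["AttributeName"]] = action.get("AttributeValue")
    return result


if __name__ == "__main__":
    for req in ({"PlatformType": "WINNT", "recipient": "bob"},
                {"PlatformType": "AD", "recipient": "alice"},
                {"PlatformType": "AD", "recipient": "bob"}):
        print(req, "->", disclosures_for(POLICY_TABLE, ACTION_TABLE, req))
```

A checkout of a WINNT account gets only the Remote Desktop plugin, an AD checkout by a member of security_appliance_admins gets both web GUI plugins, and an AD checkout by a non-member gets nothing from these rules; the generic Active Directory policy mentioned above would be a further rule in the same table.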