Symantec Privileged Access Management

  • 1.  Variables in PIM

    Posted Aug 09, 2016 08:09 AM


    We are running CA PIM 12.9 SP1, ENTM on Linux, and managing many endpoints (AIX, Solaris, Windows).

    We are trying to use the CA examples for protecting the OS from the path (/opt/CA/AccessControlServer/APMS/AccessControl/samples/Policies/OS).

    I am trying to modify the _win2003_deploy.txt for our environment, adding the system users and all that (I will attach the file I have modified).

    But the problem is that when I try to apply it on a test server (either from the endpoint management - configuration and upload the file, or register it as a policy and apply it from the ENTM),

    I receive errors regarding the defined variables. I will attach the error log.

    I don't know the errors; I nearly used the CA sample without modification (except adding the users in the AC role group).

    Example of the error:

    ERROR: <!POLICY_AUDIT_MODE> is an invalid audit value for resources

    although the POLICY_AUDIT_MODE is defined!!


    UPDATE: the creation of the ACVAR variables was done successfully, as I ran (sr ACVAR *) on the test machine and it lists all built-in and custom variables, but the system cannot translate or look up the variables when it is like ("!<POLICY_AUDIT_MODE>"), for example.


    Can you help me? We need that in this project fast.


    Best regards


  • 2.  Re: Variables in PIM

    Broadcom Employee
    Posted Aug 09, 2016 12:16 PM



    Currently Windows 2003 is not supported as an endpoint.


    CA Privileged Identity Manager Endpoint Compatibility Matrix - CA Technologies


    Did you try this on Windows 2008 server or above?


    Please let us know if you are facing the same issue with Windows 2008 or 2012.



    Mohammed Mustansir

  • 3.  Re: Variables in PIM

    Posted Aug 10, 2016 04:09 AM


    I missed declaring that detail: the Windows servers in my environment are Win 2008 R2 and Windows 2012 R2, no Windows 2003 at all, but the CA example file has that name only; you can check the example files in any installation.

    Also, I have the same issue with Linux/AIX/Solaris boxes, each having their own policy files, but all having the same issue with variables.


    Best regards

  • 4.  Re: Variables in PIM

    Broadcom Employee
    Posted Aug 17, 2016 06:38 AM


    I have tried to run the following command in my environment.


    editres ACVAR ("POLICYAUDITMODE") value("FAILURE")

    editres ACVAR ("POLICYDEFACCESS")    value("ALL")

    editres FILE ("C:\test.txt") audit(<!POLICYAUDITMODE>) owner(nobody) defaccess(<!POLICYDEFACCESS>) warning  comment("AC Sample")

    <!POLICY_AUDIT_MODE> is an invalid audit value for resources


    AaronArmagost mulan04, can you please confirm whether this is a bug or am I doing something wrong?



    Mohammed Mustansir

  • 5.  Re: Variables in PIM

    Posted Aug 18, 2016 04:17 PM

    Are you sourcing the policy from an interactive selang session?  If so, references to variables do not work in that case.  The variables can be created, but referencing the variable from another command, like editing a FILE object, does not work.


    Variables can only be used in policies managed by Advanced Policy Management (APM).  You can create the ACVAR objects in an interactive selang session, and those variables can be referenced by a policy managed by APM.  You can also create the ACVAR objects within the policy managed by APM, as in the example I attached.


    I successfully created a policy from the selang rules you noted through APM.


    The following screenshot shows how the policy is defined in APM.  It also shows that 12.9 SP1 was used.

    simple policy with variables.png


    The following screenshot shows confirmation from submitting the policy.  NOTE:  The confirmation notes "No operation was required."  This is because I had successfully finalized the policy on a previous modification.

    Modify Policy Confirmation.png


    Best regards,



  • 6.  Re: Variables in PIM

    Posted Aug 21, 2016 11:37 AM

    I got the idea, but when I try to deploy the standard policy (win2003_deploy.txt) as I attached it, I receive the following warning, and when I try to log into the endpoint interface and search for the containers created or the monitored programs etc., nothing appears at all, as if the policy stopped after the 3 warnings.

    policy.jpg


    Any idea what my mistake is here?!!



  • 7.  Re: Variables in PIM
    Best Answer

    Broadcom Employee
    Posted Aug 25, 2016 05:02 AM

    Hello Abdel,

    Let's look at this in a step by step process.

    - Share the screenshot where you have defined the ACVARs as was displayed by Warren.

    - Next the output of "sr ACVAR *"

    - After this try to deploy the policy containing the ACVAR


    If we are not able to help resolve your problem in communities, we would request you to open a support ticket as this might need more time to investigate and work in a lab environment.
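
    A pre-deployment check for the variable problems discussed in this thread, as an added example that is not from any poster or from the product: it reads a policy file as text, collects the names defined with `editres ACVAR ("NAME")`, and reports `<!NAME>` references that have no definition as well as tokens written as `!<NAME>`. The function name `lint_policy`, its `known` parameter (names already present on the endpoint, for instance copied from the `sr ACVAR *` listing) and the sample policy are assumptions; only the two syntax forms quoted in the thread are recognized.

```python
import re

# Syntax as it appears in the commands quoted in this thread:
#   editres ACVAR ("NAME") value("VALUE")   -> defines a variable
#   <!NAME>                                  -> references a variable
DEFINE = re.compile(r'^\s*editres\s+ACVAR\s*\(\s*"([^"]+)"\s*\)', re.I | re.M)
REFERENCE = re.compile(r'<!([^<>\s]+)>')
# Marker characters transposed, so the token is not in the <!NAME> form.
TRANSPOSED = re.compile(r'!<([^<>\s]+)>')


def lint_policy(text, known=()):
    """Return (line_number, kind, name) findings for a selang policy text.

    known: variable names that already exist on the endpoint (assumption:
    the caller supplies them, e.g. from the `sr ACVAR *` listing).
    """
    # Pass 1: every name defined anywhere in the file, plus the known ones.
    defined = set(known) | set(DEFINE.findall(text))

    # Pass 2: check each reference against the defined names.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in REFERENCE.findall(line):
            if name not in defined:
                findings.append((lineno, "undefined", name))
        for name in TRANSPOSED.findall(line):
            findings.append((lineno, "malformed", name))
    return findings


# Constructed sample policy, modelled on the commands in the thread.
# The name mismatch and the transposed marker are deliberate.
SAMPLE = r'''editres ACVAR ("POLICYAUDITMODE") value("FAILURE")
editres ACVAR ("POLICYDEFACCESS") value("ALL")
editres FILE ("C:\test.txt") audit(<!POLICY_AUDIT_MODE>) owner(nobody) defaccess(<!POLICYDEFACCESS>) warning
editres FILE ("C:\test2.txt") audit(!<POLICYAUDITMODE>) owner(nobody)
'''

if __name__ == "__main__":
    for lineno, kind, name in lint_policy(SAMPLE):
        print(f"line {lineno}: {kind} variable reference {name}")
```

    A clean result only means the names in the file are consistent; the variables are still resolved only when the policy is deployed through APM, as described in reply 5.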