Symantec Privileged Access Management

  • 1.  CA-PAMSC - Add host to host group by criteria="nodename"

    Posted May 07, 2019 12:01 PM

    Hi;

    I'd like to know if there is a way to dynamically add a host to a host group, but not by the IP criteria, which is already set up.

    We need that, when an agent reaches the ENTM console, it is automatically associated with a host group depending on the name of the endpoint.

     

     

    Thanks in advance



  • 2.  Re: CA-PAMSC - Add host to host group by criteria="nodename"
    Best Answer

    Broadcom Employee
    Posted May 08, 2019 04:17 AM

    Hello Carlos,

     

    Yes, this is possible.

    I suggest reviewing Hosts and Host Groups, which explains the full concept of Host Groups in ENTM.

    Also see GHNODE Class and Advanced Policy Management Classes for further details around the GHNODE class in selang.

     

    See also the article Host Group Pattern Syntax, which provides a specific example of how to manipulate a GHNODE group and explains what determines the criteria to be used.

     

     

    To specify additional criteria that CA Access Control Enterprise Management can use to automatically assign hosts to host groups:

     

      1. Open a cmd window in the Enterprise Manager Server
      2. selang
      3. host DMS__@

     

    Create/edit the host group and specify the assignment criteria 'COMMENT', using the following selang command:

     

    editres GHNODE host_group_name criteria(COMMENT=*own*)

     

     

    To then allow the relevant host to be automatically added to this host group, edit the HNODE record on that box in selang:

     

    er HNODE __local__ comment('my own description')

     

    Wait for, or restart, the policyfetcher process on the box to send a new heartbeat with the new comment attribute's value, and you will find the box added to the GHNODE host_group_name.

     

    Best Regards,

    Andreas
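
A dry-run check for the procedure in the answer above, as an added example that is not part of the original posts or of the product: it derives the comment from the host name, shows which group criteria that comment would satisfy, and builds the two selang commands quoted in the answer. The group names, the naming rules and the reading of `*` as "any run of characters" are assumptions.

```python
import re

# Hypothetical group names and criteria; only the COMMENT=*...* form is from the thread.
GROUP_CRITERIA = {"web_servers": "*role=web*", "db_servers": "*role=db*"}
# Hypothetical naming convention: hostname regex -> comment to set on that endpoint.
NAME_RULES = [(r"^web\d+", "role=web"), (r"^db\d+", "role=db")]
SAFE = re.compile(r"[A-Za-z0-9_=.* -]+")  # keep quotes/parentheses out of selang text


def criteria_matches(pattern, value):
    # Assumption: '*' stands for any run of characters, everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def comment_for(hostname):
    for rx, comment in NAME_RULES:
        if re.match(rx, hostname.lower()):
            return comment
    return None


def plan(hostnames):
    """Map each hostname to (comment, [groups whose criteria the comment matches])."""
    result = {}
    for host in hostnames:
        comment = comment_for(host)
        groups = [g for g, pat in sorted(GROUP_CRITERIA.items())
                  if comment is not None and criteria_matches(pat, comment)]
        result[host] = (comment, groups)
    return result


def needs_review(plan_result):
    """Hosts that would join no group, or more than one."""
    return sorted(h for h, (_, groups) in plan_result.items() if len(groups) != 1)


def selang_lines(group, pattern, comment):
    for text in (group, pattern, comment):
        if not SAFE.fullmatch(text):
            raise ValueError(f"unsafe character in {text!r}")
    return [f"editres GHNODE {group} criteria(COMMENT={pattern})",  # run on the DMS
            f"er HNODE __local__ comment('{comment}')"]             # run on the endpoint


if __name__ == "__main__":
    hosts = ["web01.example.test", "DB07.example.test", "build3.example.test"]  # constructed
    result = plan(hosts)
    for host, (comment, groups) in result.items():
        print(host, comment, groups)
    print("review before rollout:", needs_review(result))
```

Hosts listed for review would receive no host group, or more than one, once their comment is set, so check them before pushing the comment to the endpoints.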



  • 3.  Re: CA-PAMSC - Add host to host group by criteria="nodename"

    Posted May 10, 2019 03:23 AM

    Hi Andreas, thanks for your solution.

     

    I still have a question. From your explanation I can conclude that I need to manually edit each hnode that is already in the ENTM server, to add that new field "comment", and automatically it will be added to the ghnode that suits this criteria.

     

    But my question was whether one of the criteria already built into this software can be the name of the hnode.

     

    Thanks in advance.



  • 4.  Re: CA-PAMSC - Add host to host group by criteria="nodename"

    Broadcom Employee
    Posted May 10, 2019 09:33 AM

    Hello Carlos,

     

    You would utilise the COMMENT field only if the other existing automatically populated attributes like HNODE_INFO, HNODE_IP, HNODE_VERSION, NODE_TYPE do not meet your needs.

     

    (From your initial description I was under the impression this was the case.)

     

    You can populate the COMMENT field as mentioned directly on the endpoint or in the DMS itself (e.g. by using the ENTM UI / Host / Description, but then it might get overwritten the next time a heartbeat comes in from the endpoint, which might have a different value for the comment attribute).

     

    Best Regards,

    Andreas



  • 5.  Re: CA-PAMSC - Add host to host group by criteria="nodename"

    Posted May 11, 2019 12:33 PM

    Thanks again for your explanation.

    You gave me the solution I was looking for.