Symantec Privileged Access Management

  • 1.  Command filtering for users that belong to two groups

    Posted Oct 03, 2019 11:36 PM
    CA PAM v3.2.6

    Background:
    My customer needs PAM to grant access to some users with accounts that have administrator privileges and accounts that have read-only privileges on Linux servers. Those users can use the read-only account any time they want, but for the administrator account they need to request access using Workflow Approval. Since I created the policies based on groups, those users are put into two different user groups, Admin and View, which are mapped to the same target device. The administrator and read-only accounts have different command filtering applied to them.

    Issue:
    Since those users belong to two different user groups, two different policies and two different command filters, logically speaking those users should have different blacklisted commands according to which account they log in with. The problem is that it does not work like that in PAM. Even if those users log in as administrator, the blacklisted commands from the read-only account are also applied to them. How am I supposed to approach this?


    ------------------------------
    Thank you.
    Regards,
    Jorghy M.
    ------------------------------


  • 2.  RE: Command filtering for users that belong to two groups
    Best Answer

    Broadcom Employee
    Posted Oct 10, 2019 09:40 AM
    Hi Jorghy,
    No. There is only one set of privileges, one set of device access, one set of command filter policies for a user. When the user logs in, information from all policies that apply to the user will be combined. Command filters are tied to access policies, not to target accounts, and are therefore the same no matter which account you pick. Just the fact that you have a single entry per device on the access page should make that clear.


  • 3.  RE: Command filtering for users that belong to two groups

    Posted Oct 10, 2019 10:39 PM
    True, PAM also gives an error, PAM-CMN-1034, when I tried to access a device with different command filtering applied. Then, do you have any suggestion on how to fulfill my customer's demand that each user has two different policies per device with different target accounts and different command filters, the read-only account for day-to-day use and admin (with approval) for something that needs more privileges? My thought is to apply only one common command filter and restrict the rest at the OS level.


  • 4.  RE: Command filtering for users that belong to two groups

    Broadcom Employee
    Posted Oct 10, 2019 11:06 PM
    Depending on the use cases, and how many users this applies to, it may or may not make sense to create local PAM user entries for affected users, and have them log in with the local account to use the accounts with elevated privileges.


  • 5.  RE: Command filtering for users that belong to two groups

    Posted Oct 11, 2019 06:04 AM
    Is there a different treatment of command filtering for local vs. LDAP PAM users?


  • 6.  RE: Command filtering for users that belong to two groups

    Broadcom Employee
    Posted Oct 11, 2019 10:55 AM
    Jorghy, That's not the point. The point is that you can define different policies with different command filters for the two user entries.


  • 7.  RE: Command filtering for users that belong to two groups

    Posted Oct 13, 2019 11:01 PM
    Oh, I get it now. You mean one user logs in to PAM using either their LDAP account or a local account, which are bound to different policies and different command filters. Unfortunately, in my case, logging in with the LDAP account is a requirement.