To view the latest 11.3.x version, see  PATROL Agent 11.3.02 Open link .

Defining Access Control Lists

The /AgentSetup/accessControlList variable controls which users are authorized to connect to an agent in which modes from which hosts.

Format and type of data

For each access control list (ACL), the format is a comma-separated list of entries. Each entry has the following format:

UserName/HostName/Mode

UserName is the name of a local account that the connecting console may request to use. It defaults to *. For more information, see HostName and UserName attribute conventions.

HostName is a computer (console) that is authorized to connect to this agent. It defaults to *. For more information, see HostName and UserName attribute conventions.

Mode is a list of application and application modes that are authorized to access the agent:

C–Configure (pconfig, wpconfig, xpconfig)
D–Developer (console)
O–Operator (console)
P–PEM (event manager console)
R–Allow operator overrides
S–System Output Window Display For detailed information about these modes, see the following table.

Note: If the Mode value is missing from an individual ACL entry, it defaults to O (Operator).

Default value

*/*/CDOPSR

Minimum and maximum

Not applicable

Dependencies

None

Recommendation

See the following sections


The following table explains the agent connection modes.


Access Control List connection modes

Mode

Description

C

The C (configure) mode controls the context of commands that are run on the PATROL Agent.

The following commands are run using the console connection account:

  • Commands run from System Output window
  • KM menu commands
  • Agent configuration commands
  • OS commands and tasks
  • PSL commands and tasks

    Note:

    If a command is run from the system command line, the command runs using the credentials of the user logged-on to the system.

D and O

The D (developer) and O (operator) connection modes control the connection type between the agent and console:

  • D allows a developer connection to the agent
  • O allows an operator connection to the agent

    Note: The user must have rights to log on locally to the agent system to connect with the console.

P

The P (PEM) connection mode controls access to the agent using the PEMAPI.

The P mode does not control the availability of the PATROL Event Manager. It controls the following types of access to the PATROL Agent:

  • Access from applications that use PEMAPI functions to connect to the PATROL Agent
  • Connection to the PATROL Agent using the remote PSL functions

R

The R (allow operator overrides) mode allows operator overrides on agents and consoles only if the following variable is set to true in patrol.conf: allowoverrideparameter.

This mode is available only for version 3.4.20 and 3.5.00 or later agents and consoles.

S

The S (System Output Window Display) mode allows display of the interactive operating system prompt if the following variable is set to 1:

/AgentSetup/EnableSysOutputAclCheck

Note

The default account must have C mode access to the PATROL Agent.

Changing connection mode behavior

By default, the PATROL Agent runs discovery, collection, and recovery actions as the defaultaccount, and commands run from the System Output window, InfoBoxes, and menus are run using the console connection account.

The default behavior is changed by using the following PATROL Agent variables:

/AgentSetup/<appl>.OSdefaultAccount" = {REPLACE="<user>"}
/AgentSetup/<appl.inst>.OSdefaultAccount" = {REPLACE="<user>" }
/AgentSetup/<appl>.OSdefaultAccountAppliesToCmds" = {REPLACE="no"}

Was this page helpful? Yes No Submitting... Thank you

Comments