CA PIM infrastructure, New DH__ hosts. Terminal rules


Article ID: 101608


Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

Currently, we have an AD-hosted account which we use to access and administer our Windows-based CA PIM infrastructure (both DMS__ and DH). Due to business changes, we need to vacate the usage of this account and move to using locally hosted accounts to access and administer our CA PIM infrastructure. Brief synopsis of our environment:

<hostname>NTM/DMS__
<Hostname> DH__
<Hostname>DH__
<Hostname> DH__
<Hostname> DH__
<Hostname> DH__

Today we use this account: <accountname>. Going forward, we need to use the local account "<accountname>" on each of the hosts. In addition to the local account "<accountname>", I have created a local group called "<groupname>" on each of the systems and made "<accountname>" a member. My question is: Do I need to define these local users/groups in CA Access Control and authorize them to use the terminal on each host so that things will work properly?

Cause

New TERMINAL rules are needed for the DH__ hosts, along with access to them.

Environment

PIM: 12.8 SP1
OS: Windows

Resolution

Create TERMINAL records for all the DH__ hosts in the DMS__, and then authorize the users.
It is not necessary to do this on the DH__WRITER, but it can be done.

Example:
To prevent any user from logging in from the terminal tty123, specify nobody as the owner:

newres TERMINAL tty123.abc.com defaccess(none) owner(nobody)

To permit a user to log in from a particular terminal, enter the following command:

authorize TERMINAL tty123.abc.com uid(user1) access(R W)

This command permits user1 to log in from terminal tty123.

Permission to use a terminal can also be granted to a group. For example, the following command permits members of the group group1 to use the terminal tty123:

authorize TERMINAL tty123.abc.com gid(group1) access(R W)
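
An added example (not part of the original article and not CA tooling): a Python helper that builds the commands shown above for a list of DH__ hosts, so each TERMINAL record is emitted together with its authorizations. The host, user and group names and the name allow-list are assumptions of the example.

```python
import re

# Conservative allow-list for names embedded in selang commands. This is an
# assumption of the example, not a product rule; widen it deliberately.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def _checked(kind, value):
    """Return value unchanged, or raise if it could alter the command."""
    if not _SAFE_NAME.match(value):
        raise ValueError(f"unsafe {kind} name: {value!r}")
    return value


def terminal_rules(hosts, users=(), groups=()):
    """Build selang lines: one TERMINAL record per host, then its grants."""
    if not users and not groups:
        # defaccess(none) owner(nobody) with no grant blocks every login.
        raise ValueError("authorize at least one user or group")
    grants = [f"uid({_checked('user', u)})" for u in users]
    grants += [f"gid({_checked('group', g)})" for g in groups]
    lines, seen = [], set()
    for host in hosts:
        host = _checked("terminal", host)
        if host.lower() in seen:  # ignore a host listed twice
            continue
        seen.add(host.lower())
        lines.append(f"newres TERMINAL {host} defaccess(none) owner(nobody)")
        for grant in grants:
            lines.append(f"authorize TERMINAL {host} {grant} access(R W)")
    return lines


if __name__ == "__main__":
    # Constructed sample names; replace with the real DH__ hosts and principals.
    sample_hosts = ["dh01.abc.com", "dh02.abc.com"]
    print("\n".join(terminal_rules(sample_hosts, users=["user1"], groups=["group1"])))
```

Review the generated lines before running them in selang against the DMS__.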