PIM: Locked out of my system

Article ID: 98440

Updated On:

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)

Issue/Introduction

I cannot run any selang commands.

Environment

Release:
Component: SEOSNT

Resolution

If you do not have rights to administer the product, find a user who does (typically a domain administrator has those rights). If you are still unsure, or cannot authenticate as such a user to launch selang while the product is loaded in the kernel, reboot the Windows server into Safe Mode. This should ensure the system does not restart with the CA PIM services running.

Once that is done, launch a command prompt and type ‘selang -l’, which operates on the selang database locally. You can then edit rules in selang in local mode while the product is not running.

1.) Create a terminal for users to access:

    er TERMINAL hostname_here owner(nobody) defacc(R)

* The TERMINAL rule decides who is allowed to access the machine and from where.
* 'nobody' is used as a placeholder owner because the owner of a rule isn't restricted by the rule. If no owner is specified, the user who created the rule becomes the owner.
* defacc(R) is for access, whereas W is for administrative access.
* defacc() takes effect for all users who aren't explicitly defined via an 'auth TERMINAL' command.

2.) Then authorize the users who can administer selang by giving them W access:

    auth TERMINAL hostname_here uid(your_userID_here) acc(R,W)

Once this is completed, verify by rebooting into standard mode. You should be able to start the product by issuing ‘seosd -start’. Once it comes up, launching ‘selang’ should be allowed, because the rules above were already entered into the local selang database.