Commmand Policy
5 min
the "reboot" command might be blocked for all users globally, but through an advanced policy , we can grant the "linux administrator" group permission to use it if an advanced rule exists for a command, it overrides the general policy for those specific users, and the advanced rule takes precedence to create an advanced policy , click the add button in the top right corner of the screen and proceed by filling in the required information 1 first step you must assign a name to the advanced policy and select the specific users or user groups to whom this policy will apply 2 second step you add the specific command to be governed by the policy, along with any necessary details (parameters, paths, etc ) 3 third step you must select the policy type there are three options available, and the subsequent steps vary slightly based on your choice a allow if selected, you will be asked to specify the endpoints where this policy is valid and define the behavior for subprocesses b block if selected, you must specify the relevant endpoints and decide whether or not to display a warning notification to the end user when the command is blocked c elevation if selected, you will define the target endpoints and subprocess behavior most importantly, you must configure the approval mechanism whether the command requires otp (one time password) , managerial approval , or both when selecting users in advanced policy , the listed users are those who have been imported into kron pam from active directory local users are not populated or displayed in this section if allow policy is selected, the steps below will be configured if "apply to all agents" is selected, the policy will be received by every endpoint where an agent is installed if block policy is selected, the steps below will be configured if elevation policy is selected,the steps below will be configured