Policy Groups Creation
Policy groups consist of multiple policies. If black and white keys are defined in the same policy group, black keys have higher priority; in other words, if a command allowed by a white key is also blockable by a black key, that command will be blocked. If only specific commands are defined as white keys and the policy group contains no other keys of any sort, the system allows those commands and blocks all other commands.

To create a policy group:

1. Navigate to Policy > Policy Group.
2. Go to the Policy Group field and click the Add button.
3. Fill in the mandatory fields (Name, Operation Mode, Select Policy Key(s), Action) under Policy Group Properties, set the Action field to Generate Error, and click Save.

The Use for Reservation Only option should be enabled if a policy group is used only for reservation. More information can be found in section 2.3.3 Managerial Policy Reservation.

Operation Mode Definition

Operation: the policy group is available when devices are in operation mode.
Maintenance: the policy group is available when devices are in maintenance mode.

Maintenance mode is set on devices; see the Device Inventory – Devices right-click menu section for more information.

SNMP Trap

Kron PAM can send information about executed black key commands to a Simple Network Management Protocol (SNMP) server. If the SNMP Trap checkbox is selected under Policy Key Options > General Options, an SNMP trap is sent to the desired target when a user tries to execute a black key command. The target of the SNMP trap can be configured in the System Configuration Manager with the following parameters:

Parameter Name          Parameter Value
SNMP Target IP          Target IP to send the SNMP trap to. If not set, localhost is used as the default target IP.
SNMP Target Port        Target port on the target IP to send the SNMP trap to. If not set, 162 is used as the default port.
SNMP Community String   The preferred community string should be defined. If not set, public is used as the default value.

Policy Key Actions

Upon clicking Policy Key Actions, General Actions and Black Key Actions are shown.

Send Notifications on Policy Key Execution

When a command is sent on the SSH proxy, Kron PAM sends an e-mail to the user group to inform it of the action. If the sc.policy.notification.sendapproval.useonlydevicerealmmanagers value is false in the System Configuration Manager (the default value is false), Kron PAM sends a notification to each user group manager of the session user, regardless of device realm membership. If it is set to true, the notification e-mails are sent only to the user group managers that share the device realm with the session user. If the aioc.alert.notification.mail.address parameter is set in the System Configuration Manager, Kron PAM sends the notification to both the user group managers and this specific mail address.

Cluster-Wide Command Restriction

With this parameter, when a command defined as a black key is executed on a machine in a cluster-based system, it cannot be executed on other devices within that cluster for a specified period of time (in seconds). Activating this parameter alone is not enough for the cluster-based restriction to take effect: the devices in the cluster must be contained within the same device group, and the useasclustergroup parameter must be set to true for this device group in the Custom Properties panel.

When useasclustergroup is set to true on a device group and a user tries to run a black key command twice in quick succession on the same device within this cluster during the same session, the system displays an error message informing the user that this command can't be executed for a certain period of time. Additionally, if the user connects to another device in the device group via SSH and runs the same command again, a warning message is displayed on the screen informing the user that the command cannot be executed for a certain period of time.
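The following Python model is an added example written for this page; it is not Kron PAM code and does not use any Kron PAM API. It illustrates two rules described above so that an administrator can reason about them before configuring a group: black keys override white keys, a group containing white keys behaves as an allowlist (everything unmatched is blocked) while a group with only black keys behaves as a blocklist, and the cluster-wide restriction refuses a repeated black key command on any device of a device group flagged with useasclustergroup for a configurable window. Two assumptions are made for illustration only: policy keys are treated as regular expressions matched against the whole command line, and the Generate Error action is the only black key action modelled. The device names, key patterns and 60-second window are constructed sample values.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PolicyGroup:
    """Illustrative model of a policy group (not the product's data model).
    Keys are regular expressions matched against the whole command (assumption)."""
    name: str
    white_keys: List[str] = field(default_factory=list)
    black_keys: List[str] = field(default_factory=list)

    def match(self, command: str) -> Optional[str]:
        """'black' if any black key matches (black always wins), 'white' if only a
        white key matches, None if no key matches."""
        if any(re.fullmatch(p, command) for p in self.black_keys):
            return "black"
        if any(re.fullmatch(p, command) for p in self.white_keys):
            return "white"
        return None

    def decision(self, command: str) -> Tuple[str, str]:
        """Return (decision, reason) for a command under the group's key rules."""
        kind = self.match(command)
        if kind == "black":
            return "block", "black key (Generate Error)"
        if kind == "white":
            return "allow", "white key"
        if self.white_keys:
            # White keys present: the group is an allowlist, unmatched commands are blocked.
            return "block", "not in white key allowlist"
        # Only black keys present: the group is a blocklist, unmatched commands pass.
        return "allow", "no black key matched"


class ClusterRestriction:
    """Model of cluster-wide command restriction: after a black key command is
    attempted on one device of a device group flagged useasclustergroup, the same
    command is refused on every device of that group for window_seconds."""

    def __init__(self, window_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.window = window_seconds
        self.clock = clock  # injectable clock so the behaviour can be tested deterministically
        self._last: Dict[Tuple[str, str], Tuple[float, str]] = {}  # (group, cmd) -> (time, device)

    def attempt(self, device_group: dict, device: str, command: str) -> Optional[str]:
        """Register a black key attempt. Returns a refusal message while the window is
        open, or None when the attempt is the first one (or the flag is not set)."""
        if not device_group.get("useasclustergroup"):
            return None  # flag not set on the device group: no cluster-wide effect
        key = (device_group["name"], command)
        now = self.clock()
        prev = self._last.get(key)
        if prev is not None and now - prev[0] < self.window:
            remaining = int(self.window - (now - prev[0]))
            if prev[1] == device:
                return f"error: {command!r} cannot be executed for another {remaining} s on this device"
            return f"warning: {command!r} was run on {prev[1]} in this cluster; blocked for {remaining} s"
        self._last[key] = (now, device)
        return None


def check_command(group: PolicyGroup, restriction: ClusterRestriction,
                  device_group: dict, device: str, command: str) -> Tuple[str, str]:
    """Evaluate one command on one device: cluster restriction first for black key
    hits, then the group's own allow/block decision."""
    if group.match(command) == "black":
        refusal = restriction.attempt(device_group, device, command)
        if refusal:
            return "block", refusal
    return group.decision(command)


class FakeClock:
    """Constructed clock for the demo so elapsed time is explicit."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> List[Tuple[str, str]]:
    """Run a constructed scenario and return the sequence of decisions."""
    group = PolicyGroup("db-ops", white_keys=[r"ls( .*)?", r"cat /var/log/.*"],
                        black_keys=[r"rm -rf .*", r"(sudo )?reboot"])
    clock = FakeClock()
    restriction = ClusterRestriction(window_seconds=60, clock=clock)
    cluster = {"name": "db-cluster", "useasclustergroup": True}
    results = []
    results.append(check_command(group, restriction, cluster, "node1", "ls -la"))
    results.append(check_command(group, restriction, cluster, "node1", "reboot"))   # first attempt
    clock.t = 5
    results.append(check_command(group, restriction, cluster, "node1", "reboot"))   # same device, in window
    clock.t = 6
    results.append(check_command(group, restriction, cluster, "node2", "reboot"))   # other device, in window
    clock.t = 70
    results.append(check_command(group, restriction, cluster, "node2", "reboot"))   # window expired
    results.append(check_command(group, restriction, cluster, "node2", "whoami"))   # allowlist group
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The injected clock is what makes the window logic checkable: with a real clock, the second and third attempts would land inside the window only by timing luck. The model also makes visible that the restriction is keyed on the device group name, so two groups that happen to contain the same hosts would not share a window.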