Reference Guide
Policy Management
Policy Groups Definition
Policy groups consist of multiple policies. If black and white keys are defined in the same policy group, black keys have higher priority, i.e., the system restricts the black key commands first, then allows white key commands. If there are specific commands defined as white keys, the system will allow these commands and restrict all other commands.

1. Navigate to Policy > Policy Group.
2. Navigate to the Policy Group field, then click on the Add button.
3. Fill in the mandatory fields (Name, Operation Mode, Select Policy Key(s), Action) under Policy Group Properties, set the Action field as Generate Error, and click Save. (The Use for Reservation Only option should be enabled if a policy group is used only for reservation. More information can be found in section 2.3.3 Managerial Policy Reservation.)

| Operation Mode | Definition |
| --- | --- |
| Operation | Policy groups are available when devices are in operation mode. |
| Maintenance | Policy groups are available when devices are in maintenance mode. Maintenance mode is set on devices. Check the Device Inventory – Devices Right Click the Menu section for more information. |

Kron PAM can send information about executed black key commands to a Simple Network Management Protocol (SNMP) server.

SNMP Trap

If the checkbox is selected from Policy Key Options > General Options, an SNMP trap is sent to the desired target when a user tries to execute a black key command. The target the SNMP trap will be sent to can be configured as a property in the System Configuration Manager. The following parameters should be defined in the System Configuration Manager:

| Parameter Name | Parameter Value |
| --- | --- |
| snmp target ip | Target IP to send the SNMP trap to. If not defined, localhost is used as the default target IP to send the traps. |
| snmp target port | Target port of the target IP to send the SNMP trap to. If not defined, 162 is used as the default port. |
| snmp community string | The preferred community string should be defined. If not defined, public is used as the default value. |

When clicking on the Policy Key Actions, General Actions, and Black Key Action fields are shown.

Send Notifications on Policy Key Execution

When the command is run in SSH proxy, an e-mail is sent to the user group to inform them. If the sc policy notification sendapproval useonlydevicerealmmanagers value is false in the System Configuration Manager (the default value is false), a notification is sent to all managers in the user groups of the session user. If this property is set to true, a notification e-mail is sent to the group managers on the device realms to which the session user is connected. If the aioc alert notification mail address is defined in the System Config Manager, a notification is sent to both all managers and this specific user to get session alerts.

Cluster Wide Command Restriction

With this parameter, when a command defined as a black key is executed on a machine in a cluster-based system, it cannot be executed on other devices within that group for a specified period of time. Defining this parameter alone is not enough for cluster-based restriction. Devices defined as a cluster must be added to a group, and the useasclustergroup parameter must be set to true for this device group in the Custom Properties panel.

When the useasclustergroup parameter is set to true on the device group, users can connect to any device within the device group via SSH. The command defined as a black key is executed. If the same command is executed again in the same session, the system will display an error message informing users that the relevant command can't be executed for a certain period of time. Additionally, if users connect to another device in the device group via SSH and run the same command again, a warning message will be displayed on the screen informing the user that the command cannot be executed for a certain period of time.
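The black/white key precedence and the cluster-wide restriction described above can be checked against a small model before a policy group is rolled out. This is an added example, not Kron PAM code. The key-matching rule (a key matches a command's leading words), the 300-second window, and all device, group and command names are assumptions made for illustration.

```python
import time

def matches(command, keys):
    """Return the first key that equals the command or forms its leading words.
    Assumption: the page does not state how keys are matched against commands."""
    return next((k for k in keys if command == k or command.startswith(k + " ")), None)

class PolicyGroup:
    """Toy model of the evaluation order described in the text."""

    def __init__(self, black_keys=(), white_keys=(), cluster_window=None,
                 cluster_of=None, clock=time.monotonic):
        self.black_keys, self.white_keys = tuple(black_keys), tuple(white_keys)
        self.cluster_window = cluster_window  # seconds; None = restriction off
        self.cluster_of = cluster_of or {}    # device -> group with useasclustergroup=true
        self.clock = clock
        self._last_run = {}                   # (group, black key) -> time of the allowed run

    def evaluate(self, device, command):
        black = matches(command, self.black_keys)
        if black is not None:  # black keys are checked first and win over white keys
            group = self.cluster_of.get(device)
            if self.cluster_window is None or group is None:
                return "deny: black key"
            now = self.clock()
            last = self._last_run.get((group, black))
            if last is not None and now - last < self.cluster_window:
                return "deny: black key already run in cluster group"
            self._last_run[(group, black)] = now  # lock shared by every device in the group
            return "allow: first run in cluster window"
        # Once any white key exists, everything that is not a white key is restricted.
        if self.white_keys and matches(command, self.white_keys) is None:
            return "deny: not a white key"
        return "allow"

if __name__ == "__main__":
    # Constructed sample: devices, keys and the window length are made up.
    fake_now = [0.0]
    pg = PolicyGroup(black_keys=["reboot"], white_keys=["show", "reboot"],
                     cluster_window=300, cluster_of={"db1": "db", "db2": "db"},
                     clock=lambda: fake_now[0])
    for dev, cmd in [("db1", "show version"), ("db1", "reboot"), ("db2", "reboot"),
                     ("db1", "configure terminal"), ("edge1", "reboot")]:
        print(dev, cmd, "->", pg.evaluate(dev, cmd))
```

Note that "reboot" is listed as both a black and a white key in the sample: the black key decides the outcome, and a device outside any cluster group never gets the first-run allowance.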