9 Working with Policies

This chapter provides information about working with Oracle Privileged Account Manager Password Policies and Usage Policies from the Console.

This chapter includes the following sections:

Note:

You can also manage Oracle Privileged Account Manager policies from the command line or by using Oracle Privileged Account Manager's RESTful interface. For information, refer to

9.1 What Are Oracle Privileged Account Manager Policies?

In Oracle Privileged Account Manager, there are two types of policies:

  • Password Policy. This policy type captures the password construction rules enforced by a specific target on an associated privileged account, for example, the minimum and maximum number of numeric characters. You use a Password Policy to create a password value that Oracle Privileged Account Manager uses to reset a password for a privileged account.

    A Password Policy also governs a password lifecycle, or how often a password must change.

  • Usage Policy. This policy type defines when and how a grantee can use a privileged account. (Default is 24x7 access to password checkouts.)

Every privileged account that is managed by Oracle Privileged Account Manager must have an associated Password Policy. A Usage Policy only applies at the level of a grant. You can associate a single Password Policy with multiple privileged accounts and a single Usage Policy with multiple grants.

Note:

For Usage Policies,

  • User grants are given first priority.

    If a user has direct access to an account through a user grant, then Oracle Privileged Account Manager applies the Usage Policy that corresponds to that grant.

  • If Oracle Privileged Account Manager cannot find a user grant for the user, then it looks for any group grants that grant the user access to that account.

    If the user is a member of multiple granted groups, then Oracle Privileged Account Manager sorts the group names into alphabetical order and uses the Usage Policy assigned to the first group.

    For example, assume you have Group A with corresponding policy UsagePolicyB and Group B with UsagePolicyA. When Oracle Privileged Account Manager sorts the group names, Group A comes first alphabetically, so Oracle Privileged Account Manager will apply UsagePolicyB.
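The precedence rules above, worked through in code: a direct user grant wins, otherwise the granted groups are sorted by name and the first one's policy applies. This is an added example, not part of the Oracle documentation or the product's own implementation; the grant tables, group names and account name are constructed, and the audit helper is an addition that flags users whose policy is decided only by the alphabetical tie-break.

```python
from typing import Dict, List, Optional

# Constructed sample data for this example (not from any real OPAM deployment).
# Account -> {user: Usage Policy} for direct user grants.
USER_GRANTS: Dict[str, Dict[str, str]] = {
    "root@db01": {"bob": "StrictPolicy"},
}
# Account -> {group: Usage Policy} for group grants; mirrors the chapter's
# example where Group A carries UsagePolicyB and Group B carries UsagePolicyA.
GROUP_GRANTS: Dict[str, Dict[str, str]] = {
    "root@db01": {"Group A": "UsagePolicyB", "Group B": "UsagePolicyA"},
}
# User -> groups the user belongs to (directory membership, constructed).
MEMBERSHIPS: Dict[str, List[str]] = {
    "alice": ["Group B", "Group A"],   # in both granted groups, no user grant
    "bob": ["Group A", "Group B"],     # in both groups, but has a direct user grant
    "carol": ["Group C"],              # no grant on the account at all
}


def resolve_usage_policy(user: str, account: str,
                         user_grants: Dict[str, Dict[str, str]],
                         group_grants: Dict[str, Dict[str, str]],
                         memberships: Dict[str, List[str]]) -> Optional[str]:
    """Return the Usage Policy that applies to `user` on `account`.

    Precedence as the chapter describes it: a direct user grant wins outright;
    otherwise the user's granted groups are sorted by group name and the policy
    of the first group is used. None means the user has no grant on the account.
    """
    direct = user_grants.get(account, {}).get(user)
    if direct is not None:
        return direct
    granted = group_grants.get(account, {})
    # Only groups that actually hold a grant on this account are candidates;
    # the order of the membership list is irrelevant, the alphabetical sort decides.
    candidates = sorted(g for g in memberships.get(user, []) if g in granted)
    if not candidates:
        return None
    return granted[candidates[0]]


def audit_conflicting_group_policies(account: str,
                                     user_grants: Dict[str, Dict[str, str]],
                                     group_grants: Dict[str, Dict[str, str]],
                                     memberships: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Find users whose effective policy is decided only by the alphabetical
    tie-break: no direct grant, but membership in two or more granted groups
    that carry different Usage Policies. Returns {user: {group: policy}} so an
    administrator can confirm the winning policy is the intended one."""
    granted = group_grants.get(account, {})
    direct = user_grants.get(account, {})
    conflicts: Dict[str, Dict[str, str]] = {}
    for user, groups in memberships.items():
        if user in direct:
            continue
        hits = {g: granted[g] for g in groups if g in granted}
        if len(set(hits.values())) > 1:
            conflicts[user] = dict(sorted(hits.items()))
    return conflicts


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "->", resolve_usage_policy(name, "root@db01", USER_GRANTS, GROUP_GRANTS, MEMBERSHIPS))
    print("tie-break decides for:",
          audit_conflicting_group_policies("root@db01", USER_GRANTS, GROUP_GRANTS, MEMBERSHIPS))
```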

Oracle Privileged Account Manager provides both a Default Password Policy and a Default Usage Policy. You can use these default policies, modify them, or create your own, specialized policies.

Note:

If you want to modify the default policies, Oracle recommends making a back-up copy of the policy before you modify it. Use the export command as described in Section A.8.1, "export Command."

To review the parameter settings for a policy, refer to Section 9.2.2, "Viewing Password Policies" or Section 9.3.2, "Viewing Usage Policies."

Note:

Only administrators with the Security Administrator Admin Role or the User Manager Admin Role can work with policies.

  • Administrators with the Security Administrator Admin Role can modify the Default Password Policy and Default Usage Policy, create new policies, or delete policies. (You cannot delete the Default Password Policy or the Default Usage Policy.)

  • Administrators with the Security Administrator Admin Role can assign Password Policies, but they cannot assign Usage Policies.

  • Administrators with the User Manager Admin Role can only assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

    Administrators with the User Manager Admin Role cannot assign Password Policies.

9.2 Working with Password Policies

This section describes the different tasks an administrator performs when working with Password Policies.

The topics include:

9.2.1 Searching for Password Policies

To search for a Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Search Policies portlet displays, enter your search criteria into one or more of the following fields.

    • Policy Name: Enter all or any part of a policy name.

    • Policy Status: Select All (default) from the menu to search for all policies (active and inactive). Select Active or Disabled to limit the search to just active or inactive policies.

  3. Click Search.

Review your search results in the Search Results table.

9.2.2 Viewing Password Policies

To review the parameter settings for a Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Policies page displays, click Search.

    The existing Password Policies will display in the Search Results table.

  3. Use one of the following methods to open a policy:

    • Click the Row number next to the policy name and then click the Open icon located above the Search Results table.

    • Click the policy name (an active link) in the Search Results table.

      For example, clicking the Default Password Policy link opens the Password Policy: Default Password Policy page.

    A Password Policy page contains three tabs:

    • General. Contains parameters used to specify general information about the policy and Password Lifecycle Rules for the policy. Password Lifecycle Rules govern when Oracle Privileged Account Manager must automatically reset an account password.

    • Password Complexity Rules. Contains parameters that govern the complexity requirements for account passwords.

    • Privileged Accounts. Provides information about the privileged accounts currently using that Password Policy.

9.2.3 Modifying the Default Password Policy

After evaluating the Default Password Policy, you may decide you want to modify the settings to better suit your environment.

Note:

Oracle recommends making a back-up copy of the Default Password Policy before you modify it. You can use the export command as described in Section A.8.1, "export Command."

To modify the Default Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Password Policies page displays, click Search to populate the Search Results table.

  3. Click the Default Password Policy link in the Search Results table to open the Password Policy: Default Password Policy page.

  4. Select the General tab to modify the Description in the General Fields area or to modify any of the following Password Lifecycle Rules:

    Note:

    You cannot edit the Policy Name or Policy Status values for this policy.

    • Save password history for: Use the counter and drop menus to specify how many days to save the password history for an account. The password history includes when accounts are checked out, checked in, and when their passwords were reset.

    • Expire password after: Use the counter and drop menus to specify a duration period (number of days, hours, or minutes) after which Oracle Privileged Account Manager must automatically reset the account password. For example, if your enterprise wants a security policy where account passwords must be changed every month, you would set this value to 30 days.

      Every time the account is checked out and its password gets changed (if the policy is configured so that passwords must be changed on checkout/check-in), Oracle Privileged Account Manager tracks the password change time.

      If Oracle Privileged Account Manager detects the account is idle and no password changes have occurred over the specified number of days, then Oracle Privileged Account Manager automatically resets the password to a new, randomized value, which helps the enterprise to automatically enforce the security policy without human intervention. To disable this automatic reset option, set the numeric value to 0.

      Note: The Oracle Privileged Account Manager scheduler periodically checks for accounts where the password maximum age has expired and resets them as described in this section.

      By default, the scheduler makes this check every 60 minutes (based on the passwordcyclerinterval property in the OPAM Global Config configuration entry, whose default setting is 60 minutes). You can view and modify the current interval by using Oracle Privileged Account Manager's getconfig and modifyconfig command line options. For more information, refer to Section A.2.1, "getconfig Command" and to Section A.2.3, "modifyconfig Command."

    • Reset password on check-in: Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a check-in operation.

      Uncheck this box if you do not want the password to be reset during the check-in operation.

    • Reset password on check-out: Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a checkout operation.

      Uncheck this box if you do not want the password to be reset during the checkout operation.


    Note:

    • An administrator with the Security Administrator Admin Role can also manually reset a password by using the Reset Password option (described in Section 8.8.3, "Resetting an Account Password") and Oracle Privileged Account Manager tracks this password change time as well.

    • For higher security, the Reset password on check-in and Reset password on check-out options are both enabled by default, but they can be disabled if required. For example, some enterprises may only require that passwords be reset every 30 days.

    • If your enterprise prefers that passwords not be managed automatically at all, and that they are changed only through human intervention, disable all three Password Lifecycle Rules options.

      However, after disabling these three options, the only way to manually change passwords is by using the Reset Password option (described in Section 8.8.3, "Resetting an Account Password"). Oracle Privileged Account Manager is still useful in this case, as you can reset and centrally manage passwords for multiple systems from one place by using Oracle Privileged Account Manager.

  5. Select the Password Complexity Rules tab to change one or more of the parameters that define the default password requirements.

    • Characters for Password: Specify the minimum and maximum number of characters required.

    • Alphabetic Characters: Specify the minimum number of alphabetic characters required.

    • Numeric Characters: Specify the minimum number of numeric characters required.

    • Alphanumeric Characters: Specify the minimum number of alphanumeric characters required.

    • Special Characters: Specify the minimum and maximum number of special characters (such as * or @) required.

    • Repeated Characters: Specify the minimum and maximum number of repeated characters allowed.

    • Unique Characters: Specify the minimum number of unique characters required.

    • Uppercase Characters: Specify the minimum number of uppercase characters required.

    • Lowercase Characters: Specify the minimum number of lowercase characters required.

    • Start with Character (not digit): Specify the first character required to start a password.

    • Required Characters: Specify which characters are required in a password.

    • Allowed Characters: Specify which characters are permitted in a password.

    • Disallowed Characters: Specify which characters are not permitted in a password.

    • Disallowed as Password: Enable (check) the Account Name box to prohibit the use of an account name in the password.


  6. Select the Privileged Accounts tab to review which accounts are currently using the Default Password Policy.

    Note:

    To specify a different Password Policy for any account listed in the table, click the Account Name link. When the Account page displays, select a different policy name from the Password Policy menu.

  7. When you are finished editing the policy, click Apply to save your changes.
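The Password Complexity Rules from step 5, turned into a checker an administrator can run against candidate passwords before committing a policy, so that an over-strict rule set (one no generated password could satisfy) is caught early. This is an added example, not Oracle's code or the product's own implementation; the rule values, the account name and the two candidate passwords are constructed, and the reading of the Repeated Characters and Start with Character parameters is an assumption stated in the code.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordComplexityRules:
    """One field per parameter on the Password Complexity Rules tab.

    The values below are constructed for this example; they are not OPAM's
    shipped defaults. None on a maximum means "no upper limit".
    """
    min_length: int = 8
    max_length: int = 64
    min_alpha: int = 0
    min_numeric: int = 0
    min_alphanumeric: int = 0
    min_special: int = 0
    max_special: Optional[int] = None
    min_repeated: int = 0
    max_repeated: Optional[int] = None
    min_unique: int = 0
    min_upper: int = 0
    min_lower: int = 0
    start_with_non_digit: bool = False
    required_chars: str = ""
    allowed_chars: Optional[str] = None      # None = no restriction
    disallowed_chars: str = ""
    disallow_account_name: bool = True


def violations(password: str, rules: PasswordComplexityRules, account_name: str = "") -> List[str]:
    """Return the names of the rules `password` breaks; an empty list means compliant.

    Assumed interpretation of the two ambiguous parameters: "Repeated Characters"
    counts distinct characters that occur more than once, and "Start with Character
    (not digit)" requires the first character to be anything but a digit.
    """
    alpha = sum(c.isalpha() for c in password)
    numeric = sum(c.isdigit() for c in password)
    special = sum(not c.isalnum() for c in password)
    distinct = set(password)
    repeated = sum(1 for c in distinct if password.count(c) > 1)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)

    broken: List[str] = []

    def check(ok: bool, rule: str) -> None:
        if not ok:
            broken.append(rule)

    check(rules.min_length <= len(password) <= rules.max_length, "Characters for Password")
    check(alpha >= rules.min_alpha, "Alphabetic Characters")
    check(numeric >= rules.min_numeric, "Numeric Characters")
    check(alpha + numeric >= rules.min_alphanumeric, "Alphanumeric Characters")
    check(special >= rules.min_special
          and (rules.max_special is None or special <= rules.max_special), "Special Characters")
    check(repeated >= rules.min_repeated
          and (rules.max_repeated is None or repeated <= rules.max_repeated), "Repeated Characters")
    check(len(distinct) >= rules.min_unique, "Unique Characters")
    check(upper >= rules.min_upper, "Uppercase Characters")
    check(lower >= rules.min_lower, "Lowercase Characters")
    check(not rules.start_with_non_digit or (bool(password) and not password[0].isdigit()),
          "Start with Character (not digit)")
    check(all(c in password for c in rules.required_chars), "Required Characters")
    check(rules.allowed_chars is None or all(c in rules.allowed_chars for c in password),
          "Allowed Characters")
    check(not any(c in rules.disallowed_chars for c in password), "Disallowed Characters")
    # Account-name check is case-insensitive (assumption for this example).
    check(not (rules.disallow_account_name and account_name
               and account_name.lower() in password.lower()), "Disallowed as Password")
    return broken


# Constructed policy for this example: 12+ characters, mixed classes, no whitespace
# or quoting characters, and the account name may not appear in the password.
EXAMPLE_RULES = PasswordComplexityRules(
    min_length=12, max_length=64, min_alpha=2, min_numeric=2, min_special=1,
    max_repeated=3, min_unique=8, min_upper=1, min_lower=1,
    start_with_non_digit=True, disallowed_chars=" '\"\\",
)

if __name__ == "__main__":
    for candidate in ("Xq7#mP2vLr9w", "7oracle pass"):   # constructed candidates
        print(candidate, "->", violations(candidate, EXAMPLE_RULES, account_name="oracle") or "compliant")
```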

9.2.4 Creating a Password Policy

To create a Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Password Policies page displays, click Create at the top of the Search Results table.

    A new page, Password Policy: Untitled, displays with three tabs.

  3. Provide the following information on the General tab:

    1. Policy Name: Enter a name for the new policy.

    2. Policy Status: Click the button to specify whether the policy is Active or Disabled.

      Making the policy Active puts that policy into effect for all of the associated accounts and grants.

      Disabling a policy applies the Default Password Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

    3. Description (optional): Enter a descriptive statement about the new policy.

    4. Password Lifecycle Rules: Configure these parameters to enable Oracle Privileged Account Manager to auto-generate and set a randomized account password under certain conditions, as described in step 4 of Section 9.2.3, "Modifying the Default Password Policy."

  4. Select the Password Complexity Rules tab to specify password complexity rules for this policy. Refer to step 5 of Section 9.2.3, "Modifying the Default Password Policy" for a description of these parameter settings.

  5. Select the Privileged Accounts tab to assign the new policy to accounts or grantees. Refer to Section 9.2.5, "Assigning Password Policies" for detailed instructions.

    After assigning this Password Policy to privileged accounts, you can select the Privileged Accounts tab to review which accounts are currently using this policy.

  6. Click Save.

9.2.5 Assigning Password Policies

When you add a new privileged account, Oracle Privileged Account Manager automatically assigns the Default Password Policy to that account. However, if you have created other Password Policies, as described in Section 9.2.4, "Creating a Password Policy," you can assign a different policy to the account.

Note:

Only administrators with the Security Administrator Admin Role can assign Password Policies to accounts.

You can assign Password Policies to an account

From the Accounts Page

To assign a Password Policy from the Accounts page,

  1. Locate the account where you want to assign the policy.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search. For example, if you know the account is assigned to a UNIX target, select unix from the Target Type menu.

  2. When the Search Results display, click the account's Account Name link in the table to open the Account: AccountName page.

  3. On the General tab, select a different policy name from the Password Policy menu.

  4. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager.

    If the test is successful, you should see a "Test Succeeded" message.

  5. Click Apply to finish assigning the policy to the selected account.

From the Targets Page

To assign a Password Policy from the Targets page,

  1. Locate the target where the account is located.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the account's Target Name link in the Search Results table to open the Target: TargetName page.

  3. Click the Privileged Accounts tab to view a list of the accounts currently managed on the target.

    Notice that the table lists the Password Policy that is currently assigned to each account.

  4. Locate the account in the Privileged Accounts table, and then click the Account Name link.

  5. When the General tab displays, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager.

    If the test is successful, you should see a "Test Succeeded" message.

  7. Click Apply to finish assigning the policy to the selected account.

From the Password Policies Page

To assign a Password Policy from the Policies page,

  1. Locate the Password Policy that you want to assign to the account.

    1. Select Password Policies in the Administration accordion.

    2. Click Search in the Search Policies portlet to populate the Search Results table with a list of all available Password Policies.

      To narrow the results or to locate a particular policy, enter search criteria in one or more of the Search Policies fields, and then click Search.

  2. Locate the policy in the Search Results table, and then click the Policy Name link to open the Password Policy: PolicyName page.

  3. Select the Privileged Accounts tab.

  4. Locate the account and click the Account Name link to open the Account: AccountName page.

  5. When the General tab displays, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager.

    If the test is successful, you should see a "Test Succeeded" message.

  7. Click Apply to finish assigning the policy to the selected account.

9.2.6 Deleting Password Policies

Note:

You cannot delete the Default Password Policy.

To delete a Password Policy,

  1. Locate and select the policy to be deleted.

  2. Click the Delete icon.

  3. When the Confirm Remove dialog displays, click the Remove button.

    The policy is immediately deleted. If you had any accounts assigned to that policy, they will all revert to using the Default Password Policy.

9.3 Working with Usage Policies

This section describes the different tasks an administrator performs when working with Usage Policies.

The topics include:

9.3.1 Searching for Usage Policies

To search for a Usage Policy,

  1. Select Usage Policies from the Administration accordion.

  2. When the Search Policies portlet displays, enter your search criteria into one or more of the following fields.

    • Policy Name: Enter all or any part of a policy name.

    • Policy Status: Select All (default) from the menu to search for all policies (active and inactive). Select Active or Disabled to limit the search to just active or inactive policies.

  3. Click Search.

Review your search results in the Search Results table.

9.3.2 Viewing Usage Policies

To review the parameter settings for a Usage Policy,

  1. Select Usage Policies from the Administration accordion.

  2. When the Policies page displays, click Search.

    The existing policies will display in the Search Results table.

  3. Use one of the following methods to open a policy:

    • Click the Row number next to the policy name and then click the Open icon located above the Search Results table.

    • Click the policy name (an active link) in the Search Results table.

      For example, clicking the Default Usage Policy link opens the Usage Policy: Default Usage Policy page.

    The Usage Policy page contains three tabs:

    • General Fields. Contains parameters used to specify general information about the policy.

    • Usage Rules. Contains parameters that govern the time zone to be associated with checking out a privileged account, when the account can be checked out, and when the check out expires.

    • Grantees. Provides information about the grantees who are authorized to use that account.

9.3.3 Modifying the Default Usage Policy

After evaluating the Default Usage Policy, you may decide you want to modify the settings to better suit your environment.

Note:

Oracle recommends making a back-up copy of the Default Usage Policy before you modify it. You can use the export command as described in Section A.8.1, "export Command."

To modify the Default Usage Policy,

  1. Select Usage Policies from the Administration accordion.

  2. When the Usage Policies page displays, click Search to populate the Search Results table.

  3. Select the Default Usage Policy link in the Search Results table to open the Usage Policy: Default Usage Policy page.

  4. Select the General Fields tab, where you can modify one or both of the following parameters:

    Note:

    You cannot edit the Policy Name or Policy Status values for this policy.

    • Description: Highlight and delete the existing text, and then enter your new description.

    • Allow Checkout Type: Use this menu to specify one of the following checkout options for this policy:

      • All: Allow users to check out passwords and sessions.

      • password (default): Allow users to only check out passwords.

      • session: Allow users to only check out sessions.

    • Enable Session Recording: Select to enable session recording when this Usage Policy is applied to a session checkout.

      Refer to Section 8.7, "Viewing a Session Recording" for more information about session recordings.

  5. Select the Usage Rules tab to change one or more of the following parameter settings:

    • Timezone: Select a time zone from the menu to indicate when the policy will be applied.

      For example, if you set the time zone to GMT, and the policy allows check-outs between 9am and 5pm, you can only check out between 9am-5pm GMT, and not PST.

    • Permitted Usage Dates: Use the Monday through Sunday checkboxes and the From and To drop menus to specify when grantees are allowed to use the account. Select one or more days of the week and the periods of time when grantees can access this account. (Default access is 24x7.)

    • Expiration: Enable one of the following options to change when grantees' access to the account expires:

      • Automatically check in account. Use the counter to specify the number of minutes after last check out.

      • Automatically check in account on this date. Click the Calendar icon to open a Select Date and Time dialog.

        Use the month and year menus or click a day in the calendar to specify an expiration date.

        Use the hours, minutes, and seconds menus and enable the AM or PM buttons to specify an expiration time.

      • Never expire. No expiration period is required for the account.

      Note: The Oracle Privileged Account Manager scheduler periodically checks for accounts that have passed their specified expiration period and resets them as described in this section.

      The scheduler makes this check every 60 minutes by default (based on the policyenforcerinterval property in the OPAM Global Config configuration entry, whose default setting is 60 minutes). You can view and modify the current interval by using Oracle Privileged Account Manager's getconfig and modifyconfig command line options. For more information, refer to Section A.2.1, "getconfig Command" and to Section A.2.3, "modifyconfig Command."


    Note:

    If you are configuring a Usage Policy for a shared privileged account, it is prudent to configure an Automatic check-in option to ensure the account gets checked-in and the password gets cycled in a timely manner.

    In addition, consider limiting how many users can access the shared account and further segregate these users by specifying when they can access the account. By specifying which days of the week and what times of the day each user can access the account, you minimize overlapping checkouts and improve Oracle Privileged Account Manager's auditing ability.

    For more information about shared accounts, refer to Section 2.4.2, "Securing Shared Accounts."

  6. Select the Grantees tab to view the grantees to which this policy is assigned.

    Note:

    To specify a different Usage Policy for any grantee listed in the table, click the Account Name link. When the Account page displays, select a different policy name from the Usage Policy menu.

    Tip:

    Clicking the active links in the Grantee Name or Account Name columns enables you to navigate to other screens for additional information.

  7. When you are finished editing the policy, click Apply to save your changes.
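The Usage Rules from step 5, as an added example (not Oracle's code or the product's implementation) of how a checkout attempt and the automatic check-in deadline are evaluated in the policy's own time zone rather than the requester's. The policy, the sample instants and the fixed-offset PST zone are constructed assumptions; the GMT-versus-PST case is the one the Timezone parameter describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, Optional, Tuple

# Fixed-offset zones so the example runs without a tz database. PST is modelled
# as UTC-8 with no daylight-saving handling (an assumption for this example).
GMT = timezone.utc
PST = timezone(timedelta(hours=-8), "PST")

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


@dataclass
class UsageRules:
    """Parameters of the Usage Rules tab, as modelled for this example."""
    tz: tzinfo = GMT
    # Permitted Usage Dates: day name -> (From, To) in the policy's time zone.
    # An empty dict means the default 24x7 access.
    windows: Dict[str, Tuple[time, time]] = field(default_factory=dict)
    # Expiration: one of the three options. Both None means "Never expire".
    auto_checkin_minutes: Optional[int] = None
    auto_checkin_on: Optional[datetime] = None


def checkout_permitted(instant: datetime, rules: UsageRules) -> bool:
    """True if a checkout attempted at `instant` (an aware datetime) falls inside the
    permitted window, evaluated in the policy's time zone, not the caller's."""
    local = instant.astimezone(rules.tz)
    if not rules.windows:
        return True                      # 24x7 default
    window = rules.windows.get(DAYS[local.weekday()])
    if window is None:
        return False                     # this day of the week is not enabled
    start, end = window
    return start <= local.time() < end


def checkin_deadline(checked_out_at: datetime, rules: UsageRules) -> Optional[datetime]:
    """When the account should be checked back in automatically (None = never)."""
    if rules.auto_checkin_minutes is not None:
        return checked_out_at + timedelta(minutes=rules.auto_checkin_minutes)
    if rules.auto_checkin_on is not None:
        return rules.auto_checkin_on
    return None


def overdue_for_checkin(now: datetime, checked_out_at: datetime, rules: UsageRules) -> bool:
    """What the periodic enforcement check decides for one outstanding checkout."""
    deadline = checkin_deadline(checked_out_at, rules)
    return deadline is not None and now >= deadline


# Constructed policy: Monday to Friday, 9am to 5pm GMT, automatic check-in
# 120 minutes after the last checkout.
BUSINESS_HOURS_GMT = UsageRules(
    tz=GMT,
    windows={d: (time(9, 0), time(17, 0)) for d in DAYS[:5]},
    auto_checkin_minutes=120,
)

# Constructed checkout attempts (2024-01-15 is a Monday, 2024-01-13 a Saturday).
MONDAY_NOON_PST = datetime(2024, 1, 15, 12, 0, tzinfo=PST)     # 20:00 GMT, outside window
MONDAY_8AM_PST = datetime(2024, 1, 15, 8, 0, tzinfo=PST)       # 16:00 GMT, inside window
MONDAY_10AM_GMT = datetime(2024, 1, 15, 10, 0, tzinfo=GMT)
SATURDAY_10AM_GMT = datetime(2024, 1, 13, 10, 0, tzinfo=GMT)   # day not enabled

if __name__ == "__main__":
    for label, when in (("noon PST", MONDAY_NOON_PST), ("8am PST", MONDAY_8AM_PST),
                        ("Saturday 10am GMT", SATURDAY_10AM_GMT)):
        print(label, "permitted:", checkout_permitted(when, BUSINESS_HOURS_GMT))
    print("check-in deadline:", checkin_deadline(MONDAY_10AM_GMT, BUSINESS_HOURS_GMT))
```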

9.3.4 Creating a Usage Policy

To create a Usage Policy,

  1. Select Usage Policies from the Administration accordion.

  2. When the Policies page displays, click Create at the top of the Search Results table.

    A new page, Usage Policy: Untitled, displays with three tabs.

  3. Provide the following information on the General tab:

    1. Policy Name: Enter a name for the new policy.

    2. Policy Status: Click the button to specify whether the policy status is Active or Disabled.

      Making the policy Active puts that policy into effect for the associated accounts and grants.

      Disabling a policy applies the Default Usage Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

    3. Description (optional): Enter a descriptive statement about the new policy.

    4. Allow Checkout Type: Use this menu to specify one of the following checkout options for this policy:

      • All: Allow users to check out passwords and sessions.

      • password (default): Allow users to only check out passwords.

      • session: Allow users to only check out sessions.

    5. Enable Session Recording: Select to enable session recording when this Usage Policy is applied to a session checkout.

      Refer to Section 8.7, "Viewing a Session Recording" for more information about session recordings.

  4. Select the Usage Rules tab to define rules for using a privileged account. Refer to step 5 of Section 9.3.3, "Modifying the Default Usage Policy" for a description of these parameter settings.

  5. Select the Grantees tab to assign the new policy to accounts or grantees. Refer to Section 9.3.5, "Assigning Usage Policies" for detailed instructions.

    After assigning this policy, you can select the Grantees tab to review which users or groups are using this policy.

  6. Click Save.

9.3.5 Assigning Usage Policies

When you create a new privileged account, Oracle Privileged Account Manager automatically assigns the Default Usage Policy to that account. However, if you have created additional Usage Policies, as described in Section 9.3.4, "Creating a Usage Policy," then you can assign a different policy to the account.

Note:

  • Administrators with the Security Administrator Admin Role can assign Usage Policies to accounts. However, this role can only apply a Usage Policy at the account level.

  • Administrators with the User Manager Admin Role can assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

You can assign a different Usage Policy

Note:

  • When you add grantees to an account, as described in Section 10.2, "Granting Accounts to Users" or Section 10.3, "Granting Accounts to Groups," Oracle Privileged Account Manager adds the user or group name to the Users or Groups table on the Grants tab and automatically assigns the Default Usage Policy.

  • When you create a new Usage Policy for an account, the new policy is not automatically assigned to the existing grantees on that account. Oracle Privileged Account Manager allows you to assign customized policies to individual grantees, so you do not want the new policy to override those other policy assignments.

    However, if you create a new policy for an account and then add new grantees, those (and future) grantees will automatically be associated with that policy because it has become the new Default Usage Policy for the account.

From the Accounts Page

To assign a Usage Policy from the Accounts page,

  1. Locate the account where you want to assign the policy.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search.

  2. Click the account's Account Name link in the Search Results table to open the Account: AccountName page.

  3. Select the Grants tab.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to add your changes.

From the Targets Page

To assign a Usage Policy from the Targets page,

  1. Locate the target where the account is located.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the account's Target Name in the Search Results table to open that target.

  3. When the Target: TargetName page displays, click the Grants tab to view a list of the grantees currently granted access to that account.

    Notice that the table lists the Usage Policy that is currently assigned to each grantee.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to finish assigning the policy to the selected account.

From the Usage Policies Page

To assign a Usage Policy from the Policies page,

  1. Locate the Usage Policy that you want to assign to the account.

    1. Select Usage Policies in the Administration accordion.

    2. Click Search in the Search Policies portlet to populate the Search Results table with a list of all available Usage Policies.

      To narrow the results or to locate a particular policy, enter search criteria in one or more of the Search Policies fields, and then click Search.

  2. When the search results display, locate the policy you want to assign. Click the Policy Name link to open the Usage Policy: PolicyName page.

  3. Select the Grantees tab.

  4. Locate the user or group name in the Grantees table and then click that grantee's Account Name link to open the account.

  5. When the Account: AccountName page displays, click the Grants tab.

  6. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  7. Click Apply to add your changes.

9.3.6 Deleting Usage Policies

Note:

You cannot delete the Default Usage Policy.

To delete a Usage Policy,

  1. Locate and select the policy to be deleted.

  2. Click the Delete icon.

  3. When the Confirm Remove dialog displays, click the Remove button.

    The policy is immediately deleted. If you had any accounts assigned to that policy, they will all revert to using the Default Usage Policy.