10 Working with Policies

This chapter introduces Oracle Privileged Account Manager policies and describes how administrators can configure and manage policies from the Console.

This chapter includes the following sections:

Note:

Administrators can also manage Oracle Privileged Account Manager policies from the command line or by using Oracle Privileged Account Manager's RESTful interface. For information, refer to

10.1 What Are Oracle Privileged Account Manager Policies?

In Oracle Privileged Account Manager, there are two types of policies:

  • Password Policies define the password construction rules to be enforced by a specific target on an associated privileged account. This policy type also governs the password's lifecycle, or how often the password must be changed.

    For example, a Password Policy might require a minimum and maximum number of numeric characters in a password and require that a password must be changed every five days.

    You can also use a Password Policy to create passwords that enable Oracle Privileged Account Manager to reset the password for a privileged account.

  • Usage Policies define when and how grantees can use a privileged account.

    You can also configure Usage Policies to constrain and enforce which tasks users are allowed to perform when they have session access.

Every privileged account that is managed by Oracle Privileged Account Manager must have an associated Password Policy. A Usage Policy only applies at the level of a grant. You can associate a single Password Policy with multiple privileged accounts and a single Usage Policy with multiple grants.

Note:

For information about how grants are applied for Usage Policies, refer to Section 10.3.1.1, "Understanding How Grants are Applied."

Oracle Privileged Account Manager provides both a Default Password Policy and a Default Usage Policy. You can use these default policies, modify them, or create your own, specialized policies. Refer to Section 10.2, "Working with Password Policies" and Section 10.3, "Working with Usage Policies," respectively, for more information.

Note:

You cannot delete the Default Password Policy or the Default Usage Policy.

Table 10-1 describes which Admin Roles can work with Oracle Privileged Account Manager policies and it describes which tasks each Admin Role can and cannot perform.

Table 10-1 Which Admin Roles Can Work with Policies

Security Administrator

  Can perform this task:

  • Modify the Default Password Policy and Default Usage Policy

  • Create new Password Policies and Usage Policies

  • Delete Password Policies and Usage Policies

  • Assign Password Policies

  Cannot perform this task:

  • Assign Usage Policies

User Manager

  Can perform this task:

  • Assign a Usage Policy to accounts at the grantee-account pair level.

    In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

  Cannot perform this task:

  • Assign Password Policies

10.2 Working with Password Policies

This section describes the different tasks an administrator performs when working with Password Policies.

Note:

You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to work with and assign Password Policies.

The topics include:

10.2.1 Searching for Password Policies

To search for a Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Search Policies portlet is displayed, enter your search criteria into one or more of the following fields.

    • Name: Enter all or any part of a policy name.

    • Status: Choose one of the following options from the menu.

      • Select All (default) to search for all policies (active and inactive).

      • Select Active or Disabled to limit the search to just active or just inactive policies.

  3. Click Search.

The results are displayed in the Search Results table, which includes the Name and Status.

10.2.2 Viewing Password Policies

To review the parameter settings for a Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Policies page is displayed, click Search.

    The existing Password Policies are displayed in the Search Results table.

  3. Use one of the following methods to open a policy:

    • Click the row number next to the name of the policy, and then click the Open icon located above the Search Results table.

    • Click the name (an active link) in the Search Results table.

      For example, clicking the Default Password Policy link opens the Password Policy: Default Password Policy page.

    A Password Policy page contains three tabs:

    • General. Select this tab to specify general information about the policy and to configure Password Lifecycle Rules for the policy.

      Password Lifecycle Rules govern when Oracle Privileged Account Manager must automatically reset an account password. Refer to Table 10-2, "Password Lifecycle Rules Parameters" for a description of these parameters.

    • Password Complexity Rules. Select this tab to set the rules that govern the complexity requirements for account passwords. Refer to Table 10-3, "Password Complexity Rules Parameters" for a description of these parameters.

    • Privileged Accounts. Select this tab to view information about the privileged accounts currently using the selected Password Policy.

10.2.3 Modifying the Default Password Policy

After evaluating the Default Password Policy, you may decide you want to modify the settings to better suit your environment.

Note:

Oracle recommends making a back-up copy of the Default Password Policy before you make any changes. You can use the export command as described in Section A.10.1, "export Command."

To modify the Default Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Password Policies page is displayed, click Search to populate the Search Results table.

  3. Click the Default Password Policy link in the Search Results table to open the Password Policy: Default Password Policy page.

  4. Select the General tab to modify the Description in the General Fields area or to modify any of the following Password Lifecycle Rules:

    Note:

    You cannot edit the Name or Status values for this policy.

    Table 10-2 Password Lifecycle Rules Parameters

    Parameter Description

    Save password history for

    Use the counter and drop menus to specify how many days to save the password history for an account. The password history includes when accounts are checked out, checked in, and when their passwords were reset.

    Expire password after

    Use the counter and drop menus to specify a duration period (number of days, hours, or minutes) after which Oracle Privileged Account Manager must automatically reset the account password. For example, if your enterprise wants a security policy where account passwords must be changed every month, you would set this value to 30 days.

    Every time the account is checked out and its password gets changed (if the policy is configured so that passwords must be changed on checkout/check-in) Oracle Privileged Account Manager tracks the password change time.

    If Oracle Privileged Account Manager detects the account is idle and no password changes have occurred over the specified number of days, then Oracle Privileged Account Manager automatically resets the password to a new, randomized value, which helps the enterprise to automatically enforce the security policy without human intervention. To disable this automatic reset option, set the numeric value to 0.

    Note: The Oracle Privileged Account Manager scheduler periodically checks for accounts where the password maximum age has expired and resets them as described in this section.

    By default, the scheduler makes this check every 60 minutes (based on the passwordcyclerinterval property in the OPAM Global Config configuration entry, whose default setting is 60 minutes). You can view and modify the current interval by using Oracle Privileged Account Manager's getconfig and modifyconfig command line options. For more information, refer to Section A.2.1, "getconfig Command" and to Section A.2.3, "modifyconfig Command."

    Reset password on check-in

    Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a check-in operation.

    Uncheck this box if you do not want the password to be reset during the check-in operation.

    Reset password on check-out

    Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a checkout operation.

    Uncheck this box if you do not want the password to be reset during the checkout operation.


    Note:

    • An administrator with the Security Administrator Admin Role can also manually reset a password by using the Reset Password option (described in Section 9.8.3, "Resetting an Account Password") and Oracle Privileged Account Manager tracks this password change time as well.

    • For higher security, the Reset password on check-in and Reset password on check-out options are both enabled by default, but they can be disabled if required. For example, some enterprises may only require that passwords be reset every 30 days.

    • If your enterprise prefers that passwords not be automatically managed at all, and that they are changed only through human intervention, disable all three Password Lifecycle Rules options.

      However, after disabling these three options, the only way to manually change passwords is by using the Reset Password option (described in Section 9.8.3, "Resetting an Account Password"). Oracle Privileged Account Manager is still useful in this case, as you can reset and centrally manage passwords for multiple systems from one place by using Oracle Privileged Account Manager.

  5. Select the Password Complexity Rules tab to change one or more of the parameters that define the default password requirements.

    Table 10-3 Password Complexity Rules Parameters

    Parameter Description

    Characters for Password

    Specify the minimum and maximum number of characters required.

    Alphabetic Characters

    Specify the minimum number of alphabetic characters required.

    Numeric Characters

    Specify the minimum number of numeric characters required.

    Alphanumeric Characters

    Specify the minimum number of alphanumeric characters required.

    Special Characters

    Specify the minimum and maximum number of special characters (such as * or @) required.

    Repeated Characters

    Specify the minimum and maximum number of repeated characters allowed.

    Unique Characters

    Specify the minimum number of unique characters required.

    Uppercase Characters

    Specify the minimum number of uppercase characters required.

    Lowercase Characters

    Specify the minimum number of lowercase characters required.

    Start with Character (not digit)

    Specify the first character required to start a password.

    Required Characters

    Specify which characters are required in a password.

    Allowed Characters

    Specify which characters are permitted in a password.

    Disallowed Characters

    Specify which characters are not permitted in a password.

    Disallowed as Password

    Enable (check) the Account Name box to prohibit the use of an account name in the password.


  6. Select the Privileged Accounts tab to review which accounts are currently using the Default Password Policy.

    Note:

    To specify a different Password Policy for any account listed in the table, click the Account Name link. When the Account page is displayed, select a different policy name from the Password Policy menu.

  7. When you are finished editing the policy, click Apply to save your changes.

10.2.4 Creating a Password Policy

To create a Password Policy,

  1. Select Password Policies from the Administration accordion.

  2. When the Password Policies page is displayed, click Create at the top of the Search Results table.

    A new, "Password Policy: Untitled" page is displayed with three tabs.

  3. Provide the following information on the General tab:

    1. Name: Enter a name for the new policy.

    2. Status: Click the Active or Disabled button to specify whether the policy is active or disabled.

      Making the policy Active puts that policy into effect for all of the associated accounts and grants.

      Disabling a policy applies the Default Password Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

    3. Description (optional): Enter a descriptive statement about the new policy.

    4. Password Lifecycle Rules: Configure these parameters to enable Oracle Privileged Account Manager to auto-generate and set a randomized account password under certain conditions. Refer to Table 10-2, "Password Lifecycle Rules Parameters" for more information.

  4. Select the Password Complexity Rules tab to specify password complexity rules for this policy. Refer to Table 10-3, "Password Complexity Rules Parameters" for a description of these parameter settings.

  5. Select the Privileged Accounts tab to assign the new policy to accounts or grantees. Refer to Section 10.2.5, "Assigning Password Policies" for detailed instructions.

    After assigning this Password Policy to privileged accounts, you can select the Privileged Accounts tab to review which accounts are currently using this policy.

  6. Click Save.

10.2.5 Assigning Password Policies

When you add a new privileged account, Oracle Privileged Account Manager automatically assigns the Default Password Policy to that account. However, if you have created other Password Policies, as described in Section 10.2.4, "Creating a Password Policy," you can assign a different policy to the account.

Note:

Only administrators with the Security Administrator Admin Role can assign Password Policies to accounts.

You can assign Password Policies to an account from any of the following pages:

From the Accounts Page

To assign a Password Policy from the Accounts page,

  1. Locate the account where you want to assign the policy.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search. For example, if you know the account is assigned to a UNIX target, select unix from the Target Type menu.

  2. When the Search Results display, click the account's Account Name link in the table to open the Account: AccountName page.

  3. On the General tab, select a different policy name from the Password Policy menu.

  4. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager.

    If the test is successful, a "Test Succeeded" message is displayed.

  5. Click Apply to finish assigning the policy to the selected account.

From the Targets Page

To assign a Password Policy from the Targets page,

  1. Locate the target where the account is located.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the target name of the account (an active link) in the Search Results table to open the Target: TargetName page.

  3. Click the Privileged Accounts tab to view a list of the accounts currently managed on the target.

    Notice that the table lists the Password Policy that is currently assigned to each account.

  4. Locate the account in the Privileged Accounts table, and then click the name of the account, which is an active link.

  5. When the General tab is displayed, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager.

    If the test is successful, a "Test Succeeded" message is displayed.

  7. Click Apply to finish assigning the policy to the selected account.

From the Password Policies Page

To assign a Password Policy from the Policies page,

  1. Locate the Password Policy that you want to assign to the account.

    1. Select Password Policies in the Administration accordion.

    2. Click Search in the Search Policies portlet to populate the Search Results table with a list of all available Password Policies.

      To narrow the results or to locate a particular policy, enter search criteria in one or more of the Search Policies fields, and then click Search.

  2. Locate the policy in the Search Results table, and then click the name of the password policy (an active link) to open the "Password Policy: PolicyName" page.

  3. Select the Privileged Accounts tab.

  4. Locate the account and click the name of the account (an active link) to open the "Account: AccountName" page.

  5. When the General tab is displayed, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager.

    If the test is successful, a "Test Succeeded" message is displayed.

  7. Click Apply to finish assigning the policy to the selected account.

10.2.6 Deleting Password Policies

Note:

You cannot delete the Default Password Policy.

To delete a Password Policy,

  1. Locate and select the policy to be deleted.

  2. Click Delete.

  3. When the Confirm Remove dialog box is displayed, click Remove.

    The policy is immediately deleted. If you had any accounts assigned to that policy, they will all revert to using the Default Password Policy.

10.3 Working with Usage Policies

This section describes the different tasks an administrator performs when working with Usage Policies.

Note:

  • You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to work with (search, create, modify, or delete) Usage Policies.

  • You must be an Oracle Privileged Account Manager administrator with the User Manager Admin Role to assign Usage Policies.

The topics include:

10.3.1 Before You Begin

Before you start working with Usage Policies, you should understand the concepts described in the following sections:

10.3.1.1 Understanding How Grants are Applied

A Usage Policy only applies at the level of a grant. For Usage Policies, Oracle Privileged Account Manager applies grants in the following order:

  • User grants are given first priority.

    If a user has direct access to an account through a user grant, then Oracle Privileged Account Manager applies the Usage Policy that corresponds to that grant.

  • If Oracle Privileged Account Manager cannot find a user grant for the user, then it looks for any group grants that grant the user access to that account.

    If the user is a member of multiple granted groups, then Oracle Privileged Account Manager sorts the group names into alphabetical order and uses the Usage Policy assigned to the first group.

    For example, assume you have Group A with corresponding policy UsagePolicyB and Group B with UsagePolicyA. When Oracle Privileged Account Manager sorts the group names, Group A comes first alphabetically, so Oracle Privileged Account Manager will apply UsagePolicyB.
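The resolution order above can be modelled in a few lines. The following is an added example, not Oracle Privileged Account Manager code: the class, method, user, and UsagePolicyC names are hypothetical, the sample data is constructed, and "alphabetical order" is assumed to be Java's natural String ordering. It also lists users whose effective policy depends only on how their groups are named, which is worth reviewing when group grants carry different Usage Policies.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeMap;
import java.util.TreeSet;

// Added illustration of Section 10.3.1.1; all names here are hypothetical.
public class UsagePolicyResolver {

    // Groups that both contain the user and hold a grant on the account, sorted by name.
    // Assumption: "alphabetical" is modelled as natural String ordering.
    static SortedSet<String> grantedGroups(String user,
                                           Map<String, String> groupGrants,
                                           Map<String, Set<String>> memberships) {
        SortedSet<String> granted = new TreeSet<>();
        for (String group : memberships.getOrDefault(user, Set.of())) {
            if (groupGrants.containsKey(group)) {
                granted.add(group);
            }
        }
        return granted;
    }

    // Effective Usage Policy for one user on one account.
    // userGrants:  user name  -> policy of the direct (user) grant
    // groupGrants: group name -> policy of the group grant
    static Optional<String> resolve(String user,
                                    Map<String, String> userGrants,
                                    Map<String, String> groupGrants,
                                    Map<String, Set<String>> memberships) {
        // 1. A user grant has first priority.
        String direct = userGrants.get(user);
        if (direct != null) {
            return Optional.of(direct);
        }
        // 2. Otherwise the first granted group in sorted order decides.
        SortedSet<String> granted = grantedGroups(user, groupGrants, memberships);
        return granted.isEmpty()
                ? Optional.empty()
                : Optional.of(groupGrants.get(granted.first()));
    }

    // Audit helper: users without a user grant whose granted groups carry
    // different policies, so the group name alone picks the effective policy.
    static Map<String, SortedSet<String>> nameDependentUsers(
            Map<String, String> userGrants,
            Map<String, String> groupGrants,
            Map<String, Set<String>> memberships) {
        Map<String, SortedSet<String>> result = new TreeMap<>();
        for (String user : memberships.keySet()) {
            if (userGrants.containsKey(user)) {
                continue;
            }
            SortedSet<String> granted = grantedGroups(user, groupGrants, memberships);
            Set<String> policies = new HashSet<>();
            for (String group : granted) {
                policies.add(groupGrants.get(group));
            }
            if (policies.size() > 1) {
                result.put(user, granted);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data; group and policy names follow the example in the text.
        Map<String, String> groupGrants = Map.of(
                "Group A", "UsagePolicyB",
                "Group B", "UsagePolicyA");
        Map<String, String> userGrants = Map.of("asmith", "UsagePolicyC");
        Map<String, Set<String>> memberships = Map.of(
                "jdoe", Set.of("Group A", "Group B"),
                "asmith", Set.of("Group A"),
                "bjones", Set.of("Group B"));

        for (String user : List.of("jdoe", "asmith", "bjones", "nobody")) {
            String policy = resolve(user, userGrants, groupGrants, memberships)
                    .orElse("(no grant)");
            System.out.println(user + " -> " + policy);
        }
        System.out.println("Policy decided by group name only: "
                + nameDependentUsers(userGrants, groupGrants, memberships));
    }
}
```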

10.3.1.2 Configuring Usage Policies for Users with Session Access

Oracle Privileged Session Manager supports SSH in both interactive (shell) mode and non-interactive (Exec) mode. Users can also copy files from a target by using Secure Copy (SCP).

You can configure the Usage Policy to constrain and enforce which tasks the privileged users are allowed to perform when they have session access. You can apply this control at the following levels:

  • Session mode level: In this mode, you can control whether the user can use SCP or start an SSH session in Interactive or Non-Interactive modes.

    • Interactive mode: In this mode, the user can start a shell with the target.

    • Non-Interactive mode: In this mode, the user can execute a command remotely.

  • Command level: In this mode, you can control which commands the user can execute on the target system in an SSH session.

    If you enable either interactive or non-interactive mode, then you can use Oracle Privileged Session Manager's command control and replacement feature.

Command Control

Using a whitelist or blacklist of commands, you can configure the commands that a user can or cannot execute on the target.

Note:

The commands in the list use Java regular expression syntax.

For example, if you specify ls.*, all the commands that start with ls will be matched.

The following list describes how the whitelist and blacklist must be used:

  • Whitelist: Use a whitelist to restrict the allowed commands to a defined set. This is the recommended option.

  • Blacklist: Use a blacklist to prevent unintentional usage of commands that are deemed harmful. By using a blacklist and recording user activities, you can dissuade a user from executing such commands.

Command Replacement

You can specify a list of command names along with their replacements. This is useful to replace the execution of potentially harmful commands with their safer equivalents.

Note:

The commands in the command replacement do not support regular expressions.

Only the command names are replaced, and the arguments are retained as is. For example, if the command "rm" must be replaced with "rm -i," then the sample input and executed command may be as follows:

Input command: rm importantFile

Executed command: rm -i importantFile
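Because list entries are Java regular expressions, it helps to test them with java.util.regex before saving them in a policy. The following is an added example, not Oracle Privileged Session Manager code: the class and method names are hypothetical, the sample commands are constructed, and it assumes an entry must match the whole command line (Pattern.matches semantics). It compares the ls.* entry from the text with a narrower whitelist entry and models command replacement as a literal command-name lookup that keeps the arguments.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration of command control and command replacement; names are hypothetical.
public class CommandControlCheck {

    enum ListType { NONE, WHITE_LIST, BLACK_LIST }

    // Assumption: a list entry must match the entire command line.
    static boolean matchesAny(List<String> entries, String commandLine) {
        for (String entry : entries) {
            if (Pattern.matches(entry, commandLine)) {
                return true;
            }
        }
        return false;
    }

    // Whitelist: allowed only if some entry matches.
    // Blacklist: allowed unless some entry matches.
    // None: command control is not applied.
    static boolean isAllowed(ListType type, List<String> entries, String commandLine) {
        switch (type) {
            case WHITE_LIST:
                return matchesAny(entries, commandLine);
            case BLACK_LIST:
                return !matchesAny(entries, commandLine);
            default:
                return true;
        }
    }

    // Replacement is a literal lookup on the command name (no regular expressions);
    // everything after the name is retained as is.
    static String applyReplacement(Map<String, String> replacements, String commandLine) {
        String trimmed = commandLine.trim();
        int firstSpace = trimmed.indexOf(' ');
        String name = firstSpace < 0 ? trimmed : trimmed.substring(0, firstSpace);
        String arguments = firstSpace < 0 ? "" : trimmed.substring(firstSpace);
        String replacement = replacements.get(name);
        return replacement == null ? trimmed : replacement + arguments;
    }

    public static void main(String[] args) {
        // The entry from the text: anything that starts with "ls".
        List<String> broad = List.of("ls.*");
        // A narrower entry: "ls" followed only by plain options and paths.
        List<String> tight = List.of("ls(\\s+[-\\w./]+)*");

        // Constructed sample command lines.
        List<String> samples = List.of("ls", "ls -la /var/log", "lsof -i", "cat /etc/hosts");
        for (String command : samples) {
            System.out.printf("%-18s broad=%-5b tight=%b%n",
                    command,
                    isAllowed(ListType.WHITE_LIST, broad, command),
                    isAllowed(ListType.WHITE_LIST, tight, command));
        }

        // The replacement from the text: "rm" becomes "rm -i".
        Map<String, String> replacements = Map.of("rm", "rm -i");
        for (String command : List.of("rm importantFile", "rmdir oldDir")) {
            System.out.println(command + " => " + applyReplacement(replacements, command));
        }
    }
}
```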

10.3.2 Searching for Usage Policies

Perform the following procedure to search for a Usage Policy:

  1. Select Usage Policies from the Administration accordion.

  2. When the Search Policies portlet is displayed, enter your search criteria into one or more of the following fields:

    • Name: Enter all or any part of a policy name.

    • Status: Select All (default) from the menu to search for all policies (active and inactive). Select Active or Disabled to limit the search to just active or inactive policies.

  3. Click Search.

The search results are displayed in the Search Results table, which includes the Name and Status.

10.3.3 Viewing Usage Policies

Perform the following procedure to review parameter settings for a Usage Policy:

  1. Select Usage Policies from the Administration accordion.

  2. When the Policies page is displayed, click Search.

    The existing policies are displayed in the Search Results table.

  3. Use one of the following methods to open a policy:

    • Click the row number next to the name of the policy and then click the Open icon located above the Search Results table.

    • Click the policy name (an active link) in the Search Results table.

      For example, clicking the Default Usage Policy link opens the Usage Policy: Default Usage Policy page.

    The Usage Policy page contains four tabs:

    • General Fields: This tab contains parameters used to specify general information about the policy.

    • Capabilities: This tab contains parameters that are used to control which type of checkouts users can perform, to enable or disable session recording and to configure session access.

    • Usage Rules: This tab contains parameters that govern the time zone to be associated with checking out a privileged account, when the account can be checked out, and when the check out expires.

    • Grantees: This tab provides information about the grantees who are authorized to use that account.

10.3.4 Modifying the Default Usage Policy

After evaluating the Default Usage Policy, you may want to modify the settings to better suit your environment.

Note:

Oracle recommends that you make a back-up copy of the Default Usage Policy before making any changes. You can use the export command as described in Section A.10.1, "export Command."

To modify the Default Usage Policy, perform the following:

  1. Select Usage Policies from the Administration accordion.

  2. When the Usage Policies page is displayed, click Search to populate the Search Results table.

  3. Select the Default Usage Policy link in the Search Results table to open the Usage Policy: Default Usage Policy page.

  4. Select the General Fields tab, where you can modify the following parameter:

    Note:

    You cannot edit the Name or Status values for this policy.

    Description: Highlight and delete the existing text, and then enter your new description.

  5. Select the Capabilities tab to do the following:

    • In the Basic Configuration area, you can modify any of the following parameters:

      • Allow Checkout Type: Use this menu to specify "All," "password," or "session" as the checkout option for this policy. The following are descriptions for these options:

        - All (Default): Specify this option to allow users to check out passwords and sessions.

        - password: Allow users to only check out passwords.

        - session: Allow users to only check out sessions.

        The following table lists the Session Checkout Settings that you can view or modify for the All or the Session Checkout option:

        Parameter Description

        SCP Configuration

        The Enable SCP (Secure Copy) setting displays a blue check mark if you have enabled SCP. Enabling this option enables the user to securely copy files to and from the target.

        SSH Configuration

        The Enable Interactive Mode and the Enable Non-Interactive Mode settings will display a blue check mark if they have been enabled. If either Interactive Mode or the Non-Interactive Mode is enabled, then in the Command Control List area you can select one of the following options for List Type:

        • None: Command control is not applied in this case.

        • Black List: Select this option to add a command to or remove a command from the black list.

          To add a command to this list, select Black List under List Type and click Add to insert a new row. In the new row, enter a command using Java regular expression syntax in the Command column and click Save.

          To remove a command from this list, locate and select the command to be removed from the black list and click Remove.

        • White List: Select this option to add a command to or remove a command from the white list.

          To add a command to this list, select White List under List Type and click Add to insert a new row. In the new row, enter a command using Java regular expression syntax in the Command column and click Add.

          To remove a command from this list, locate and select the command to be removed from the white list and click Remove.

        The Enable Command Logging option will display a blue check mark if it has been enabled. Enable this flag to enable interactive session transcript.

        Note: Interactive session transcript is automatically available if the Command Control or Command Replacement option is enabled.

        In the Command Replacement area, you can specify the command to be replaced with its specified replacement. To do so, click Add to insert a new row. In the new row, enter the command name you want to replace in the Original column and enter the new command in the Replacement column and click Add.

        Note: The Command Replacement feature only replaces the command name, but retains the arguments. You cannot use regular expressions in command replacement.


      • Enable Session Recording: Select the Enable Session Recording checkbox when this Usage Policy is applied to a session checkout.

        Refer to Section 9.7, "Viewing a Session Recording" for more information about session recordings.

  6. Select the Usage Rules tab to change one or more of following parameter settings:

    Parameter Description

    Timezone

    Select a time zone from the menu to indicate when the policy will be applied.

    For example, if you set the time zone to GMT, and the policy allows check-outs between 9am to 5pm, you can only check out between 9am-5pm GMT, and not PST.

    Permitted Usage Dates

    Use the Monday through Sunday checkboxes and the From and To drop menus to specify when grantees are allowed to use the account. Select one or more days of the week and the periods of time when grantees can access this account. The default access period is 24x7.

    Expiration

    Enable one of the following options to change when the grantees' access to the account expires:

    • Automatically check in account. Use the counter to specify the number of minutes after last check out.

    • Automatically check in account on this date. Click the Calendar icon to open a Select Date and Time dialog.

      Use the month and year menus or click a day in the calendar to specify an expiration date.

      Use the hours, minutes, and seconds menus and enable the AM or PM buttons to specify an expiration time.

    • Never expire. No expiration period is required for the account.

    Note: The Oracle Privileged Account Manager scheduler periodically checks for accounts that have passed their specified expiration period and resets them as described in this section.

    The scheduler makes this check every 60 minutes by default (based on the policyenforcerinterval property in the OPAM Global Config configuration entry, whose default setting is 60 minutes). You can view and modify the current interval by using Oracle Privileged Account Manager's getconfig and modifyconfig command line options. For more information, refer to Section A.2.1, "getconfig Command" and to Section A.2.3, "modifyconfig Command."


    Note:

    If you are configuring a Usage Policy for a shared privileged account, it is prudent to configure an Automatic check-in option to ensure the account gets checked-in and the password gets cycled in a timely manner.

    In addition, consider limiting how many users can access the shared account and further segregate these users by specifying when they can access the account. By specifying which days of the week and what times of the day each user can access the account, you minimize overlapping checkouts and improve Oracle Privileged Account Manager's auditing ability.

    For more information about shared accounts, refer to Section 2.4.2, "Securing Shared Accounts."

  7. Select the Grantees tab to view which grantee this policy is assigned to.

    Note:

    To specify a different Usage Policy for any grantee listed in the table, click the name of the account which is an active link. When the Account page is displayed, select a different policy name from the Usage Policy menu.

    Tip:

    Clicking the active links in the "Grantee Name" or "Account Name" columns enables you to navigate to other screens to see additional information.

  8. When you are finished editing the policy, click Apply to save your changes.

10.3.5 Creating a Usage Policy

To create a Usage Policy,

  1. Select Usage Policies from the Administration accordion.

  2. When the Policies page is displayed, click Create at the top of the Search Results table.

    A new, "Usage Policy: Untitled" page is displayed with three tabs.

  3. Provide the following information on the General tab:

    1. Name: Enter a name for the new policy.

    2. Status: Click the Active or Disabled button to specify whether the policy status is active or disabled.

      Making the policy Active puts that policy into effect for the associated accounts and grants.

      Disabling a policy applies the Default Usage Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

    3. Description (optional): Enter a descriptive statement about the new policy.

  4. Select the Usage Rules tab to define rules for using a privileged account. Refer to the table in Step 6 of Section 10.2.3, "Modifying the Default Password Policy" for a description of these parameter settings.

  5. Select the Capabilities tab to control the checkout capabilities. Refer to the table in Step 5 of Section 10.3.4, "Modifying the Default Usage Policy" for a description of the Capabilities tab.

  6. Select the Grantees tab to assign the new policy to accounts or grantees. Refer to Section 10.3.6, "Assigning Usage Policies" for detailed instructions.

    After assigning this policy, you can select the Grantees tab to review which users or groups are using this policy.

  7. Click Save.

10.3.6 Assigning Usage Policies

When you create a new grant, Oracle Privileged Account Manager automatically assigns the Default Usage Policy to that grant. However, if you have created additional Usage Policies, as described in Section 10.3.5, "Creating a Usage Policy," then you can assign a different policy to the grant.

Note:

Administrators with the User Manager Admin Role can assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

You can assign a different Usage Policy

Note:

When you add grantees to an account, as described in Section 11.2, "Granting Accounts to Users" or Section 11.3, "Granting Accounts to Groups," Oracle Privileged Account Manager adds the user or group name to the Users or Groups table on the Grants tab and automatically assigns the Default Usage Policy.

From the Accounts Page

To assign a Usage Policy from the Accounts page,

  1. Locate the account where you want to assign the policy.

    1. Select Accounts in the Administration accordion.

    2. Click Search in the Search Accounts portlet to populate the Search Results table with a list of all available accounts.

      To narrow the results or to locate a particular account, enter search criteria in one or more of the Search Accounts fields, and then click Search.

  2. Locate and click the account's Account Name link to open the Account: AccountName page.

  3. Select the Grants tab.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to add your changes.

From the Targets Page

To assign a Usage Policy from the Targets page,

  1. Locate the target where the account is located.

    1. Select Targets in the Administration accordion.

    2. Click Search in the Search Targets portlet to populate the Search Results table with a list of all available targets.

      To narrow the results or to locate a particular target, enter search criteria in one or more of the Search Targets fields, and then click Search.

  2. Click the target name of the account (an active link) in the Search Results table to open that target.

  3. When the "Target: TargetName" page is displayed, click the Grants tab to view a list of the grantees currently granted access to that account.

    Notice that the table lists the Usage Policy that is currently assigned to each grantee.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to finish assigning the policy to the selected account.

From the Usage Policies Page

To assign a Usage Policy from the Policies page,

  1. Locate the Usage Policy that you want to assign to the account.

    1. Select Usage Policies in the Administration accordion.

    2. Click Search in the Search Policies portlet to populate the Search Results table with a list of all available Usage Policies.

      To narrow the results or to locate a particular policy, enter search criteria in one or more of the Search Policies fields, and then click Search.

  2. When the search results display, locate the policy you want to assign. Click the Name link to open the Usage Policy: PolicyName page.

  3. Select the Grantees tab.

  4. Locate the user or group name in the Grantees table, and then click that grantee's account name (an active link) to open the account.

  5. When the "Account: AccountName" page is displayed, click the Grants tab.

  6. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  7. Click Apply to add your changes.

10.3.7 Deleting Usage Policies

Note:

You cannot delete the Default Usage Policy.

To delete a Usage Policy,

  1. Locate and select the policy to be deleted.

  2. Click the Delete icon.

  3. When the Confirm Remove dialog box is displayed, click the Remove button.

    The policy is immediately deleted. If you had any accounts assigned to that policy, they will all revert to using the Default Usage Policy.