Symantec Privileged Access Management

  • 1.  Host and Loginappl together

    Posted Mar 30, 2017 10:25 AM

    I am searching for a solution for a customer request. Right now, he uses loginappl to control who can log in from any machine. For instance,

    auth LOGINAPPL ssh gid(sysadmin) acc(X)

    Unfortunately, he cannot use loginappl to control where the login request comes from.

    Now, he needs to allow any users connected from a specific host, for instance hermes, via ssh. I am thinking of using a rule like,

    authorize TCP ssh uid(*) host(hermes) access(write)

    Can these two policies work together to meet the request of the customer? When an ssh request comes from hermes, it is allowed for any user. When the request comes from other hosts, loginappl will control.

    Thanks



  • 2.  Re: Host and Loginappl together

    Posted Mar 30, 2017 03:04 PM

    With the limited information that has been provided, the loginappl rule will allow access to the host that contains this rule by ssh for a user that is a member of the group (sysadmin). It would not control where the login request comes from.

    The TCP rule allows the ssh service on the host where this rule resides to access the host 'hermes' for all users.

    With the information provided I cannot say for sure it will meet the requests; you may want to look into using the HOST class for this request.



  • 3.  Re: Host and Loginappl together

    Posted Mar 30, 2017 04:09 PM

    Thanks for your quick reply.

    Can you give me an example of creating a new host object with a Services reference? The documentation for the host class section gives no example.

    The only way I have found is the one given in my question:

    - Define a host

    - Define a TCP

    - auth the TCP to the host.

    Thanks