Set exceptions for a remote action security policy

A remote action security policy can contain exceptions, which allow or deny remote automatic actions for specific source and target nodes. These exceptions override your choices on the General tab.

After you the deploy the remote action security policy to a management server, the management server evaluates the remote automatic actions in incoming messages against the exceptions. It evaluates the exceptions in the order that you specify, and applies the first exception that matches. If no exception matches, the management server allows or denies the action according to your choices on the General tab.

To set exceptions for a remote action security policy

In the remote action security policy editor, click the Exceptions tab.
Click New.... The Exception properties dialog box opens.
Optional. Type a short Description to identify the exception.
Specify source nodes. You can either select specific nodes or node groups, or specify a pattern that matches the names of many nodes or node groups.
- To select specific nodes:
  1. Click Add Nodes .... A dialog box opens that contains a tree of nodes and node groups.
  2. Select individual nodes or node groups. (You can select node groups in this dialog box to quickly add all the individual nodes in that are currently in the group.)
  3. Click OK.
- To select specific node groups:
- 1. Click Add Group .... A dialog box opens that contains a tree of node groups.
  2. Select node groups, and then click OK.
- To specify a pattern to match the names of nodes or node groups:
  1. Click Add Pattern.... The Edit Node / Group dialog box appears.
  2. Type a Matching string. The string can contain any characters and pattern matching expressions. You can type the pattern or insert expressions by clicking the > button, and then clicking Matching expressions. Click one of the expressions that appears.
  3. Click Type to select the whether to apply the match string to node name or node group.
  4. Click OK.
To change an existing match string, click it in the list, and then click Edit....
Click the Target tab, and then specify target nodes. In the same way that you specify source nodes, you can either select specific target nodes or node groups, or specify a pattern that matches the names of many nodes or node groups.
To allow actions if the target node is the same as the node that sent the message, in the Target tab, select the on source node check box.

Normally, if the target node of an automatic-action is the same as the node that is sending the message, the agent runs the action immediately on the node, and the management server receives the action response. However, in some cases the agent does not run the action automatically and the management server is responsible for starting the automatic-action remotely. This can happen, for example, if the action contains variables that the management server must resolve, or if a message passes through the message stream interface on the agent. This check box enables you to allow this type of remote action.
In Policy action choose one of the following options:
- Click Deny to disallow remote automatic actions when the source and target node match the criteria in this exception.
- Click Allow to allow remote automatic actions when the source and target node match the criteria in this exception.
  
  Optional. HTTPS agents run policies that the management server secures using certificates. If someone tampers with an policy or the action that it contains, the policy becomes invalid. To allow remote automatic actions from HTTPS agents only, select the Only certified check box. No remote automatic actions from DCE agents are allowed.
Click OK. You return to the remote action policy editor.
Optional. Add further exceptions. To reorder the exceptions, click an exception in the list, and then click Move Up or Move Down.
Save the policy, and then deploy it to the management server that you want to configure.

Related Topics: