IBM Support

User defined resource targets and collections

Product Documentation


Abstract

A Resource Target in Privilege Manager is a specified set of computers that meet certain criteria, for example a type of operating system or a computer location, and that is meant to be used as a target for policies or scheduled tasks. To make a policy apply to a set of computers, you need a resource target that consists of that set of computers, and you assign that resource target to the policy. In short, you assign the policy to the resource target.

Content

There are several built-in resource targets, for example, All 64-bit Windows Computers with Application Control Agent Installed. You use the built-in resource targets when you define policies, so users generally do not need to create custom resource targets. However, there are cases when you do require custom resource targets. This article focuses on creating these user defined resource targets.
The article also discusses collections, which is a concept that is related to resource targets.
In the following section, the term resource target is abbreviated to just target. Resource targets are not the only kind of targets that can be assigned to policies. You can also assign an application filter to a policy to make the policy apply to the application file that is included in the filter.

User defined resource targets

Targets are defined by starting with all known computers. Add filters to narrow down the set.
You create unique targets for all your policies. If you want to create a target that you can reuse across multiple policies, consider the guidelines that are discussed.

Interface to view, create, or modify user defined targets

In the Privilege Manager console, select the Admin menu and click More. On the Administration page select Resources.  On the Resources page, select the Resource Filters tab, then in the tree go to Resource Filters > Resource Targets > User Defined Targets, and select either MacOS or Windows.
If you already have user defined targets (having created them previously), you will see them listed here. You can modify any of them by clicking the name and then editing the definition.
To create a new target, click Add New on the right, enter a name and description, and then click Create.
Note: A Computer Group, like a Resource Target, is also a specified set of computers. Consider it as another way to refer to Resource Targets. A computer group can be viewed, created, and modified from the Local Security home page. If you create a computer group in Local Security, you see it listed in the User Defined Targets node of the Resource Filters tree. However, in this article we are not referring to the Local Security interface for defining Resource Targets. The focus is to define targets for policies, which is a feature that is related to Application Control.

Target Definition

After you click Create, the target page is displayed. The page provides an interface for defining the target. On the target page, click Edit and make sure you are on the Filter Rules tab. You can add rules to define the target, by using the drop-down fields in the Operation and List Type columns.

Operation

You start with all computers and apply filters to get the desired set.  You can apply the following operations:

Only Keep Computers in:  This is an intersect operation.  Only computers in both the current working set and the given list/collection are kept.
Include Computers in:  This is an add operation.  The computers in the given list or collection are added to the current working set.
Exclude Computers in:  This is a subtract operation.  Any computers in the excluded list or collection are removed from the current working set.

List Type

Collection: A collection is a predefined list of computers.  A collection is often meant to act as a filter and hence is also sometimes referred to as a filter. See Collections.
Computer List:  This is a fixed list specified for the target being defined.
Group:  This is most often used to select a group of computers like an Active Directory Organizational Unit. See Active Directory.

Parameters
TIP: You can select View Parameters to enter search text to help you find a computer.
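
The three operations behave like set algebra over a working set. The following is an added example, not IBM or Privilege Manager code, that models them in Python. It assumes rules are evaluated top to bottom; the computer names, the OU=Finance group and the Pilot exceptions list are constructed for illustration.

```python
# Added example, not product code. Assumption: filter rules are evaluated
# top to bottom against a working set that starts as all known computers.
OPERATIONS = {
    "Only Keep Computers in": lambda working, listed: working & listed,  # intersect
    "Include Computers in": lambda working, listed: working | listed,    # add
    "Exclude Computers in": lambda working, listed: working - listed,    # subtract
}

def evaluate_target(all_computers, rules, sources):
    """Apply ordered (operation, list_type, name) rules; return (set, trace)."""
    working, trace = set(all_computers), []
    for operation, list_type, name in rules:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation: {operation!r}")
        if (list_type, name) not in sources:
            raise KeyError(f"undefined {list_type}: {name!r}")
        working = OPERATIONS[operation](working, sources[(list_type, name)])
        trace.append((operation, name, sorted(working)))
    return working, trace

# Constructed inventory; computer, OU and list names are hypothetical.
ALL = {"WS-01", "WS-02", "WS-03", "SRV-01", "DC-01", "MAC-01"}
SOURCES = {
    ("Collection", "All x64 Windows Computers"):
        {"WS-01", "WS-02", "WS-03", "SRV-01", "DC-01"},
    ("Collection", "Domain Controllers"): {"DC-01"},
    ("Group", "OU=Finance"): {"WS-01", "WS-02", "DC-01"},
    ("Computer List", "Pilot exceptions"): {"WS-03", "DC-01"},
}
X64 = ("Only Keep Computers in", "Collection", "All x64 Windows Computers")
FINANCE = ("Only Keep Computers in", "Group", "OU=Finance")
NO_DCS = ("Exclude Computers in", "Collection", "Domain Controllers")
PILOT = ("Include Computers in", "Computer List", "Pilot exceptions")

def compare_orderings():
    """Same four rules, two orders: exclusion last vs. before an include."""
    safe, _ = evaluate_target(ALL, [X64, FINANCE, PILOT, NO_DCS], SOURCES)
    leaky, _ = evaluate_target(ALL, [X64, FINANCE, NO_DCS, PILOT], SOURCES)
    return safe, leaky

if __name__ == "__main__":
    safe, leaky = compare_orderings()
    print("exclude last :", sorted(safe))    # DC-01 stays out of scope
    print("exclude early:", sorted(leaky))   # DC-01 re-added by the include
```

Under that ordering assumption, an Exclude rule placed before a later Include can bring an excluded computer back into the target, so review the final membership of a target before assigning a policy to it.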


Performance considerations

Resource Targets are reevaluated when the scheduled task Collection and Resource Targeting Update runs.  This operation is expensive for large numbers of computers.  To keep performance high, it is suggested that you keep the overall number of targets to a minimum.  Also note that targets with simpler definitions are generally less expensive.

Active Directory and Resource Targets

Note: This documentation only covers Active Directory (AD) as it applies to targets and collections. For other information about Active Directory, see Privilege Manager - Active Directory synchronization.

After you create an Active Directory (AD) instance in Privilege Manager, you must import computers or computer records. To open your Active Directory instance, go to Admin > Configuration > Foreign Systems, select your domain, then click your AD name. Select the Synchronization tab. Run the task Default Import Directory Computers.
 

Note:  Default Import Directory Computers imports computers and also imports the Organizational Units (OU) to which they belong.  Default Import Directory imports only organization structure and security-related information such as users.

After the task completes, go to Admin > More. Select Resources, then the Resource tab. In the navigation tree, browse to Organizational Views > Active Directory Domains > (your AD name). You should now see your OUs and computers.

When you build a target, these OUs are what you can select by using the Group option, for List Type.

Note: Changes made in Active Directory are not immediately reflected in Privilege Manager. Run the Default Import Directory Computers task again to import changes. You can search for Default Import Directory Computers, edit the task, and add a schedule to automatically import updates. The operation can be long-running for large domains, so consider how frequently you schedule the import.


Assigning policies to targets

To assign a policy to your target, find the policy on the Policies page and click Edit. If you are using the Simple Policy View, locate the Targets tab. If you are using the Advanced Policy View, find the Conditions tab. You can remove existing targets by clicking the trash icon. Select Add Resource Target, find your target, select it, click Add, and then click Save.

Collections

A collection is a predefined list of computers.  A collection is often meant to act as a filter and hence is also sometimes referred to as a filter.
Collections are typically defined by an SQL query that returns a list of computer IDs or other resource IDs.
 
Built-in collections are available in Privilege Manager, for example, All x64 Windows Computers and Domain Controllers.
User defined collections are possible but are typically expected to be created by Privilege Manager professional services on behalf of a user. They are not created directly by a user. It is suggested that you define custom targets by using existing built-in collections, groups, and fixed lists instead of creating collections.

Document Location

Worldwide


Document Information

Modified date:
30 April 2019

UID

ibm10880493