Command Control Policies

Command Control lets Administrators limit, by whitelist or blacklist, the commands that can be executed in both Windows and Unix remote in-browser sessions.

In addition to restricting the commands themselves, Command Control can restrict command arguments and what can, cannot, or must be “piped” to commands.

Special forbidden sequences and meta-commands are run under Command Control policies.

Create Command Control Policies

Any user who has been granted the global System Administrator role may access and modify the Command Control policies, located at Administration > Command Control.

To create a new policy, navigate to Administration > Command Control and click the Create button. 

Create your policy by entering the values as required.

Name

Enter a unique but descriptive name for your policy.

When applying the policy, users select it by name only, from a dropdown menu.

Description

Enter a description for your policy.

Control Type

Select either Whitelist or Blacklist.

Next, click the Add Command button to begin configuring your white- or blacklist policy.

Command

Enter the command to be included in this policy.

Add/Remove Argument

Optionally, add or remove argument(s) to be included with the command.

Type

Select Include or Exclude to apply to the argument above.

For example, if you want to restrict commands for your Cisco device so that the user may only execute show version (i.e. whitelist), the following configuration can be used:

Command

show

Add/Remove Argument

version

Type

Include

You may repeat the process to add additional commands to this policy or click Save to complete the policy creation.
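
An added illustration (not the product's own code or matching logic): a small Python model of how a policy such as the show version whitelist above could be evaluated against typed command lines. It assumes the first token is the command, an Include argument must be present and an Exclude argument must be absent, and that each segment of a piped or chained line is checked separately; Rule, Policy and allows are hypothetical names.

```python
import shlex
from dataclasses import dataclass, field

SEPARATORS = set("|&;()<>")  # the characters shlex splits out as punctuation

@dataclass
class Rule:
    command: str
    # (argument, "Include" | "Exclude") pairs, mirroring the Argument and Type fields
    arguments: list = field(default_factory=list)

    def matches(self, tokens):
        if not tokens or tokens[0] != self.command:
            return False
        for arg, kind in self.arguments:
            # Assumed semantics: Include = must be present, Exclude = must be absent.
            if (arg in tokens[1:]) != (kind == "Include"):
                return False
        return True

@dataclass
class Policy:
    control_type: str  # "Whitelist" or "Blacklist"
    rules: list

    def allows(self, line):
        lex = shlex.shlex(line, posix=True, punctuation_chars=True)
        lex.whitespace_split, lex.commenters = True, ""
        try:
            tokens = list(lex)
        except ValueError:  # unbalanced quote: refuse rather than guess
            return False
        # Split at pipes and chaining operators so that every segment is
        # judged on its own (an assumption of this model).
        segments, current = [], []
        for tok in tokens:
            if tok and set(tok) <= SEPARATORS:
                segments.append(current)
                current = []
            else:
                current.append(tok)
        segments.append(current)
        segments = [s for s in segments if s]
        hits = [any(r.matches(s) for r in self.rules) for s in segments]
        if self.control_type == "Whitelist":
            return bool(segments) and all(hits)  # every segment must be listed
        return not any(hits)                     # no segment may be listed

# The Cisco example from the text: whitelist, Command "show", Argument "version", Type Include.
cisco = Policy("Whitelist", [Rule("show", [("version", "Include")])])
```

In this model, cisco.allows("show version") is True, while "show running-config" and "show version; reload" are both refused because a segment falls outside the whitelist.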

Edit or Delete Command Control Policies

To edit or delete an existing policy, navigate to Administration > Command Control and click the Edit or Delete button next to your desired policy.

If editing a policy, be sure to click the Save button when you are finished with your modifications.

Apply Command Control Policies

Command Control policies are applied to Record Types or individual Records to ensure user commands are limited when remote sessions are active.

Apply Policies to Record Types

Applying a Command Control policy to a Record Type causes the policy to be inherited by all records that use this type. To apply the policy to a Record Type:

  1. Navigate to Administration > Record Type and click the Edit button for the desired Record Type.

  2. On the Record Type’s Edit page, click the Command button.

  3. On the Command Control page, click the Add button.

  4. Enter the principal(s) that should have the policy applied and then click the Add button.

  5. Select the desired policy by name from the Command Control dropdown menu.

  6. Click the Select button to apply the policy.

  7. Review the policy as configured and finally click the Save button to apply it to the Record Type.

    To remove a policy, select the applied Policy by checking the box to its left and then clicking the Remove button.

    Finally, click the Save button to finalize the update.

Apply Policies to Records

Applying a Command Control policy to an individual Record makes the policy apply to a specific host or user rather than to all hosts.

To apply the policy to a Record:

  1. Navigate to the record and choose the option Manage > Command Control.

  2. If the inheritance is not already broken, then click the Make Unique button.

  3. On the Command Control page, click the Add button.

  4. Enter the principal(s) that should have the policy applied and then click the Add button.

  5. Select the desired policy by name from the Command Control dropdown menu.

  6. Click the Select button to apply the policy.

  7. Review the policy as configured and finally click the Save button to apply it to the Record.

    To remove a policy, select the applied Policy by checking the box to its left and then clicking the Remove button.

    Finally, click the Save button to finalize the update.