POLICY LANGUAGE GUIDE

What is policy language?

Security Policy Scripting Language (also referred to as "policy language") is the specialized scripting language that BeyondTrust Endpoint Privilege Management (EPM) uses to define policies. A policy is a set of rules, written in this syntax, that governs which users may run which commands, on which hosts, and with what privileges within the BeyondTrust platform.

How is policy language useful to my organization?

Use policy language to define detailed security policies to control which users can execute specific commands, applications, or tasks with elevated privileges on a system. Using the scripting language, create security policy files to control:

  • the tasks a user or group of users may perform,
  • the systems from which a task may be submitted (submit hosts), and
  • the systems on which a task may be run (run hosts),

and determine:

  • when a specific task may be run (day and time),
  • where a task may be run from,
  • if secondary security checks, such as passwords or checksums, are required to run a task, and
  • if one or more supplemental security programs are run before a task is started.

Prerequisites

  • a basic understanding of Unix or Linux system administration
  • some experience with a scripting or other computer language

EPM-UL default policy

EPM-UL is configured with a default policy you can use as a starting point when creating a policy for your organization. This default policy contains the following roles; some are enabled by default, and others you must enable yourself. You can configure these roles to add more users, hosts, and commands to them as described throughout the EPM-UL User Guide.

The policy ends with a fall-through rule that accepts every remaining request with the submitting user as the run user, that is, without any privilege escalation.

Default policy best practice

We suggest using the Demo role as the starting point for your policy. You can enable or disable any of the roles listed below by setting the corresponding "EnableRole" variable to true or false. Before enabling a role in production, narrow its user, host, and command lists: several of the shipped defaults (for example, DemoUsers and DemoHosts) match every user and every host.

Policy roles

Demo role

Default: disabled

Allows users in DemoUsers (default all users) to run commands in DemoCommands (default id and whoami) as root on any host in DemoHosts (default all hosts).

Helpdesk role

Default: enabled

Invoking pbrun helpdesk allows any user in HelpdeskUsers (default root) to start a help desk menu as root on any host in HelpdeskHosts (default submithost only). The help desk action menu offers a:

  • list of processes (ps -ef),
  • check of whether a machine is up (ping),
  • list of current users on the host (who -H), and a
  • display of the host's IP settings (ifconfig -a).

PBTest

Default: enabled

pbrun pbtest is accepted for all users on all hosts so that connectivity and policy processing can be checked without granting any privilege.

Admin role

Default: enabled

Allows users in AdminUsers (by default root) to run any command on runhosts in AdminHosts (by default only submithost).
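The following policy fragment is an added example, not the default policy shipped with EPM-UL, showing how the Demo and Admin roles described above, the day-and-time control mentioned under "How is policy language useful", and the closing no-escalation fall-through fit together in policy language. The variable names (EnableDemoRole, DemoUsers, DemoCommands, DemoHosts, EnableAdminRole, AdminUsers, AdminHosts), the sample user and host names, and the use of the dayname and hour policy variables are assumptions for illustration; check them against the policy file and the policy variable reference for your version.

```text
# Added example policy; not the shipped pbul_policy.conf.
# Variable names below are assumptions modelled on the role names in this guide.

# ---------- Demo role (disabled by default) ----------
EnableDemoRole = false;
DemoUsers      = {"alice", "bob"};        # constructed sample users; default is all users
DemoCommands   = {"id", "whoami"};        # harmless commands used for demonstration
DemoHosts      = {"lab01", "lab02"};      # constructed sample hosts; default is all hosts

if (EnableDemoRole &&
    user in DemoUsers &&
    basename(command) in DemoCommands &&
    runhost in DemoHosts) {
    runuser = "root";                     # escalate only for the listed commands
    accept;
}

# ---------- Admin role (enabled by default) ----------
EnableAdminRole = true;
AdminUsers = {"root"};
AdminHosts = {submithost};                # run only on the host the request came from

if (EnableAdminRole && user in AdminUsers && runhost in AdminHosts) {
    # "When" control: allow only on weekdays between 08:00 and 17:59.
    # dayname and hour are assumed read-only policy variables; verify for your version.
    if (dayname == "Sat" || dayname == "Sun" || hour < 8 || hour >= 18) {
        reject;
    }
    runuser = "root";
    accept;
}

# ---------- Fall-through ----------
# Anything not matched above runs as the submitting user, with no escalation.
runuser = user;
accept;
```

Each role follows the same shape: a boolean switch, three lists (who, what, where), and an if block that sets runuser and accepts only when every list matches. Keeping the lists explicit and the reject inside the role block, rather than relying on the fall-through, is what prevents a request that narrowly misses a role from silently escalating.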


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.