Resource Targets and Collections

A Resource Target in Privilege Manager is a specified set of computers that meet certain criteria (e.g., type of operating system or location of the computers), meant to be used as targets for policies or scheduled tasks. To make a policy apply to a certain set of computers, you need a resource target comprising that set of computers, and you need to assign that resource target to the policy (or, to state it differently, assign the policy to the resource target).

There are several built-in resource targets (for example, "All 64-bit Windows Computers with Application Control Agent Installed") that can be used when defining policies so that users generally do not need to create custom resource targets. However, there are cases when the latter is needed and, toward that end, this article focuses on user defined resource targets.

If you need to modify any items within Privilege Manager, duplicate the item and modify the duplicate instead of the built-in item so that an upgrade does not overwrite it.

This topic also briefly touches upon collections, a concept related to resource targets.

Resource targets are not the only kind of targets that can be assigned to policies; one could also assign an application filter to a policy to make the policy apply to the application file included in the filter.

User Defined Resource Targets

Targets are defined by starting with all known computers and then adding filters to narrow down the set (and, after an initial narrowing down, expanding it in some way if needed).

You could create unique targets for all your policies, but if you want to create a target to be reused across multiple policies, it will be more practical to follow these steps.

Interface to View or Create/Modify User Defined Targets

In the Privilege Manager console, navigate to Admin | Resources. On the Resources page select the Resource Filters tab, then in the tree go to Resource Filters | Resource Targets | User Defined Targets, and select either macOS or Windows.

If you have already created user defined targets, they are listed here, and you can modify any of them by clicking the name and then editing the definition.

Performance Considerations

Resource Targets are reevaluated when the scheduled task Collection and Resource Targeting Update runs. This operation is expensive for large numbers of computers. To keep performance high, we suggest that you keep the overall number of targets to a minimum. Also note that targets with simpler definitions are generally less expensive.

After you have created an Active Directory (AD) instance in Privilege Manager, you need to import computers (computer records, to be more precise).

  1. Navigate to Admin | Configuration | Foreign Systems.

  2. Select your AD instance and navigate to the Synchronization tab.

    1. Under Import select which objects you want to import from your AD instance.

      • If you select Computers, the default import task also imports the Organization Units (OU) to which the computers belong.

      • If you select LDAP query, enter the query in the text field.

    2. Under Connectivity select your import path. Import either directly from the server (as long as a domain controller can be reached on the network) or by using an on-premises computer running the Directory Services Agent (AD).

  3. Click Save.

After the task completes, navigate to Admin | Resources and select the Resource tab. In the tree under Organizational Views | Active Directory Domains | (your AD name), you should be able to see your OUs and computers.

These OUs are what you can select using the "Group" option, for "List Type", when building a target.

Changes made in AD are not immediately reflected in Privilege Manager. Set up scheduled tasks to periodically import changes. The operation can be long-running for large domains, so be careful about the frequency with which you schedule the import.
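
An added example, not part of the original page or the product's own tooling: before entering an LDAP query in the import settings, the same filter can be previewed with the ActiveDirectory PowerShell module to see how many computer records it matches and which OUs they sit in, which helps gauge how long the import may run. It assumes the query field takes a standard LDAP filter; the filter and search base below are constructed placeholders.

```powershell
# Added example: preview an LDAP filter before using it as an import query.
# Requires the ActiveDirectory module (RSAT). All values below are constructed.
Import-Module ActiveDirectory

# Constructed filter: enabled computer accounts running a Windows Server OS.
# The matching rule 1.2.840.113556.1.4.803 is a bitwise AND; bit 2 = disabled.
$LdapFilter = '(&(objectCategory=computer)(operatingSystem=Windows Server*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Placeholder search base; replace with your own domain's distinguished name.
$SearchBase = 'DC=example,DC=com'

$computers = Get-ADComputer -LDAPFilter $LdapFilter -SearchBase $SearchBase `
    -Properties operatingSystem -ResultPageSize 500

# How many computer records would the filter match?
$total = @($computers).Count
Write-Output "Filter matches $total computer objects"

# Break the matches down by parent OU/container: everything after the first
# unescaped comma of the distinguished name.
$computers |
    Group-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

An unexpectedly large count or an unfamiliar OU in the breakdown is a sign the filter is broader than intended and should be tightened before it is scheduled.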

Assigning Policies to Targets

To assign a policy to your target (or, better put, to add your target to a policy), find the policy on the Policies page and edit the Policy Details. Use the Add and Edit options to modify your policy.

Refer to Application Policies for details about Policy Administration.

Collections

A collection is a predefined list of computers. A collection is often meant to act as a filter and hence is also sometimes referred to as a filter.

Collections are typically defined by an SQL query that returns a list of computer IDs or other resource IDs.

Built-in collections are available in Privilege Manager, for example, "All x64 Windows Computers" and "Domain Controllers."

User defined collections are possible but typically expected to be created by Privilege Manager professional services, on behalf of a user, rather than directly by a user. Users are encouraged to define custom targets using existing (built-in) collections, groups, and fixed lists rather than creating new collections.