STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NDM Security Technical Implementation Guide

V-284522

CAT I (High)

The Ivanti Policy Secure must be configured to map group definitions to role assignments for administrators based on access authorizations.

Rule ID

SV-284522r1244928_rule

STIG

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001499CCI-000213CCI-001368CCI-002111CCI-000163CCI-000164CCI-001493CCI-001494CCI-001495CCI-002130CCI-001199CCI-000213

Discussion

Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable nonauthorized users to make changes to software libraries, audit tools, and system software, these changes could be implemented without undergoing testing, validation, and approval. Satisfies: SRG-APP-000133-NDM-000244, SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000231-NDM-000271

Check Content

1. In the Ivanti Policy Secure Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
2. Click the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins.
3. View the "Role Mapping" tab. 

If there are not two group definitions to Role Assignments for Admin and Read-Only, this is a finding.

Fix Text

Configure the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins.

1. In the Ivanti Policy Secure Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
2. Select the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins.
3. Click "Role Mappings".
4. Click "New Rule".
5. Click "Rule Based" on Group Membership".
6. Click "Update".
7. Type a name for the admin group.
8. Under available groups, select the LDAP group for admins (e.g., "ivanti.admins.gsg"). If no groups currently exist in the window, click "Groups" and add the group from the LDAP directory window that pops up.
9. Under "Available Roles", select ".Administrators".
10. Click "Save Changes".
11. Click "New Rule".
12. Click "Rule Based" on "Group Membership".
13. Click "Update".
14. Type a name for the read-only group.
15. Under available groups, select the LDAP group for nonadmins (e.g., "ivanti.ROadmin.gsg"). If no groups currently exist in the window, click "Groups" and add the group from the LDAP directory window that pops up.
16. Under "Available Roles", select ".Read-Only Administrators".
17. Click "Save Changes".