To add a policy to a Policy Object
- In the console tree, under Configuration | Policies | Administration, locate and select the folder that contains the Policy Object you want to modify.
- In the details pane, right-click the Policy Object, and then click Properties.
- On the Policies tab, click Add to start a wizard that helps you configure a policy.
- On the Welcome page of the wizard, click Next.
- On the Policy to Configure page, select the type of the policy you want to add.
- Configure policy settings. For instructions, see Policy configuration tasks.
|
NOTE:
- The Policies tab lists the policies that are configured in the Policy Object. You can use the Policies tab to add, modify, or delete policies from the Policy Object.
- Active Roles processes policies in the order they are listed on the Policies tab. To change the order, select a policy and click or to move the policy up or down in the list.
- Once a Policy Object is applied within Active Roles to determine policy settings in the directory, any changes to the list of policies in the Policy Object causes the policy settings in the directory to change accordingly.
|
To view or modify a policy in a Policy Object
- In the console tree, under Configuration | Policies | Administration, locate and select the folder that contains the Policy Object you want to examine.
- In the details pane, right-click the Policy Object, and then click Properties.
- On the Policies tab, select the policy you want to view or modify, and click View/Edit.
- Use the tabs in the Policy Properties dialog box to view or modify policy settings.
The tabs in the Policy Properties dialog box provide the same options as the wizard for configuring the policy. See Policy configuration tasks for information about the options specific to each type of policy.
|
NOTE:
- The Policies tab lists the policies that are configured in the Policy Object. You can use the Policies tab to add, modify, or delete policies from the Policy Object.
- Active Roles processes policies in the order they are listed on the Policies tab. To change the order, select a policy and click or to move the policy up or down in the list.
|
To delete a policy from a Policy Object
- In the console tree, under Configuration | Policies | Administration, locate and select the folder that contains the Policy Object you want to modify.
- In the details pane, right-click the Policy Object, and then click Properties.
- On the Policies tab, select the policy you want to delete, click Remove, and then click Yes to confirm the deletion.
|
NOTE:
- The Policies tab lists the policies that are configured in the Policy Object. You can use the Policies tab to add, modify, or delete policies from the Policy Object.
- Once a Policy Object is applied within Active Roles to determine policy settings in the directory, any changes to the list of policies in the Policy Object causes the policy settings in the directory to change accordingly.
|
Implementing a policy to enforce business rules is a two-phase process where configuring the policy within a Policy Object is only the first step. When you create a new policy, you select a policy type from the available options and then define the options that make up the policy. The second step is to use the Active Roles console to enforce the policy on the desired areas of the directory.
Active Roles allows policies to be enforced on any directory object—an administrative view (Managed Unit), a directory folder (container), or an individual (leaf) object. Policies are enforced by applying (linking) a Policy Object that holds the policies.
When you apply a Policy Object to a Managed Unit or directory folder, the policies control the objects in that Unit or folder as well as the Unit or folder itself. When you apply a Policy Object to a leaf object, such as a user or group, the policies only control that object. For example, applying a Policy Object to a group does not affect the members of the group.
The objects that are subject to a given Policy Object, that is, the objects under control of the policies defined in that Policy Object, are collectively referred to as policy scope. For example, if you apply a Policy Object to a Managed Unit, the policy scope is composed of the objects within the Managed Unit.
Thus, the policy scope normally includes all objects that reside in a container or Managed Unit to which the Policy Object is applied. However, sometimes you may need to exclude individual objects or sub-containers from the policy scope, thereby preventing certain objects from being affected by policies.
Active Roles gives you the option to selectively exclude objects or entire containers from the policy scope. You can block policy inheritance on individual objects or containers, refining the policy scope. The option to block policy inheritance is discussed later in this section (see Managing policy scope).
To apply a Policy Object, you can start from any of the following points:
- Policy Object. Add Managed Units or containers to the policy scope of the Policy Object.
- Directory object. Add the Policy Object to the policy list for the directory object.
The following two sections elaborate on each of these options.