A Policy Object is a collection of administrative policies that specifies the business rules to be enforced. A Policy Object includes stored policy procedures and specifications of events that activate each procedure.
A Policy Object associates specific events with its policy procedures, which can be built-in procedures or custom scripts. This provides an easy way to define policy constraints, implement sophisticated validation criteria, synchronize different data sources, and perform a number of administrative tasks as a single batch.
Active Roles enforces business rules by linking Policy Objects to:
-
Administrative views (Active Roles Managed Units)
-
Active Directory containers (Organizational Units)
-
Individual (leaf) directory objects, such as user or group objects
By choosing where to link a Policy Object, you determine the policy scope. For example, if you link a Policy Object to a container, all objects in the container and its sub-containers are normally subject to the Policy Object.
You can link different Policy Objects to different containers to establish container-specific policies. You may need to do so if each Organizational Unit uses a dedicated Exchange Server to store mailboxes or file server to store home folders.
You can also link a Policy Object to a leaf object, such as a user object. As an example, consider a policy that prohibits changes to group memberships when copying a certain user object.
Policy Objects define the behavior of the system when directory objects are created, modified, moved, or deleted within the policy scope. Policies are enforced regardless of administrative rights of a user performing a management task. It is important to understand that even those who have administrator rights to Active Roles itself are forced to abide by administrative policies once they are enforced.
The Active Roles Console provides separate wizards for creating Policy Objects both for provisioning and deprovisioning. You can start the wizards from the Administration container, located under Configuration > Policies in the Console tree:
-
To configure provisioning policies, right-click Administration in the Console tree, and select New > Provisioning Policy.
-
To configure deprovisioning policies, right-click Administration in the Console tree, and select New > Deprovisioning Policy.
If you need to manage a large number of Policy Objects, it is advisable to create containers that hold only specified Policy Objects for easy location: In the Console tree, right-click Administration and select New > Container. Then, you can use wizards to create Policy Objects in that container: Right-click the container and select New > Provisioning Policy or New > Deprovisioning Policy.
On the Welcome page of the wizard, click Next. Then, on the Name and Description page, type a name and description for the new Policy Object. The Active Roles Console will display the name and description in the list of Policy Objects in the details pane.
Click Next to continue. This displays a page where you can select the policy you want to configure. The list of policies depends on whether you are creating a Provisioning Policy Object or Deprovisioning Policy Object.
Figure 38: Provisioning policies
On the Policy to Configure page, select the type of policy you want to add to the Policy Object. When the type is selected, its description is displayed in the lower box.
Click Next to configure the policy. The steps involved in configuring a policy depend on the policy type. For more information on how to configure policies, see Policy configuration tasks.
When you are done with configuring a policy, the wizard presents you with a page where you can specify the policy scope. You have the option to complete a list of containers or Managed Units on which you want the policy to be enforced. This step is optional because you can configure the policy scope after creating the Policy Object. For more information, see Applying Policy Objects.
Click Next, and then click Finish to complete the wizard. This creates the new Policy Object.
To create a Policy Object
-
In the Console tree, under Configuration > Policies > Administration, locate and select the folder in which you want to add the Policy Object.
You can create a new folder as follows: Right-click Administration and select New > Container. Similarly, you can create a sub-folder in a folder: Right-click the folder and select New > Container.
-
Right-click the folder, point to New, and then click Provisioning Policy or Deprovisioning Policy.
-
On the Welcome page of the wizard, click Next.
-
On the Name and Description page, do the following:
-
In the Name box, type a name for the Policy Object.
-
Under Description, type any optional information about the Policy Object.
Click Next.
-
On the Policy to Configure page, select a policy type, and click Next to configure policy settings.
-
On the Enforce Policy page, you can specify the objects to which this Policy Object is to be applied:
-
Click Next, and then click Finish.
NOTE: Consider the following when creating Policy Objects: