How SPP evaluates policy when a user submits an access request
An entitlement defines which users are authorized to check out passwords for accounts in the scope of the account's policies. A policy defines scope (that is, which accounts) and the rules for checking out passwords, such as the duration, how many approvals are required, and so on.
It is possible for an account to be governed by more than one entitlement, or is in the scope of more than one policy within an entitlement. When evaluating which policy governs a request to grant access, SPP first determines if the request has Emergency Access and evaluates against only those policies which permit Emergency Access. It then considers the time for which the request is being made and further evaluates against only those policies which have Time Restrictions that permit the request. Finally, if there is a conflict between the remaining policies, it uses Priority to determine which policy should govern the request.
Example scenario:
- Entitlement A (priority 1)
- Policy: Week Day Policy.
- Policy time restrictions: Monday through Friday 08:00 to 17:00.
- Scope: AccountX
- Policy: Week Day Policy.
- Entitlement B (priority 2)
- Policy 1: Sunday AM (priority 1)
- Policy time restrictions: Sunday 08:00 to 12:00.
- Scope: AccountX
- Policy 2: Sunday PM (priority 2)
- Policy time restrictions: Sunday 13:00 to 17:00.
- Scope: AccountX
- Policy 1: Sunday AM (priority 1)
Notice that AccountX is in the scope of all three of these policies.
If a user requests the password for AccountX for Sunday at 16:00, SPP first considers Entitlement A because it is priority 1. When it determines that the policy time restrictions prevent the password release, it then considers Entitlement B.
SPP first considers Entitlement B's priority 1 policy. When it determines that the time restrictions prevent the password release, it then considers Policy 2. Once the request is satisfied, SPP grants the request.
However, if the hours in Entitlement B's Policy 1 were instead 08:00 to 17:00 then Policy 1 would be preferred because it has a higher priority. And if Entitlement B's Policy 2 was instead configured to allow Emergency Access, and the request being made had Emergency Access, then Policy 1 (though it has a higher priority of 1) would be eliminated from the selection and Policy 2 would again be preferred.