To view or modify a policy in a Policy Object
The tabs in the Policy Properties dialog box provide the same options as the wizard for configuring the policy. See Policy configuration tasks for information about the options specific to each type of policy.
To delete a policy from a Policy Object
Implementing a policy to enforce business rules is a two-phase process of which configuring the policy within a Policy Object is only the first step. When you create a new policy, you select a policy type from the available options and then define the options that make up the policy. The second step is to use the Active Roles console to enforce the policy on the desired areas of the directory.
Active Roles allows policies to be enforced on any directory object—an administrative view (Managed Unit), a directory folder (container), or an individual (leaf) object. Policies are enforced by applying (linking) a Policy Object that holds the policies.
When you apply a Policy Object to a Managed Unit or directory folder, the policies control the objects in that Unit or folder as well as the Unit or folder itself. When you apply a Policy Object to a leaf object, such as a user or group, the policies only control that object. For example, applying a Policy Object to a group does not affect the members of the group.
The objects that are subject to a given Policy Object, that is, the objects under control of the policies defined in that Policy Object, are collectively referred to as policy scope. For example, if you apply a Policy Object to a Managed Unit, the policy scope is comprised of the objects within the Managed Unit.
Thus, the policy scope normally includes all objects that reside in a container or Managed Unit to which the Policy Object is applied. However, sometimes there is a need to exclude individual objects or sub-containers from the policy scope, thereby preventing certain objects from being affected by policies.
Active Roles gives you the option to selectively exclude objects or entire containers from the policy scope. You can block policy inheritance on individual objects or containers, refining the policy scope. The option to block policy inheritance is discussed later in this section (see Managing policy scope later in this chapter).
To apply a Policy Object, you can start from any of the following points:
The following two sections elaborate on each of these options.
You can add administrative views (Managed Units) and directory folders (containers) to the policy scope of a given Policy Object in these ways:
In both cases, clicking Add displays the Select Objects window where you can select containers and Managed Units. To build a list of containers from which to select, click the Browse button and select Active Directory or a container in the hierarchy under Active Directory. The list looks similar to the following figure:
Figure 26: Policy objects
To build a list of Managed Units from which to select, click the Browse button and select Managed Units or a container in the hierarchy under Managed Units. The list looks similar to the following figure:
Figure 27: Managed units
In the Select Objects window, select containers or Managed Units from the list and click the Add button to build the resultant list of items. When finished, click OK.