HP 3PAR StoreServ 7400 2-node HP 3PAR Policy Server Administrator's G - Page 32
What is a Policy?, Inheriting a Policy, Understanding Permissions
View all HP 3PAR StoreServ 7400 2-node manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 32 highlights
What is a Policy? A policy consists of a set of actions and the permissions for performing them. When first registering with Policy Server, Agent gateways and Policy Agents send a complete list of their supported actions. Policy Server is installed with support for all known actions contained in the released version of the HP 3PAR Enterprise Server. These actions are referred to as "Base actions" and are listed and described in Table 4-1. Actions in a Base Installation. By default, most of the base actions are defined with a default permission and the access right, "Ask for Approval." Until you change the permission and access right in the Policy Server application, each asset under management asks the HP 3PAR Policy Server for approval to perform most of the actions defined in the policy. Policy Server supports new actions (for example, custom actions that may be customer-specific or asset-specific) by automatically applying a permission of "Ask for Approval". Inheriting a Policy The hierarchy of asset groups exists to support the inheritance of policies. By default all automatically created asset groups inherit the policy of the Global asset group. You can change this inheritance by creating your own asset groups, setting policies different than the Global policy for the new groups, and moving assets to the new groups. Understanding Permissions A permission defines how an action is managed through a combination of values for the parameters of the action, filters, and inheritance. Each action defined in a policy has at least one permission and may have multiple, related permissions. If you require different policies for asset groups, you can edit the default permission and create additional permissions for each action. Some actions take parameters and some do not. For example, the Restart Agent action, which controls whether or not the asset will perform a requested hard restart, has no specific parameters. As another example, the Package action, which controls whether or not an asset can accept and execute a Software Management package from the HP 3PAR Enterprise Server, supports two parameters: the name and the version of a package. The Global asset group and its policy define the default permissions for all new asset groups. If you modify the permissions of the Global policy, any asset groups that currently inherit that policy inherit those changes. All new asset groups will have the Global policy until you change the policy for the new asset group. Assets inherit the policy of whatever asset group they belong to. Important! When adding a permission or action that contains a file name, always use full paths for permissions and actions. For example, if you set an execute permission for c:\windows\notepad.exe to Never, then an action that launches c:\windows\notepad.exe, the action is denied and the Policy Agent or Agent gateway reports, "permission denied." However if you set the action for notepad.exe, then the permission c:\windows\notepad.exe is NOT a match. In addition, the default permission of Ask will be applied. If you always use c:\windows\notepad.exe instead of notepad.exe for both permissions and actions, you will not see this problem. HP 3PAR Policy Server 4-2