McAfee EPOCDE-AA-BA Product Guide - Page 166
How policy assignment rules work, Policy assignment rule priority, Policy ownership
15 Using policies to manage products and systems

Policy ownership

All policies for products and features to which you have permissions are available from the Policy Catalog page. To prevent any user from editing other users' policies, each policy is assigned an owner: the user who created it. Ownership ensures that no one can modify or delete a policy except its creator or a global administrator. Any user with appropriate permissions can assign any policy in the Policy Catalog page, but only the owner or a global administrator can edit it.

If you assign a policy that you do not own to managed systems, be aware that if the owner of the named policy modifies it, all systems where this policy is assigned receive these modifications. Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you first duplicate the policy, then assign the duplicate to the desired locations. This gives you ownership of the assigned policy.

You can specify multiple non-global administrator users as owners of a single policy.

How policy assignment rules work

Policy assignment rules reduce the overhead of managing numerous policies for individual users or systems that meet specific criteria, while maintaining more generic policies across your System Tree. This level of granularity in policy assignment limits the instances of broken inheritance in the System Tree needed to accommodate the policy settings that particular users or systems require.

Policy assignments can be based on either user-specific or system-specific criteria:

• User-based policies - Policies that include at least one user-specific criterion. For example, you can create a policy assignment rule that is enforced for all users in your engineering group. You can then create another policy assignment rule for members of your IT department so they can log on to any computer in the engineering network with the access rights they need to troubleshoot problems on a specific system in that network. User-based policies can also include system-based criteria.
• System-based policies - Policies that include only system-based criteria. For example, you can create a policy assignment rule that is enforced for all servers on your network based on the tags you've applied, or all systems in a specific location in your System Tree. System-based policies cannot include user-based criteria.

Policy assignment rule priority

Policy assignment rules can be prioritized to simplify maintenance of policy assignment management. When you set a priority for a rule, it is enforced before other assignments with a lower priority. In some cases, the outcome can be that some rule settings are overridden. For example, consider a user or system that is included in two policy assignment rules, rules A and B. Rule A has priority level 1, and allows included users unrestricted access to internet content. Rule B has priority level 2, and heavily restricts the same user's access to internet content. In this scenario, rule A is enforced because it has higher priority. As a result, the user has unrestricted access to internet content.

166 McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
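The priority behaviour described above can be checked offline before rules are deployed. The following Python sketch is an added example, not code from McAfee or from the product guide: it models rules A and B and reports which rule is enforced and which restrictive rules it overrides. The `Rule` class, the `resolve` function, the group and tag names, and the matching semantics (every criterion type a rule sets must match, and all rules assign a policy of the same category) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                         # 1 = highest, as in the guide's example
    policy: str                           # policy the rule assigns (same category assumed)
    user_groups: frozenset = frozenset()  # user-specific criteria
    system_tags: frozenset = frozenset()  # system-specific criteria

    @property
    def kind(self):
        # At least one user criterion makes a rule user-based; otherwise it is system-based.
        return "user-based" if self.user_groups else "system-based"

    def matches(self, groups, tags):
        # Assumption: each criterion type the rule sets must match at least one value.
        if not (self.user_groups or self.system_tags):
            return False
        user_ok = not self.user_groups or bool(self.user_groups & groups)
        system_ok = not self.system_tags or bool(self.system_tags & tags)
        return user_ok and system_ok

def resolve(rules, groups, tags):
    """Return (enforced rule, overridden matching rules whose policy differs)."""
    hits = sorted((r for r in rules if r.matches(groups, tags)),
                  key=lambda r: r.priority)
    if not hits:
        return None, []
    winner = hits[0]
    return winner, [r for r in hits[1:] if r.policy != winner.policy]

# Constructed sample data mirroring rules A and B from the text.
RULES = [
    Rule("B", 2, "Restricted web access", user_groups=frozenset({"Engineering"})),
    Rule("A", 1, "Unrestricted web access", user_groups=frozenset({"IT"})),
    Rule("Kiosk", 3, "Kiosk web access", system_tags=frozenset({"Kiosk"})),
]

if __name__ == "__main__":
    # A user who belongs to both groups, logging on to a workstation.
    winner, overridden = resolve(RULES, frozenset({"IT", "Engineering"}),
                                 frozenset({"Workstation"}))
    print(f"enforced: rule {winner.name} ({winner.kind}) -> {winner.policy}")
    for r in overridden:
        print(f"overridden: rule {r.name} (priority {r.priority}) -> {r.policy}")
```

Running the same check over every group and tag combination in use lists each place where a permissive rule silently wins over a restrictive one.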