Policies tab

The Policies tab displays the defined policies, their Status of enabled or disabled, their Priority, their Last State Change date and time, and their Last Modified date and time.

A policy named Default Policy is defined for all products.

A policy is where roles are given access (allowable actions such as view, read, write, execute, delete, etc.) to resources.

Users are defined to be members of (or to have) a role.

Multiple policies can be enabled at one time.

Policies have a Priority, which is used to apply precedence to determine a role's access to a resource.

Managing policies

A default policy named Default Policy is defined with the product. For example purposes, a role named Test_Admin has been added and given access to all resources in the policy named Default Policy, as seen here:

The resources and roles in the Default Policy may vary for the different products, but the general management tasks are similar.

  • The column labeled Resources lists the resource categories available on this node. Each category can be expanded and collapsed using the [+] and [-] icons next to the category. When expanded, additional categories or resources are listed.
  • Each role is listed as a column. In this example, the roles are Users and Test_Admin.
  • Note that an admin role is not listed. The admin user is the special system-defined user that has access to all resources. This cannot be changed.
  • Each resource category (or if expanded, each resource) has an indication of the access for the role.

The policy parameters, functions and resource access indicators are as follows:

Item Description
Policy The name of the policy. The policy named Default Policy is defined with the product; the resources and roles may vary for the different products.
Priority The priority of the policy, a number from 1 to 100. The policy priority is used to apply precedence to determine a Role's access to a resource. A lower number priority means a higher precedence.
Resource This column in the table lists the resource categories and, when expanded, the resources and actions for which access is granted or denied for each role.
Roles Each role is listed as a column. In this example, the roles are Users and Test_Admin.
Access indicators
The access indicators show whether access is allowed, including possible access from a different priority policy. The indicators are toggled by clicking them with the mouse.
The indicators are as follows:
  • Green check mark. Allow access to this category and all children, or allow access to this resource, or allow access to this action.
  • Grey check mark. Inherent access to a resource or an action based on access to a parent.
  • Red X mark. Do not allow access to the resource category, or do not allow access to a resource, or do not allow access to an action.
    This access indicator is used to not allow access even if lower priority policies (a higher numerical value) allow access. In other words, this overrides lower priority policies' access definitions.
  • Grey X mark. Inherent do not allow access to a resource or an action based on access not allowed for a parent.
    This access indicator is used to allow access if lower priority policies (a higher numerical value) allow access. In other words, this uses lower priority policies' access definitions.
Save Save the parameters and access indicators for the roles for the policy.
Clear All Reset all access indicators for all roles to a grey X mark.

Example policy priority precedence

In the example Default Policy shown above, the Priority is 50. Among other access indicators, the Users role has a:

  • Red X mark for the Advanced category
  • Grey X mark for the Devices category.

If this policy is enabled and no other policies are enabled, then all user names with the Users role would not be able to access the Advanced or Devices resource categories, resources and actions.

If there is another policy with a lower priority, for example 75, that is enabled with the access indicators for the Users role being a:

  • Green check mark for the Advanced category
  • Green check mark for the Devices category.

Then the access for the Users role would include:

  • Do not allow access for the Advanced category, since the higher priority (50) policy has a red X mark (do not allow)
  • Allow access for the Devices category, since the higher priority (50) policy has a grey X mark (use lower priority policy) and the lower priority (75) policy has a green check mark (allow).

This multiple policy priority precedence function of the Security feature is used to create a layered approach to access control.
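
The precedence rules in the example above can be modelled as a short evaluation routine. This is an added illustration, not the product's code: it reproduces the Priority 50 and Priority 75 scenario for the Users role. It assumes that the first explicit mark found in priority order decides (green as well as red), that a child with no mark of its own takes the mark of its nearest parent in the same policy, and it uses a constructed policy name ("Layered Policy") and child resource ("Advanced/Logs").

```python
# Added example, not the product's code. Mark names, the "Layered Policy" name
# and the "Advanced/Logs" child resource are constructed for illustration.
ALLOW, DENY = "allow", "deny"  # green check mark / red X mark; no entry = grey X mark


class Policy:
    def __init__(self, name, priority, marks=None, enabled=True):
        if not 1 <= priority <= 100:
            raise ValueError("priority must be a number from 1 to 100")
        self.name, self.priority, self.enabled = name, priority, enabled
        self.marks = marks or {}  # {(role, resource_path): ALLOW or DENY}

    def mark_for(self, role, resource):
        """Explicit mark on the resource or its nearest parent category, else None."""
        parts = resource.split("/")
        while parts:
            mark = self.marks.get((role, "/".join(parts)))
            if mark is not None:
                return mark  # children inherit it (grey check / grey X in the UI)
            parts.pop()
        return None  # grey X with no explicit parent mark: defer to other policies


def effective_access(policies, role, resource):
    """Return (allowed, name of the deciding policy or None)."""
    enabled = [p for p in policies if p.enabled]
    # Lower priority number means higher precedence, so evaluate in ascending order.
    for policy in sorted(enabled, key=lambda p: p.priority):
        mark = policy.mark_for(role, resource)
        if mark is not None:
            return mark == ALLOW, policy.name
    return False, None  # no enabled policy allows access


default_policy = Policy("Default Policy", 50, {("Users", "Advanced"): DENY})
layered_policy = Policy("Layered Policy", 75, {("Users", "Advanced"): ALLOW,
                                               ("Users", "Devices"): ALLOW})

if __name__ == "__main__":
    for res in ("Advanced", "Advanced/Logs", "Devices"):
        print(res, effective_access([default_policy, layered_policy], "Users", res))
    print("Devices, Default Policy only:",
          effective_access([default_policy], "Users", "Devices"))
```

When reviewing a policy set, treat a grey X mark as "undecided" rather than "denied": only a red X mark in the higher priority policy keeps a lower priority policy from granting access.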