5 locking permissions, 6 removing policy overrides, Locking permissions – HP 3PAR Service Processors User Manual

Working in the Policy Tab

3PAR Secure Service Policy Manager User’s Guide

If any action in the package, including rollback actions, has a Never Allow access right, the agent denies the package and sends that as a message to the Collector Server.

If the package contains actions with any combination of Always Allow and Ask for Approval access rights (with a minimum of one Ask for Approval access right), the Ask for Approval access rights are aggregated and sent to Policy Manager as one permission request. The Policy Manager user then accepts or denies the entire package.

If a package contains actions you want to deny on one or more devices, make sure you explicitly deny those actions or that package version as part of creating a permission for those devices' policies. If you permit the Custodian to accept a package that contains actions you do not want to run on a device, those actions will be run because they are in the package and the package was permitted.
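The package decision rules above, modelled as an added Python example; it is not code from the manual or the product. The action names and sample policies are constructed, and the outcome for a package made up only of Always Allow actions is an assumption the page does not state.

```python
from enum import Enum

class Right(Enum):
    ALWAYS_ALLOW = "Always Allow"
    ASK = "Ask for Approval"
    NEVER_ALLOW = "Never Allow"

def evaluate_package(actions, policy):
    """Decide one package for one device.

    actions: every action name in the package, rollback actions included.
    policy:  action name -> Right in the device's effective policy.
    Returns (decision, approval_request).
    """
    # An action with no policy entry raises KeyError; the page gives no rule for it.
    rights = {name: policy[name] for name in actions}
    if any(r is Right.NEVER_ALLOW for r in rights.values()):
        return "deny", []      # one Never Allow denies the whole package
    asks = [n for n in actions if rights[n] is Right.ASK]
    if asks:
        return "ask", asks     # aggregated into ONE permission request
    # Assumption: only Always Allow actions, so no request is needed.
    return "allow", []

def runs_if_accepted(actions, policy, unwanted):
    """Unwanted actions that execute if the package is permitted."""
    decision, _ = evaluate_package(actions, policy)
    if decision == "deny":
        return []
    # Acceptance is all-or-nothing: every action in the package runs.
    return [n for n in actions if n in unwanted]

# Constructed sample data; the action names are hypothetical.
PACKAGE = ["upload-logs", "install-patch", "restart-service", "rollback-patch"]
POLICY = {
    "upload-logs": Right.ALWAYS_ALLOW,
    "install-patch": Right.ASK,
    "restart-service": Right.ASK,
    "rollback-patch": Right.ALWAYS_ALLOW,
}
# Same policy with the unwanted action explicitly denied.
HARDENED = {**POLICY, "restart-service": Right.NEVER_ALLOW}

if __name__ == "__main__":
    for label, pol in (("original", POLICY), ("explicit deny", HARDENED)):
        print(label, evaluate_package(PACKAGE, pol),
              runs_if_accepted(PACKAGE, pol, {"restart-service"}))
```

With the original policy the approver sees a single request, and accepting it also runs the unwanted action; only the explicit Never Allow entry turns the outcome into a denial.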

7.2.5 Locking Permissions

You can lock permissions from being overwritten in a child's policy. If you want to change a permission that is locked, you must do so from within the policy in which that permission is locked. For example, if a permission is locked in the Global policy, you need to open the Global policy and that permission in order to change the permission's parameters or access right.

Lock permissions from the View or change the policy settings for page in the Policy tab for a selected group. For each permission that you want to lock, do the following:

1 Select the Lock check box for the related permissions (Figure 7-9).

Figure 7-9. Locking Permissions

2 Click Done.

7.2.6 Removing Policy Overrides

If you want the policy for a child group or specific device to match that of its parent group, perform the following:

NOTE: The settings for permissions that are locked in a parent's policy (as shown in the Access Right column) are not selectable in the View or change the policy settings page.