5 locking permissions, 6 removing policy overrides, Locking permissions – HP 3PAR Service Processors User Manual
Page 58: Removing policy overrides
7.14
Working in the Policy Tab
3PAR Secure Service Policy Manager User’s Guide
■
If any action in the package, including rollback actions, has a Never Allow access right, the
agent denies the package and sends that as a message to the Collector Server.
■
If the package contains actions with any combination of Always Allow and Ask for
Approval access rights (with a minimum of one Ask for Approval access right), the Ask
for Approval access rights are aggregated and sent to Policy Manager as one permission
request. The Policy Manager user then accepts or denies the entire package.
If a package contains actions you want to deny on one or more devices, make sure you
explicitly deny those actions or that package version as part of creating a permission for those
devices' policies. If you permit the Custodian to accept a package that contains actions you do
not want to run on a device, those actions will be run because they are in the package and the
package was permitted.
7.2.5 Locking Permissions
You can lock permissions from being overwritten in a child's policy. If you want to change a
permission that is locked, you must do so from within the policy in which that permission is
locked. For example, if a permission is locked in the Global policy, you need to open the Global
policy and that permission in order to change the permission's parameters or access right.
Lock permissions from the View or change the policy settings for
the Policy tab for a selected group. For each permission that you want to lock, do the
following:
1
Select the Lock check box for the related permissions (
Figure 7-9. Locking Permissions
2
Click Done.
7.2.6 Removing Policy Overrides
If you want the policy for a child group or specific device to match that of its parent group,
perform the following:
NOTE: The settings for permissions that are locked in a parent's policy (as shown
in the Access Right column) are not selectable in the View or change the
policy settings page.