Locking permissions, Removing policy overrides, Locking permissions removing policy overrides – HP 3PAR Policy Manager Software User Manual
Page 31
access right, and a Package action has an Always Allow access right, and a script is created in
a package, the package permission supersedes that script’s access right. The Custodian sees the
Package action and executes it automatically (because it has an Always Allow access right). The
Custodian and Policy Manager do not see the script in the package.
The action of accepting or denying the execution of a package on a device applies to the entire
contents of the package. If an explicit access right exists for a specific package (name and version),
the Custodian enforces the permission on that package as instructed. If an explicit access right
does not exist for a specific package, the Custodian examines the contents of the package and
processes the package based on the following rules:
•
If every action in the package, including rollback actions, has an Always Allow access right,
the Custodian processes the entire package.
•
If any action in the package, including rollback actions, has a Never Allow access right, the
agent denies the package and sends that as a message to the Collector Server.
•
If the package contains actions with any combination of Always Allow and Ask for Approval
access rights (with a minimum of one Ask for Approval access right), the Ask for Approval
access rights are aggregated and sent to Policy Manager as one permission request. The
Policy Manager user then accepts or denies the entire package.
If a package contains actions you want to deny on one or more devices, make sure you explicitly
deny those actions or that package version as part of creating a permission for those devices'
policies. If you permit the Custodian to accept a package that contains actions you do not want
to run on a device, those actions will be run because they are in the package and the package
was permitted.
Locking Permissions
You can lock permissions from being overwritten in a child's policy. If you want to change a
permission that is locked, you must do so from within the policy in which that permission is locked.
For example, if a permission is locked in the Global policy, you need to open the Global policy
and that permission in order to change the permission's parameters or access right.
Lock permissions from the View or change the policy settings for
tab for a selected group. For each permission that you want to lock, do the following:
1.
Select the Lock check box for the related permissions (
).
Figure 24 Locking Permissions
2.
Click Done.
NOTE:
The settings for permissions that are locked in a parent's policy (as shown in the
Access Right column) are not selectable in the View or change the policy settings page.
Removing Policy Overrides
If you want the policy for a child group or specific device to match that of its parent group, perform
the following:
•
On the View or change the policy settings for
Policy.
Any permission settings specific to the policy open in this page are removed. All permission settings
are replaced with those defined for the parent's policy. The next time the device contacts the server,
it receives this updated policy.
Working in the Policy Tab
31