Manualshelf

HP 3PAR Policy Server Administrator's Guide (QR483-96003, December 2012)

ManualsBrandsHP ManualsSoftwareHP 3PAR Operating System Software
31323334353637383940
HP 3PAR Policy Server 4-2
What is a Policy?
A policy consists of a set of actions and the permissions for performing them. When first registering with
Policy Server, Agent gateways and Policy Agents send a complete list of their supported actions. Policy
Server is installed with support for all known actions contained in the released version of the HP 3PAR
Enterprise Server. These actions are referred to as "Base actions" and are listed and described in Table 4-1.
Actions in a Base Installation.
By default, most of the base actions are defined with a default permission and the access right, “Ask for
Approval.” Until you change the permission and access right in the Policy Server application, each asset
under management asks the HP 3PAR Policy Server for approval to perform most of the actions defined in
the policy. Policy Server supports new actions (for example, custom actions that may be customer-specific
or asset-specific) by automatically applying a permission of “Ask for Approval”.
Inheriting a Policy
The hierarchy of asset groups exists to support the inheritance of policies. By default all automatically
created asset groups inherit the policy of the Global asset group. You can change this inheritance by creating
your own asset groups, setting policies different than the Global policy for the new groups, and moving
assets to the new groups.
Understanding Permissions
A permission defines how an action is managed through a combination of values for the parameters of the
action, filters, and inheritance. Each action defined in a policy has at least one permission and may have
multiple, related permissions. If you require different policies for asset groups, you can edit the default
permission and create additional permissions for each action.
Some actions take parameters and some do not. For example, the Restart Agent action, which controls
whether or not the asset will perform a requested hard restart, has no specific parameters. As another
example, the Package action, which controls whether or not an asset can accept and execute a Software
Management package from the HP 3PAR Enterprise Server, supports two parameters: the name and the
version of a package.
The Global asset group and its policy define the default permissions for all new asset groups. If you modify
the permissions of the Global policy, any asset groups that currently inherit that policy inherit those changes.
All new asset groups will have the Global policy until you change the policy for the new asset group. Assets
inherit the policy of whatever asset group they belong to.
Important! When adding a permission or action that contains a file name, always use full paths for
permissions and actions. For example, if you set an execute permission for c:\windows\notepad.exe to
Never, then an action that launches c:\windows\notepad.exe, the action is denied and the Policy Agent
or Agent gateway reports, "permission denied." However if you set the action for notepad.exe, then the
permission c:\windows\notepad.exe is NOT a match. In addition, the default permission of Ask will be
applied. If you always use c:\windows\notepad.exe instead of notepad.exe for both permissions and
actions, you will not see this problem.