HP 3PAR Policy Server Administrator's Guide (QR483-96003, December 2012)

Tips for Policies
This section provides information about actions that will help you avoid problems.
Avoiding Performance Problems
Make sure only actions that absolutely must have Ask for Approval are defined with that access right.
Policy Server already restricts five actions to only the Always Allow and Never Allow access rights. When
selecting access rights, keep in mind that Ask for Approval means that every time the actions are requested,
the Agent must wait for a response from Policy Server. Until authorized users of the Policy Server
application accept or deny these actions, the Agent must queue them. For frequently requested actions, this
approval cycle can degrade system performance.
Avoiding Unexpected Actions from Packages
Granting Always Allow to packages could lead to unwanted actions being performed on an asset. For
example, if the Run Script action has a Never permission, and a Run Package action has an Always
permission, and a script is included in a package, the Agent sees the Run Package action and executes it
automatically (because it has an Always permission). The Agent and the Policy Server do not “see” the
script in the package.
The action of accepting or denying the execution of a package on an asset applies to the entire contents of
the package. If an explicit permission exists for a specific package (name and version), the Agent enforces
the permission on that package as instructed. If an explicit permission does NOT exist for a specific package
(name and version), the Agent examines the contents of the package and processes the package based on the
following rules:
- If every action in the package, including rollback actions, has an Always Allow permission, the
  Agent processes the entire package.
- If any action in the package, including rollback actions, has a Never Allow permission, the Agent
  denies the package (and sends that as a message to the HP 3PAR Enterprise Server).
- If the package contains actions with any combination of Always Allow and Ask for Approval
  permissions (with a minimum of one Ask for Approval permission), the Ask for Approval
  permissions are aggregated and sent to Policy Server as one permission request. A Policy Server
  user then accepts or denies the entire package.
Therefore, if a package contains actions you want to deny on one or more assets, make sure you explicitly
deny those actions or that package version as part of setting up policies for those assets. If you permit the
Agent to accept a package that contains actions you do not want to run on an asset, those actions will be run
because they are in the package and the package was permitted.
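
The following sketch models the package rules above and flags explicitly allowed packages that contain a Never Allow action. It is an added example, not HP code or a Policy Server API: the function names, the package names, and the actions other than Run Script are constructed, and it assumes every action in a package has a permission defined in the policy.

```python
# Added illustration of the package rules in this section; not HP code.
# All names and the sample policy below are constructed for the example.
ALWAYS, ASK, NEVER = "Always Allow", "Ask for Approval", "Never Allow"

def evaluate_package(name, version, actions, action_policy, package_policy):
    """Return (decision, actions_needing_approval) for one package.

    actions        -- every action in the package, rollback actions included
    action_policy  -- {action name: permission}
    package_policy -- {(name, version): permission}, explicit package rules
    """
    explicit = package_policy.get((name, version))
    if explicit is not None:
        # An explicit package permission is enforced as instructed;
        # the contents are not examined.
        return explicit, []
    perms = [action_policy[a] for a in actions]
    if NEVER in perms:
        return NEVER, []
    pending = [a for a, p in zip(actions, perms) if p == ASK]
    if pending:
        # Aggregated into a single request for the whole package.
        return ASK, pending
    return ALWAYS, []

def audit_explicit_allows(packages, action_policy, package_policy):
    """List explicitly allowed packages that contain Never Allow actions."""
    findings = []
    for (name, version), actions in packages.items():
        if package_policy.get((name, version)) == ALWAYS:
            denied = [a for a in actions if action_policy[a] == NEVER]
            if denied:
                findings.append((name, version, denied))
    return findings

# Constructed sample data.
ACTION_POLICY = {"Run Script": NEVER, "File Upload": ALWAYS, "Restart Agent": ASK}
PACKAGES = {
    ("diag-tools", "1.0"): ["File Upload", "Run Script"],
    ("log-collect", "2.1"): ["File Upload", "Restart Agent"],
    ("cfg-sync", "1.4"): ["File Upload"],
}
PACKAGE_POLICY = {("diag-tools", "1.0"): ALWAYS}

if __name__ == "__main__":
    for (n, v), acts in PACKAGES.items():
        print(n, v, evaluate_package(n, v, acts, ACTION_POLICY, PACKAGE_POLICY))
    print(audit_explicit_allows(PACKAGES, ACTION_POLICY, PACKAGE_POLICY))
```

In the sample, diag-tools 1.0 is processed despite containing Run Script because of its explicit package permission; without that entry the same package is denied.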