How Advanced Policy-based Management Works

Advanced policy-based management lets you store, deploy, and undeploy policy versions, and later check the deployment status, deployment deviation, and deployment distribution.

Advanced policy-based management works in the following way:

  1. You create a policy.

    Each policy contains a pair of selang command scripts. The first script is a deployment script and contains a set of selang commands that construct the policy. The second script is an undeployment script and contains commands that are required for undeploying (removing) the policy from the endpoint database.

  2. You store policy details in the DMS using either CA Access Control Enterprise Management or the policydeploy utility, and CA Access Control then stores the policy using automatic version-control.

    Policy details include the policy description, deployment and undeployment scripts, and policy dependency.

  3. Depending on whether the policy already exists on the DMS, CA Access Control does one of the following:

    If the policy does not yet exist on the DMS, CA Access Control creates it and stores the scripts as the first policy version. If the policy already exists, CA Access Control stores the scripts as a new version of the existing policy.

  4. When you decide it is time, you use CA Access Control Enterprise Management or the policydeploy utility to deploy a stored policy to target databases. CA Access Control creates deployment tasks (DEPLOYMENT objects) automatically on the DMS.

    Note: CA Access Control deploys the latest finalized policy version of the stored policy. New policy versions that you create are not sent automatically to assigned hosts. You need to manually upgrade assigned hosts to the latest policy version.

    Note: CA Access Control Enterprise Management automatically deploys the UNAB login and configuration policies after you create them. You can only assign UNAB login and configuration policies to UNAB hosts.

  5. CA Access Control creates a deployment package (GDEPLOYMENT object) automatically on the DMS.

    The deployment package groups all the deployment tasks created in the previous step.

  6. The DMS sends the deployment tasks to the Distribution Host (DH).

  7. The endpoint, which periodically checks for new policy deployment tasks (using policyfetcher), fetches the pending deployment tasks from the DH and executes each rule (the selang commands specified in the deployment script) on the target databases.

  8. The endpoint updates the DH with the deployment task status (failed or success), the selang result messages for any failed commands, and the policy status on the HNODE.

    Note: If a policy is deployed with errors, you can use Deployment Audit in CA Access Control Enterprise Management to view the selang output for the failed commands. Otherwise, you need to view the log file on the computer where the policy was deployed with errors.

  9. The DH updates the deployment task status and policy status on the DMS, where this information is stored.

Note: UNAB login policies and UNAB config policies do not work in the same way as advanced policy-based management.
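The following is an added example, not from the original documentation, of the pair of selang scripts that make up one stored policy (step 1) and that policyfetcher executes command by command on the target databases (step 7). The protected file, the group name and the policy's purpose are placeholders chosen for illustration; the lines beginning with # are comments and are assumed to be ignored by the selang interpreter.

```selang
# --- Deployment script: constructs the policy on each target database ---

# Protect the sudoers file: no default access for anyone, audit failed attempts.
nr FILE /etc/sudoers defaccess(none) owner(root) audit(failure)

# Create the group that is allowed to maintain the file (placeholder name).
ng sudo_admins

# Grant that group read and write access to the protected file.
authorize FILE /etc/sudoers gid(sudo_admins) access(read,write)


# --- Undeployment script: removes the policy in reverse dependency order ---

# Revoke the authorization before removing the objects it refers to.
authorize- FILE /etc/sudoers gid(sudo_admins)

# Remove the group, then the resource record created by the deployment script.
rg sudo_admins
rr FILE /etc/sudoers
```

Two points follow from the way the deployment works. First, the undeployment script must undo exactly what the deployment script created, in reverse order, because each command runs independently and a failed command (for example rg on a group that still has authorizations) is reported back as a failed deployment task (step 8). Second, a creation command such as nr or ng fails if the record already exists in the endpoint database, so a deployment script should only create objects that the policy owns; existing records should be modified with editres (er) rather than recreated.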

More information:

Policy Dependency

Policy Verification

Assignment Paths

How You Control Host Access and Configure UNAB