Data Scoping rules are inherited in the following two ways:
If no rule is defined for a particular class, the immediate parent overrides any other rules in the class hierarchy. Thus, if you deny Delete access for the ManagedObject class but allow Delete access for Host, Windows Server and Windows 2000 Server computers can be deleted, but a Crossroads_Bridge cannot be deleted.
Also, because a Business Process View object has two parents, both of the parents’ rules are checked.
If there is a rule for the child object, it overrides the rule for the parent object. Thus, a rule defined for a particular subnet takes effect on all objects within that subnet. For example, if you cannot delete subnet a.b.c.0, you also cannot delete computer a.b.c.14 or a.b.c.16.
If rules are defined for both a parent object and a parent class, the class inheritance rules take precedence over the inclusion inheritance rules. The inclusion inheritance rules are evaluated only if the class inheritance rules do not apply.
Rule propagation is useful for administering entire subnets or all objects related to a device. If you deny Delete access for Windows computer ABCD, then any agents, Enterprise Management components, or WBEM objects for that device cannot be deleted. You do not need to define separate rules.
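The following sketch models the evaluation order described above so that the effective rule for an object can be traced. It is an added example, not CA code: the class names, object names, rule tables, and the `resolve` and `nearest` functions are constructed for illustration. It assumes that a rule set directly on an object is checked first, and it does not model Business Process View objects with two parents.

```python
# Illustrative model only: every name and rule table here is constructed.
CLASS_PARENT = {"ManagedObject": None, "Host": "ManagedObject",
                "Windows_Server": "Host", "Crossroads_Bridge": "ManagedObject",
                "Subnet": "ManagedObject", "Agent": "ManagedObject"}

# object name -> (class, containing object in the inclusion hierarchy)
OBJECTS = {
    "a.b.c.0": ("Subnet", None),
    "a.b.c.14": ("Windows_Server", "a.b.c.0"),
    "ABCD": ("Windows_Server", None),
    "ABCD-agent": ("Agent", "ABCD"),
    "bridge1": ("Crossroads_Bridge", None),
}

def nearest(start, parent_of, rules, action):
    """Walk up a hierarchy; return (node, decision) for the closest rule."""
    node = start
    while node is not None:
        if (node, action) in rules:
            return node, rules[(node, action)]
        node = parent_of(node)
    return None

def resolve(obj, action, class_rules, object_rules):
    """Return (decision, source), or (None, 'no rule') if nothing applies."""
    cls, container = OBJECTS[obj]
    # Assumption: a rule set directly on the object is checked first.
    if (obj, action) in object_rules:
        return object_rules[(obj, action)], f"object {obj}"
    # Class inheritance: the closest class in the hierarchy with a rule wins.
    hit = nearest(cls, CLASS_PARENT.get, class_rules, action)
    if hit:
        return hit[1], f"class {hit[0]}"
    # Inclusion inheritance: evaluated only when no class rule applied.
    hit = nearest(container, lambda o: OBJECTS[o][1], object_rules, action)
    if hit:
        return hit[1], f"included in {hit[0]}"
    return None, "no rule"
```

When auditing a rule set, note the combined case: with a Delete rule allowed on Host and denied on subnet a.b.c.0, this model resolves computer a.b.c.14 through the class rule, so the subnet-level deny never applies to it.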
Copyright © 2010 CA. All rights reserved.