

Controlling Policy Changes

You need to prevent unauthorized or conflicting changes to user and machine policies. This is especially important if you have multiple administrators (that is, CA DataMinder users with administrative authority). Follow these steps:

  1. Decide who is permitted to edit (or even view) policies. You create policy administrators by allocating administrative privileges prudently.
    Policy privileges

    Certain administrative privileges permit users to view and edit policies, and to replicate policy changes to client machines. These are:

    • Policies: Edit policy
    • Policies: Edit the CMS policy
    • Policies: Replicate changes to clients
    • Policies: View policy
  2. Specify which users, groups or machines can be managed by each of your policy administrators. For example, you may want to restrict an administrator’s authority to a specific department or office. To do this, make sure an appropriate management group is assigned to each of your policy administrators.
    Management group

    After assigning the appropriate privileges to your policy administrators, you need to set their management group to control which user policies they can manage. Administrators cannot view or edit user policies that fall outside their management group.

  3. Control which settings and folders within those policies your policy administrators are permitted to edit. To do this, you apply the Enforce and Disable attributes.
    Disable and Enforce attributes

    Any folder or setting can be enforced. This means nobody can edit it in a child policy. Similarly, in the user policy, any trigger folder can be disabled. This means CA DataMinder ignores all settings in the folder itself and its subfolders. By using combinations of the Enforce and Disable attributes, you can restrict the folders and settings that an administrator can edit in a child policy. For example, to set up an enterprise-wide Web usage advisory, the primary administrator can enforce the Warning Message folder in the user policy (in the Extensions folder) for the top-level 'Users' group. This means nobody can change the message in any child policy throughout the enterprise.

    Likewise, the primary administrator may choose to disable certain folders in the policy for the top-level 'Users' group, for example, some unused capture triggers. If the administrator also enforces these disabled folders, nobody can re-enable these triggers in any child policy throughout the enterprise.
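
The three controls above (privilege, management group, Enforce attribute) combine into a single edit decision. The following is an added conceptual model, not CA DataMinder code or its API; the group tree, the placeholder trigger folders, and the two rules marked as assumptions are constructed for illustration.

```python
# Conceptual model only; not CA DataMinder code or its API.
from collections import namedtuple

EDIT = "Policies: Edit policy"  # privilege name as listed on this page
Admin = namedtuple("Admin", "name privileges management_group")

# Constructed group tree: group -> parent (None marks the top-level group).
PARENT = {"Users": None, "Sales": "Users", "Sales-EMEA": "Sales", "Finance": "Users"}

# Constructed attributes set in each group's user policy. Folder paths other
# than "Extensions/Warning Message" are placeholders.
ATTRS = {
    "Users": {
        "Extensions/Warning Message": {"enforce"},
        "Capture/Placeholder Trigger A": {"disable", "enforce"},
        "Capture/Placeholder Trigger B": {"disable"},
    },
    "Sales": {"Capture/Placeholder Trigger C": {"enforce"}},
}

def ancestors(group):
    """Parent groups of `group`, nearest first."""
    chain, parent = [], PARENT[group]
    while parent is not None:
        chain.append(parent)
        parent = PARENT[parent]
    return chain

def enforced_by(group, path):
    """Ancestor group whose enforced folder covers `path`, or None."""
    for anc in ancestors(group):
        for folder, attrs in ATTRS.get(anc, {}).items():
            # Assumption: enforcing a folder also locks everything beneath it.
            if "enforce" in attrs and (path == folder or path.startswith(folder + "/")):
                return anc
    return None

def can_edit(admin, group, path):
    """Apply the three controls in order; return (allowed, reason)."""
    if EDIT not in admin.privileges:
        return False, "missing privilege"
    # Assumption: a management group covers the group and its subgroups.
    if group != admin.management_group and admin.management_group not in ancestors(group):
        return False, "outside management group"
    locker = enforced_by(group, path)
    if locker:
        return False, "enforced in " + locker
    return True, "ok"
```

In this model a folder that is disabled but not enforced in the 'Users' policy stays editable in child policies, which is why the page pairs Disable with Enforce for triggers that must stay off.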