Administration Guide › Custom Roles and Policies › Guidelines for Creating Policies

Guidelines for Creating Policies

All CALM access policies and scoping policies state the actions that are granted or denied to specific identities on specific resources. Policies for the CALM resource class grant or deny specified identities the ability to perform actions on application resources, also known as CALM resources. Policies for the SafeObject resource AppObject grant or deny specified identities write and read actions on an application-level resource, as indicated in the filters. Other policies for the SafeObject resource class grant or deny specified identities write and read actions on global resources.

The type of policy or policies you create depends on the resource to which you want to limit access. A summary of the policy requirements by resource follows:

• Resources requiring a CALM policy and scoping policies for AppObject
  • Event Forwarding
  • Event Grouping
  • Integration (non-agent)
  • Profile
  • Report
• Resources requiring only a CALM policy
  • AgentAuthenticationKey
  • AgentConfiguration
  • Alert
  • ALL_GROUPS
  • Connector
  • Database
  • Integration (agent-related)
  • Tag
• Resources requiring only scoping policies for the global resource
  • Calendar
  • Folder
  • GlobalUser
  • GlobalUserGroup
  • iPoz
  • Policy
  • User
  • UserGroup

The following guidelines highlight the differences in the approaches for creating policies, where differences are based on the resources you want to control.

To control access to EventForwarding, EventGrouping, Integration, Profile, and Report

The following approach applies only to policies on the CALM resources, EventGrouping, Integration, Profile, and Report. These application resources require a CALM policy and two scoping policies.

1. Create a CALM policy for one or more application resources such as Report or Integration. Specify one or more application-specific actions that are valid for the specified resources such as create, schedule, or annotate. Add the Identities to which the actions are granted or denied.
2. Create a companion scoping policy on the AppObject resource with both read and write actions. Specify the write action to let the identity edit or delete the resource, but not create it. Specify the read action to let the identity display or view the resource. Create a filter that ties back the AppObject resource to the related application resource. Specify in the filter the EEM folder path that stores the content for the specified resource or is a module for which access is required for the related application resource. Add the same Identities to this policy that you added to the related CALM policy.
3. Create a second companion scoping policy on the AppObject resource with the read action. Specify the read action to let the identity display or view the resource. Create a filter that ties back the AppObject resource to the related application resource. Specify in the filter the EEM folder path that stores the content for the specified resource or is a module for which access is required for the related application resource. Add lower-privileged users or user groups as Identities to this policy.

To control access to Alert, Database, Tag, and agent-related resources

The following approach applies to application resources that require only a CALM policy to grant or restrict access.

• Create a CALM access policy for a resource such as Connector or Tag. Specify the edit action to let the identity create, edit, and delete the resource and take any other valid action. Add the Identities to which this action is granted or denied.

  Note: Access to agent-related resources makes available the buttons from the Agent Explorer folder or its subfolders on the Log Collection subtab of the Administration tab. Access to the Alert resource lets the Identity access the Alerts tab. Access to the Tag resource lets the identity create a Tag for a custom query or report. Access to Database lets the Identity run an archive query.

To control access to global resources used in the CAELM application

The following approach applies to global resources, which require only a scoping policy to limit access.

1. Create a scoping policy for one or more global resources such as User or Policy. Specify the write action to let the identity create, edit, or delete the resource. Add the Identities to which this action is granted or denied.
2. Create a scoping policy for one or more global resources such as User or Policy. Specify the read action to let the identity view the global resource. Add the Identities to which this action is granted or denied.

   Note: Global resources are available with buttons on the User and Access Management subtab of the Administration tab.

More information:

CALM Access Policy Types

Resources and Actions

CALM Resources and EEM Folders

Global Resources and CA EEM Functionality

Create a CALM Access Policy