Create a Scoping Policy
You can create a scoping policy on any global resource. Actions on scoping policies are limited to read and write.
- The following global resources are used by many CA products (applications):
  - Calendar
  - GlobalUser
  - GlobalUserGroup
  - iPoz
  - Policy
  - User
  - UserGroup
  - AppObject
- The global resource, AppObject, lets you create scoping policies on application-specific resources and modules. You do this by adding a filter that designates the relevant EEM folder where the application-specific content or module is stored.
- EEM content folders you can use in filters with the AppObject resource include the following:
  - EventGrouping
  - Integration (Server)
  - Profile
  - Report
- CA Enterprise Log Manager module folders you can use in filters with the AppObject resource include the following:
  - Event Log Store
  - Report Server
  - Subscription
You can create a policy from scratch if no existing policy has settings you can reuse. If you are creating a scoping policy associated with a CALM policy you have created, specify the same identities as those in the related CALM policy.
Only Administrators can create, edit, delete, and view access policies.
To create a new explicit grant scoping policy
- Click the Administration tab and the User and Access Management subtab.
- Click Access Policies.
- Click the New Scoping Policy button to the left of the Scoping Policies folder.
- Create a meaningful name for the policy. For example, include the role or roles to which it applies and the tasks that are scoped. View the names of the predefined policies for examples of how this standard can be used.
- Enter a short description that more fully describes what the more cryptic name implies.
- Typically, you will accept SafeObject as the resource class name.
- Select Type in the General panel according to the following criteria:
- If the policy type is access policy or access control list, use the Identities area to select the users or groups to which this policy applies.
  - Select Application Group for Type, click Search Identities, and click Search.
  - Select identities from those available and click the Move button to move them to the Selected Identities box.
- If the policy type is access policy, all actions are selected for all resources by default. To customize this, complete access policy configuration as follows:
  - Select a resource from the Add resource drop-down list and click Add.
    - Select AppObject if the resources to which read or write access is to be configured are CA Enterprise Log Manager-specific resources.
    - Select User and GlobalUser for access to Users buttons on the Administration tab, User and Access Management subtab.
    - Select UserGroup and GlobalUserGroup for access to Groups buttons on the Administration tab, User and Access Management subtab.
    - Select Policy for access to the Access Policies, EEM Folders, and Test Policies buttons on the Administration tab, User and Access Management subtab.
    - Select Calendar for access to the Calendars button on the Administration tab, User and Access Management subtab.
    - Select iPoz for access to the Password Policy and User Store buttons on the Administration tab, User and Access Management subtab.
  - Select read to grant/deny view access; select write to grant/deny edit access. If you select neither, all actions are selected.
    Note: To grant/deny create access, you must define a CALM access policy and select CA Enterprise Log Manager resources individually.
  - Add a generic filter that applies to the selected resources, if needed.
- If the policy type is access control list, complete access control list configuration as follows:
  - Select a resource from the Add resource drop-down list and click the Add (+) button.
  - Select read, write, or both for Actions.
  - Click the Edit Filters button to open the filter form. Create a filter for the associated resource by selecting or entering values for the Left type/value, Operator type/value, and Right type/value.
  - If the filter includes a resource name as a value, select the check box labeled Treat resource names as regular expressions. Otherwise, leave this check box cleared.
    Important! Define one policy for each resource/filters combination.
- If the policy type is identity access control list, complete the identity access control list configuration as follows:
  - For Type, select one of the displayed options. For example, select Application Group, click the Search Identities link, and click the Search button to display the members of the type you selected.
  - Select the identities and click the move button to populate the Selected Identities pane.
  - For each identity selected, specify read or write or both.
    The identity-specific actions apply to all the selected resources. That is, a given identity can view, view and edit, or just edit all of the selected resources.
  - Add the resources to which the identity-specific actions are to be granted or denied.
- Review the check boxes and select any that apply:
  - Select Explicit Deny to change the policy from one that grants access to one that denies access.
  - Select Disabled to inactivate this policy temporarily, if new.
  - Select Pre-Deployment and then select Assign Labels and add the labels if using this policy for testing purposes and you want to categorize the policies with custom labels.
- Click Save and then click Close on the left pane.
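
To review what a planned scoping policy will grant or deny before you save it, the following added example (not part of the product or its documentation) expands a planned policy into individual rows using the rules stated in the procedure above. The `PlannedPolicy` record, the `expand` function, the `*` marker for "all resources", and the Auditor identity are assumptions made for illustration; filters are not modelled.

```python
from dataclasses import dataclass, field

ALL_ACTIONS = frozenset({"read", "write"})  # the only actions scoping policies offer


@dataclass
class PlannedPolicy:  # hypothetical review record, not an EEM object
    name: str
    policy_type: str  # "access policy", "access control list" or "identity access control list"
    identities: dict = field(default_factory=dict)  # identity -> actions (identity ACL only)
    resources: dict = field(default_factory=dict)   # resource -> actions (ACL only)
    policy_actions: tuple = ()                      # access policy only
    explicit_deny: bool = False
    disabled: bool = False


def _checked(actions, allow_empty=False):
    chosen = frozenset(actions)
    if not chosen <= ALL_ACTIONS:
        raise ValueError(f"unsupported actions: {sorted(chosen - ALL_ACTIONS)}")
    if not chosen and not allow_empty:
        raise ValueError("select read, write, or both")
    return chosen or ALL_ACTIONS  # access policy: selecting neither selects all


def expand(p):
    """Return the (effect, identity, resource, action) rows a planned policy implies."""
    if p.disabled:
        return set()  # a disabled policy is inactive
    effect = "deny" if p.explicit_deny else "grant"
    resources = dict(p.resources)
    if p.policy_type == "access policy" and not resources:
        resources = {"*": ()}  # uncustomized access policy covers all resources
    rows = set()
    for ident, ident_actions in p.identities.items():
        for res, res_actions in resources.items():
            if p.policy_type == "access policy":
                acts = _checked(p.policy_actions, allow_empty=True)
            elif p.policy_type == "access control list":
                acts = _checked(res_actions)  # actions are set per resource
            elif p.policy_type == "identity access control list":
                acts = _checked(ident_actions)  # actions apply to every selected resource
            else:
                raise ValueError(f"unknown policy type: {p.policy_type}")
            rows |= {(effect, ident, res, a) for a in acts}
    return rows


# Constructed sample: an access policy saved without customizing resources or actions.
DEFAULT = PlannedPolicy("Auditor-Default", "access policy", identities={"Auditor": ()})
```

Expanding `DEFAULT` yields read and write on `*` for the Auditor identity, which is the case to catch in review when the intent was a narrower scope.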
More information:
Step 3: Create Win-Admin System Access Policy