Policy

Bound to specific users or groups of users.

Bound to all users.

Individual users can be included in or excluded from the policy.

Users cannot be individually included or excluded.

Uses domain-specific rules and rule groups, domain-specific responses and response groups, and global responses.

Uses only global rules and global responses.

Can use variable expressions.

Cannot use variable expressions.

Response

Used in a domain-specific policies.

Used in global or domain-specific policies.

Can be a member of a domain-specific response group.

Can be a member of a domain-specific response group. Global response groups are not supported.

Can use variables-based attributes.

Cannot use variables-based attributes.

Rule

Used in domain-specific policies.

Used in global policies.

Associated with an agent through a realm.

Associated with a specific agent or agent group. The agent or agent group is specified when the global rule is created.

The resource filter is bound to a specific realm (realm filter plus rule filter).

The resource filter is absolute (that is, not bound to a realm).

Fires only for resources defined within a specific domain.

Fires for resources defined within any domain that has global policy processing enabled.

Can be defined as an access rule or an event rule.

Can be defined as an event rule only (authentication and authorization events).

Can be a member of a domain-specific rule group.

Can be a member of a domain-specific rule group. Global rule groups are not supported.

All

Created by domain administrators in the context of the specific domain.

Created by system administrators at the system level.