Step 1: Plan the Role and Policies to Create

Administration Guide › Custom Roles and Policies › Restricting Access for a Role: PCI-Analyst Scenario › Step 1: Plan the Role and Policies to Create

Step 1: Plan the Role and Policies to Create

Suppose you want to create a role similar to Analysts, but restrict access to PCI-related reports and queries. Plan a name for the role that describes its function, for example, PCI-Analyst.

Before you begin creating new roles, or application user groups, consider the policies that are required to support the new role. It is a good practice to identify the existing policies that are candidates for use as templates. Under Identities, look for the role that is similar to the one you are planning.

In this example scenario, that role is ug:Analyst. Under Search Policies, check Show policies matching identity, enter the identity, ug:Analyst, and click Go. The policies displayed include those for All Identities and those where ug:Analyst is explicitly named under Identities.

The example policies are all the policies in which the user group Analyst is listed as an identity.

The policy names that include this role follow:

Under Scoping, CALM Application Access
Under Scoping, Analyst Auditor Report Server Access Policy
Under Scoping, Analyst Report View-Edit Policy
Under CALM, Analyst Create-Schedule-Annotate policy

For each of the candidate policies, examine the definition and determine which of the following actions to take:

Add the new role as an identity to which this policy applies. This is the best choice if the policy applies to the new role without change.
This action is appropriate for the following policies in this example:
- CALM Application Access, which defines all identities who can access CA User Activity Reporting Module.
- Analyst Auditor Report Server Access Policy, which defined all identities who can schedule reports and alerts against all available report servers. This role requires no limitation on report servers.
- Analyst Create-Schedule-Annotate policy
Save the policy as a new name and modify its definition.
This action is appropriate for the following policy in this example, where the new copy would include only the new identity and would have an additional filter to limit the read/write access to reports tagged PCI:
- Analyst Report View-Edit Policy