Creating a new role-based access control policy

To create a new role-based policy for a new role, we can use the Organizational Administration Console for some subtasks, however, you need to load some of the changes manually through the use of access control policy XML files. The Organization Administration Console allows you to make simple changes to access control policies and their parts. To make more sophisticated changes, you need to edit the XML files directly, and then load them into the database.

Procedure

1. Use the Organizational Administration Console to create an access group for the new role.

2. Use the Organizational Administration Console to create a resource group and assign commands that this role can execute.

3. Use the Organizational Administration Console to create an access control policy with the following parameters:

   1. Specify the new access group created in step 1 as the User Group.

   2. Specify "ExecuteCommandActionGroup" as the Action Group.

   3. Specify the new resource group created in step 2 as the Resource Group.

4. Manually, create an access control XML file for our policy and associate the new policy to a policy group as described in Associating policies with policy groups.

5. Manually, update the XML file created in step 4 to modify the resource-level access control of for the policy as described in Modifying the resource-level access control of an existing policy.

6. After completing the changes to your policy, load the policy into the database.

• Viewing access control policies
  We must have Site Administrator authority to view policies.

• Viewing parent access control policies
  At a given level in the membership hierarchy, the policies that are owned by ancestor organizations are often worth noting. Although any policy belonging to a policy group can be applied to an organization through policy group subscription, it is often the case that policies owned by ancestor organizations are more general in nature and may be worth viewing. We must have Site Administrator authority to view parent policies.

• Creating an access control policy
  We must have Site Administrator authority to create an access control policy.

• Updating access control policies
  Only the Site Administrator can update an access control policy. Note that the access control policy name is a unique field, and duplicate policy names cannot exist in the database. So when the user tries to modify a default access control policy using the Organization Administration Console, the system expects a new name for the new non-default policy that is going to be created. So if the user does not specify a new name, the new non-default policy is not created and the user gets a message to provide a new name for the policy.

• Deleting policies
  We must have Site Administrator authority to delete access control policies.

• Selecting a user group
  We must have Site Administrator authority to select user groups. When creating or updating policies you need to select user groups.