Testing access control policy changes

Each time you create or modify an access control policy, we must perform certain tests to verify that the policy is working correctly.


Procedure

  1. For each policy that you have created or modified, ensure the following:

    • A user that belongs to the policy's access group is able to take the specified actions on the specified resources. If you have removed authorization to perform an action, you should also test to make sure that the user can no longer perform the action.

    • A user that does not belong to the policy's access group is unable to take the specified actions on the specified resources.

  2. Once you have finished testing all your new and changed policies that are currently in the database, it is a good idea to extract that information into XML files. These files have the same format as the initial access control policy related files: defaultAccessControlPolices.xml, defaultAccessControlPolicies_locale.xml, and ACUserGroup_locale.xml. This step is necessary because changes made using the Organization Administration Console affect only the policy information stored in the database. The XML files that were used to load the default access control policies and their components during instance creation, are not updated automatically. See Extracting policy and access group definitions.


What to do next

After a new policy has been created, the new policy must be assigned into a policy group before it comes into effect. You should assign the new policy to the group that serves the purpose of the policy. For more information about the policy group names, see Default access control policy groups.