Define and apply security policy
We can protect system resources by defining a security policy. You define a security policy with access control lists (ACLs), protected object policies (POPs), and authorization rules. You apply the security policy to the object representations of those resources in the object space.
We can apply ACLs, POPs, and authorization rules to the same object. You define this policy with the Web Portal Manager, the pdadmin command-line interface, or the administration API.
The authorization service makes authorization decisions based on the policies applied to these objects. When a requested operation on a protected object is permitted, the resource manager responsible for the resource implements this operation.
One policy can dictate the protection parameters of many objects. Any change to the security policy affects all objects to which the policy is attached.
- Explicit and inherited policies
  A security policy can be explicitly applied or inherited. The administrator needs to apply explicit policies only at the points in the hierarchy where the rules must change.
- Access control lists
  An access control list (ACL) policy is a set of actions, controls, or permissions. The ACL policy specifies the necessary conditions for a user or group to perform operations on a resource.
- Protected object policies
  Protected object policies (POPs) contain additional conditions that must be met before granting access to a user or group.
- Authorization rules
  Define authorization rules to specify additional conditions that must be met before granting access to a resource.
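The following Python sketch is an added example, not product code or anything from the original page. It models explicit and inherited ACL attachment in a hierarchical object space and shows how one change to a shared policy reaches every object it governs. The object paths, ACL names, groups and function names are all constructed for illustration, and POPs and authorization rules are not modeled.

```python
# Simplified model (an assumption for illustration, not product code): an ACL
# explicitly attached to a path is inherited by every descendant until another
# explicit attachment lower in the hierarchy overrides it.

ACLS = {  # named ACL policies: group -> permitted actions (constructed sample)
    "default-acl": {"staff": {"read"}},
    "payroll-acl": {"hr": {"read", "modify"}},
}
ATTACHED = {  # explicit attachment points only (constructed sample object space)
    "/": "default-acl",
    "/apps/payroll": "payroll-acl",
}

def effective_acl(path, attached=ATTACHED):
    """Return (acl_name, attachment_point, 'explicit' or 'inherited')."""
    node = path.rstrip("/") or "/"
    origin = node
    while True:
        if node in attached:
            kind = "explicit" if node == origin else "inherited"
            return attached[node], node, kind
        if node == "/":
            raise LookupError("no policy attached at the root")
        node = node.rsplit("/", 1)[0] or "/"  # step up to the parent object

def permitted(group, action, path):
    """ACL-only decision: is the action in the group's entry of the effective ACL?"""
    name, _, _ = effective_acl(path)
    return action in ACLS[name].get(group, set())

def objects_governed_by(acl_name, paths):
    """Change-impact check: which objects would a change to acl_name affect?"""
    return [p for p in paths if effective_acl(p)[0] == acl_name]

if __name__ == "__main__":
    objects = ["/apps", "/apps/wiki/page1", "/apps/payroll", "/apps/payroll/2024/jan"]
    for obj in objects:
        print(obj, effective_acl(obj))
    print("affected by payroll-acl:", objects_governed_by("payroll-acl", objects))
    # One edit to the shared policy changes the decision for every governed object.
    ACLS["payroll-acl"]["hr"].discard("modify")
    print([permitted("hr", "modify", o) for o in objects])
```

Running `objects_governed_by` before editing a policy is the model's equivalent of reviewing where a policy is attached before changing it.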