Guidelines for a secure object space
To configure a secure object space, use these guidelines.
- Set high-level security policy on container objects at the top of the object space. Set exceptions to this policy with explicit ACL policies, POPs, and authorization rules on objects that are lower in the hierarchy.
- Arrange your protected object space so that most objects are protected by inherited, rather than explicit, ACL policies, POPs, and authorization rules.
  Reduce the risk of an error that might compromise the network by simplifying the maintenance of your tree. An inherited security policy lowers maintenance because it reduces the number of ACL policies, POPs, and authorization rules that you must maintain.
- Position new objects in the tree where they inherit the appropriate permissions.
  Arrange your object tree into a set of subtrees, where each subtree is governed by a specific access policy. You determine the access policy for an entire subtree by setting explicit ACL policies, POPs, and authorization rules at the root of the subtree.
- Create a core set of ACL policies, POPs, and authorization rules, and reuse these policies wherever necessary.
  Each ACL policy, POP, and authorization rule is a single-source definition. Any modification to the policy affects all objects that are associated with that ACL policy, POP, or authorization rule.
- Control user access through the use of groups.
  It is possible for an ACL policy to consist of only group entries. Individual user entries are not required in the ACL policy when the users can be categorized into groups instead. Authorization rules can also be written to consider any group memberships of an individual rather than the individual specifically. This feature can reduce the complexity of the rule logic considerably.

  Access to an object by individual users can be efficiently controlled by adding users to or removing users from these groups.
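
The following added example, which is not part of the product documentation, models how an object resolves its ACL policy from the nearest explicit attachment above it and flags explicit attachments that only repeat what would be inherited. The object paths, ACL names, and function names are hypothetical, and the sample attachment map is constructed.

```python
# Constructed sample: explicit ACL attachments in a protected object space.
# Object paths and ACL names are hypothetical, not taken from a real system.
ATTACHMENTS = {
    "/": "default-root",                      # high-level policy at the top
    "/WebSEAL/portal": "staff-read",          # policy for a whole subtree
    "/WebSEAL/portal/hr": "hr-only",          # intended exception lower down
    "/WebSEAL/portal/docs": "staff-read",     # repeats the inherited policy
    "/WebSEAL/portal/hr/payroll": "hr-only",  # repeats the inherited policy
}

def ancestors(path):
    """Yield the object itself, then each parent container up to '/'."""
    path = path.rstrip("/") or "/"
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def effective_acl(path, attachments):
    """Return (acl_name, source_object) from the nearest explicit attachment."""
    for node in ancestors(path):
        if node in attachments:
            return attachments[node], node
    raise LookupError("no ACL attached at the root of the object space")

def redundant_attachments(attachments):
    """List explicit attachments equal to what the object would inherit."""
    found = []
    for path, acl in sorted(attachments.items()):
        if path == "/":
            continue
        parent = path.rsplit("/", 1)[0] or "/"
        inherited, _ = effective_acl(parent, attachments)
        if inherited == acl:
            found.append(path)
    return found

if __name__ == "__main__":
    for obj in ("/WebSEAL/portal/docs/guide.html",
                "/WebSEAL/portal/hr/payroll/q1.pdf",
                "/WebSEAL/other"):
        print(obj, "->", effective_acl(obj, ATTACHMENTS))
    print("candidates to detach:", redundant_attachments(ATTACHMENTS))
```

Each path that `redundant_attachments` returns is an explicit attachment that can be reviewed for removal so that the object falls back to the inherited policy.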