Why I Love Effective Policies

Novell Cool Solutions: Feature
By Alan Jex

Posted: 4 May 1999
 

A cool Z.E.N.works feature that's near and dear to my heart (because I helped engineer it) is effective policies. Now, I admit I'm not much of a writer (but I'm a darn good programmer, thank you very much), so I've asked the editors at Cool Solutions to help me write this piece. My hope is that it demonstrates the power of effective policies, or at least clears up any misunderstandings.

What Are Effective Policies?
Policy Associations and Inheritance
Creating a Search Policy
Three Flavors of Effective Policies
Effective Policy Scenario
Viewing Effective Policies

What Are Effective Policies?
If you understand effective rights in NDS, then you already understand effective policies in Z.E.N.works. Think of effective policies as the sum of all of the enabled policies in all policy packages associated directly or indirectly to an object. Just as the effective rights in NDS flow down the tree, policy package associations flow down the tree unless there is an explicit association for an object with a policy package. When the system calculates the effective policies for an object, it starts with all policy packages assigned to that object, and then looks up the tree (by default) for associations made to parent containers.

Policy Associations and Inheritance
You can associate policies to the object itself (User or Workstation), to the group the object is a member of (Group or Workstation Group), or to any container specified in the distinguished name of the object up to the root of the tree. A policy associated to an object takes precedence over a policy associated to a group, which takes precedence over a policy associated to a container. This is according to the default search policy.

For example, suppose the Remote Control Policy is not enabled in a User Policy Package associated with the User object. However, the Remote Control Policy is enabled in the User Policy Package associated with the container where User objects reside. The result is that the enabled Remote Control Policy is the effective policy for the user.

Z.E.N.works looks up the tree for effective policies (assuming that the search order starts at the leaf objects and goes up towards the root of the tree). The first enabled policy it finds wins.

Creating a Search Policy
You can create a search policy to modify the default search policy. This limits which objects Z.E.N.works searches. For example, you may not want to use group membership to determine policies. A search policy can also limit how high in the tree Z.E.N.works searches for effective policies. For example, you might want to search only to the root of a partition for performance reasons.

To create a search policy, follow these steps:

1. Create a Container Package.

2. Enable the search policy (which defaults to object, group, and container in that order).

3. Modify the search policy (Remove Group from the Search Order page or Change Search for policies up to Partition).

4. Associate the search policy to the container that you want to affect.

Three Flavors of Effective Policies
Effective policies in Z.E.N.works come in three kinds:

1. Singular policies

2. Plural policies

3. Cumulative policies

Singular policies let you have only one effective policy at one time. The majority of policies offered in Z.E.N.works are singular policies. The first policy found wins. Examples of singular policies include:

3x Computer System
Computer Printer
Desktop Preferences
User System
Dynamic Local User
Help Desk Policy
Novell Client Configuration
RAS Configuration
Remote Control
Restrict Login
Workstation Import

Plural policies let you have multiple policies per Policy Package. Plural policies are rare. A Scheduled Action is the only plural policy in Z.E.N.works.

Cumulative policies are those that allow multiple policies to be effective when multiple policy packages are associated to the object, group, and container. Cumulative policies are more common than plural policies. Examples of cumulative policies include:

95 Computer System
NT Computer System
Scheduled Action

Effective Policy Scenario
This simple scenario illustrates how an effective policy works. At the end of the scenario, your NDS tree should look like this:

Acme(O)
    Acme WinNT User Package (NT User Policy Package)
    IS(OU)
            Fred(User)
            IS WinNT User Package (NT User Policy Package)

To see effective policies in action (using this context) follow these steps:

1. Create an Organization called Acme with an Organizational Unit called IS.

2. Create a user called Fred in the IS container.

3. Open Details on Fred, choose Effective Policies, choose WinNT Platform, and click the Effective Policies button. The dialog box should indicate that no policies are effective.

4. Create a WinNT User Policy Package called "IS WinNT User Package" in the IS container. Enable Workstation Import. Associate the Policy Package to the IS container.

5. Open Details on Fred, choose Effective Policies, choose WinNT Platform and click the Effective Policies button. The dialog box should indicate that this policy is effective:

Workstation Import

6. Create a WinNT User Policy Package called "Acme WinNT User Package" in the Acme container. Enable Remote Control. Associate the Policy Package to the Acme container.

7. Open Details on Fred, choose Effective Policies, choose WinNT Platform and press the Effective Policies button. The dialog box should indicate that these policies are effective:

Workstation Import
Remote Control

8. Open Details on "IS WinNT User Package". Press Add Action. Name the scheduled action "IS Task 1". Click Add Action again. Name the scheduled action "IS Task 2".

9. Open Details on Fred, choose Effective Policies, choose WinNT Platform and click the Effective Policies button. The dialog box should indicate that these policies are effective:

Workstation Import
Remote Control
IS Task 1
IS Task 2

10. Open Details on "Acme WinNT User Package". Click Add Action. Name the scheduled action "Acme Task 1". Click Add Action again. Name the scheduled action "Acme Task 2".

11. Open Details on Fred, choose Effective Policies, choose WinNT Platform, and click the Effective Policies button. The following policies should be effective:

Workstation Import
Remote Control
IS Task 1
IS Task 2
Acme Task 1
Acme Task 2

Note: The same basic scenario applies to the workstation Effective Policies property page using Workstation Policy Packages.
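
A simplified model of the resolution rules described above, covering both the search policy section and the Acme/IS scenario (an added example, not Z.E.N.works code and not from the original article). The function names, the dotted-name format, and the `order` and `max_levels` parameters are assumptions; following the scenario, only scheduled actions accumulate here and every other policy is treated as singular.

```python
# Illustrative model only; names and data layout are assumptions, not Z.E.N.works internals.

def search_path(dn, groups=(), order=("object", "group", "container"), max_levels=None):
    """List the places to check for associated packages, nearest first."""
    parts = dn.split(".")                                  # "Fred.IS.Acme"
    containers = [".".join(parts[i:]) for i in range(1, len(parts))]
    if max_levels is not None:                             # search policy: stop below the root
        containers = containers[:max_levels]
    sources = {"object": [dn], "group": list(groups), "container": containers}
    return [loc for kind in order for loc in sources[kind]]

def effective_policies(dn, associations, groups=(), **search):
    """Return ({singular policy: winning package}, [scheduled actions])."""
    singular, actions = {}, []
    for loc in search_path(dn, groups, **search):
        for pkg in associations.get(loc, []):
            for policy in pkg.get("enabled", []):
                singular.setdefault(policy, pkg["name"])   # first enabled policy found wins
            actions.extend(pkg.get("actions", []))         # scheduled actions accumulate
    return singular, actions

# Constructed data matching the scenario's final tree.
ASSOC = {
    "IS.Acme": [{"name": "IS WinNT User Package",
                 "enabled": ["Workstation Import"],
                 "actions": ["IS Task 1", "IS Task 2"]}],
    "Acme": [{"name": "Acme WinNT User Package",
              "enabled": ["Remote Control"],
              "actions": ["Acme Task 1", "Acme Task 2"]}],
}

if __name__ == "__main__":
    print(effective_policies("Fred.IS.Acme", ASSOC))
    # Search policy limited to one container level: the Acme package is never reached.
    print(effective_policies("Fred.IS.Acme", ASSOC, max_levels=1))
    # Hypothetical group association: it outranks the container unless Group is removed.
    grp = dict(ASSOC, Helpdesk=[{"name": "Helpdesk Package", "enabled": ["Remote Control"]}])
    print(effective_policies("Fred.IS.Acme", grp, groups=["Helpdesk"]))
    print(effective_policies("Fred.IS.Acme", grp, groups=["Helpdesk"],
                             order=("object", "container")))
```

Keeping the winning package name next to each singular policy shows which association to change when a policy such as Remote Control turns out to be inherited from higher in the tree than intended.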

Viewing Effective Policies
You can view the effective policies for a User or Workstation object to verify you have set up policy package associations as you have intended.

To view effective policies for a User object:

1. Highlight the User object, and then choose Details.

2. Click the Effective Policies property page.

3. Choose a platform and choose the Effective Policies button.

The list of effective policies for the selected User object appears. If you need to make changes to a policy in the list, double-click it.

To view effective policies for a Workstation object:

1. Highlight the Workstation object, and then choose Details.

2. Choose the Effective Policies property page, and then choose the Effective Policies button.

The list of effective policies for the selected Workstation object displays. If you need to make changes to a policy in the list, double-click it.

