Create a new role-based access control policy
To create a new role-based policy for a new role, you can use the Organization Administration Console for some subtasks, but you must load some of the changes manually through access control policy XML files. The Organization Administration Console allows you to make simple changes to access control policies and their parts.
To make more sophisticated changes, edit the XML files directly, and then load them into the database.
Procedure
1. Use the Organization Administration Console to create an access group for the new role.
2. Use the Organization Administration Console to create a resource group and assign the commands that this role can execute.
3. Use the Organization Administration Console to create an access control policy with the following parameters:
   - New access group created in step 1 as the User Group.
   - Specify "ExecuteCommandActionGroup" as the Action Group.
   - New resource group created in step 2 as the Resource Group.
4. Manually create an access control XML file for the policy and associate the new policy with a policy group as described in Associate policies with policy groups.
5. Manually update the XML file created in step 4 to modify the resource-level access control for the policy as described in Modifying the resource-level access control of an existing policy.
6. After completing the changes to the policy, load the policy into the database.
- View access control policies
You must have Site Administrator authority to view policies.
- View parent access control policies
At a given level in the membership hierarchy, the policies that are owned by ancestor organizations are often worth noting. Although any policy belonging to a policy group can be applied to an organization through policy group subscription, it is often the case that policies owned by ancestor organizations are more general in nature and may be worth viewing. You must have Site Administrator authority to view parent policies.
- Create an access control policy
You must have Site Administrator authority to create a new access control policy.
- Update access control policies
Only the Site Administrator can update an access control policy. The access control policy name is a unique field, so duplicate policy names cannot exist in the database. When the user modifies a default access control policy using the Organization Administration Console, the system therefore expects a new name for the non-default policy that is going to be created. If the user does not specify a new name, the new non-default policy is not created and the user gets a message to provide a new name for the policy.
- Delete policies
You must have Site Administrator authority to delete access control policies.
- Select a user group
You must have Site Administrator authority to select user groups. Select user groups when creating or updating policies.
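
The policy built in step 3 of the procedure and the naming rule under "Update access control policies" can be modeled as follows. This is an added example, not product code: it is a toy in-memory model, all class, group, user and command names are hypothetical, and policy group subscription and resource-level checks are left out.

```python
from dataclasses import dataclass, replace

EXECUTE = "ExecuteCommandActionGroup"  # action group named in step 3

@dataclass(frozen=True)
class Policy:
    name: str
    user_group: str
    action_group: str
    resource_group: str
    is_default: bool = False

class PolicyStore:
    """Toy in-memory stand-in for the policy database (hypothetical)."""
    def __init__(self):
        self.policies = {}         # policy name -> Policy (names are unique)
        self.access_groups = {}    # access group -> set of user IDs
        self.resource_groups = {}  # resource group -> set of command names

    def create(self, policy):
        if policy.name in self.policies:
            raise ValueError(f"duplicate policy name: {policy.name}")
        self.policies[policy.name] = policy

    def update(self, name, new_name=None, **changes):
        current = self.policies[name]
        if current.is_default:
            # Editing a default policy creates a non-default copy under a new name.
            if not new_name or new_name in self.policies:
                raise ValueError("provide a new, unused name for the policy")
            self.policies[new_name] = replace(
                current, name=new_name, is_default=False, **changes)
            return self.policies[new_name]
        self.policies[name] = replace(current, **changes)
        return self.policies[name]

    def can_execute(self, user, command):
        # Default deny: some policy must link the user's group to the command.
        return any(
            p.action_group == EXECUTE
            and user in self.access_groups.get(p.user_group, set())
            and command in self.resource_groups.get(p.resource_group, set())
            for p in self.policies.values())

def demo():
    store = PolicyStore()
    store.access_groups["ReturnsClerks"] = {"alice"}             # step 1
    store.resource_groups["ReturnsCmds"] = {"ReturnApproveCmd"}  # step 2
    store.create(Policy("ReturnsClerksExecuteReturnsCmds",       # step 3
                        "ReturnsClerks", EXECUTE, "ReturnsCmds"))
    return store
```

A user outside the access group, or a command outside the resource group, is denied because no policy ties the two together.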