Policy sets, policies, and rules
The Policy Manager reflects the structure of grouping rules for attribute-based access control (ABAC) with three types of entities and the relationship between them. The entities are policy sets, policies, and rules.
A typical enterprise-level organization might impose hundreds or thousands of conditions and constraints around access control. Such constraints comprise the business rules that define the circumstances under which users access certain protected resource.
You can group these rules together naturally, so that you can understand them without focusing on all of them at the same time. For example, a set of policies around authentication might require a user to authenticate to a certain level before they can access a certain resource. Another set of policies might gather together all of the business rules around accessing the resources of a particular business unit. Yet another set of policies might define the audit processes triggered with each attempt to access a set of restricted resources.
This structure is inherent in the problem domain of resource-access control. The Policy Manager allows you to organize these business rules into a tree structure, with a root policy set that contains policy sets for each business case. The policy sets contain related policies, and each policy contains one or more rules that help define its behavior.
A root policy set is not required, but it is useful for building a deployment package from the entire policy tree. Individual policies often belong to policy sets but can also stand on their own. |