HP 3PAR Policy Server Administrator's Guide (QR483-96003, December 2012)

Inheritance and Permissions
Any permission set in the Global group is inherited by its child asset groups. Within a child group’s policy
you can override a permission set in the parent group as long as that permission is not locked in the parent
group’s policy. For example, assume an Execute action permission defined in the Global policy specifies
that an asset can execute any application without asking for approval. If the child group contains sensitive
assets, you can override this permission within the child group’s policy to specify that an asset needs to ask
for approval before running any application. This overridden permission is then inherited by that group’s
child groups.
Note: Notification settings can also be set for each asset group or, if not set for a child
group, are inherited from the parent asset group. For example, suppose you configure notification settings
for the Global group; any child groups of that Global group will use the same notification settings. As
with permissions, you can override notification settings for a child asset group; you can even configure
unique notification settings for each asset group managed by the Policy Server. Unlike permissions,
notification settings cannot be locked.
Applying Filters
Applying filters to permissions provides more control over actions. Filters allow you to:
- Maintain a static list of permissions, each with a default access right.
- Restrict an action to certain users at certain times (by using expressions and Time Windows in filters).
- Restrict an action to a particular HP 3PAR Enterprise Server (expression).
- Create a time window (for example, called "Maintenance Window") to allow or ask for approval when users access the asset during the Maintenance Window, and deny at any other time.
- Set up a complex set of allow, ask, deny rules by assigning filters in the order in which you want them applied.
In general, a filter is a set of restrictions for a permission. You can create a filter and assign it to one or more
permissions in the same policy or in different policies. You must have the Add/Edit privilege to the Policy
component of the application to create, edit, delete, or assign filters to permissions.
Each permission has a default filter that cannot be removed. Displayed in the Access Right column of the
Policy table, the default filter is an access right that can be set to Always Allow, Ask for Permission, or
Never Allow. A default filter has no name, expression, or time window. If the permission has multiple
filters, the default filter is always the last one in the list. When an Agent gateway or Policy Agent evaluates
the filters for a permission, if no user-defined filter in the list is a match, then the Agent evaluates the default
filter, which always matches.
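
The evaluation order described above, as an added example (a simplified Python model, not HP's code or the Policy Server's own API). It assumes the first matching filter decides the access right, models an expression as a Python predicate, and uses a constructed "Maintenance Window" of 01:00-03:00 and constructed user names.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Optional

ALLOW, ASK, DENY = "Always Allow", "Ask for Permission", "Never Allow"

@dataclass
class Filter:
    access: str                                           # access right applied on a match
    expression: Optional[Callable[[dict], bool]] = None   # None = no expression
    window: Optional[tuple] = None                        # (start, end) time of day; None = any time

    def matches(self, request: dict) -> bool:
        if self.expression is not None and not self.expression(request):
            return False
        if self.window is not None:
            start, end = self.window      # assumption: window does not cross midnight
            if not (start <= request["time"] < end):
                return False
        return True                       # no expression and no window: always matches

def evaluate(user_filters, default_access, request):
    """Walk the filters in assigned order; the unnamed default filter is always last."""
    for f in list(user_filters) + [Filter(default_access)]:
        if f.matches(request):
            return f.access               # assumption: first match wins
    raise AssertionError("unreachable: the default filter always matches")

# Constructed sample policy: deny one user outright, ask for approval during
# the Maintenance Window, and fall through to a default of Never Allow.
MAINTENANCE_WINDOW = (time(1, 0), time(3, 0))
FILTERS = [
    Filter(DENY, expression=lambda r: r["user"] == "contractor"),
    Filter(ASK, window=MAINTENANCE_WINDOW),
]

def decide(user, at, filters=FILTERS, default=DENY):
    return evaluate(filters, default, {"user": user, "time": at})

if __name__ == "__main__":
    for user, at in [("admin", time(2, 0)), ("admin", time(12, 0)), ("contractor", time(2, 0))]:
        print(user, at, "->", decide(user, at))
    print("reversed order:", decide("contractor", time(2, 0), filters=FILTERS[::-1]))
```

Reversing the two user-defined filters changes the contractor's result inside the window from Never Allow to Ask for Permission, so review the filter order whenever a filter is added to a permission.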