Policy-Based Security Quick Reference
This quick reference provides tips and maprcli commands for the most common tasks related to Policy-Based Security.
Task | Commands |
---|---|
Enable PBS (Required for upgrades from pre-6.2.0 versions of data-fabric) | If upgrading from a data-fabric version that does not support extended attributes, enable extended attributes before you enable PBS:<br>Enable PBS:<br>Related documentation: |
Designate a master security policy cluster (Required to create and modify security policies) | You must designate a master security policy cluster to set the security policy global namespace. This is the cluster on which you create and modify security policies. You can also designate member clusters. Master and member security policies form a security policy domain. The system enforces security policies across the security policy domain.<br>To identify which cluster is master, run: |
Grant an admin `cp` permission (Required to create security policies) | Admins with cluster-level `a` (admin) permission can assign `cp` (create security policy) permission to themselves or other admins.<br>Related documentation: |
Grant admins access to a security policy | Admins with cluster-level `cp` permission can set permissions on a security policy during policy creation. Alternatively, the admin can modify the policy after creation or set security policy-level permissions through policy-level ACLs. Regardless of how or when the admin sets permissions on a security policy, the `-user` or `-group` parameter sets the permissions a user or group has on a security policy. Note that the commands shown do not include all possible parameters for creating and modifying a security policy.<br>Related documentation: |
Create, View, Modify, Remove security policies | Basic commands are listed. For a list of parameters related to each command, refer to the documentation.<br>NOTE: Users cannot apply a security policy to data objects unless the `allowtagging` parameter is set to `true`. The system does not enforce ACEs configured in a security policy unless the `accesscontrol` parameter is set to `Armed`. You can set these parameters when you create or modify a security policy.<br>Create security policy<br>View list of security policies<br>Modify security policies<br>Remove security policies |
Change the state of a security policy | The state of the security policy controls enforcement at the security policy level. The security policy state tells the system if a security policy can be applied to data objects and whether the system should enforce the ACEs set in the security policy. Edit the values of the `-allowtagging` and `-accesscontrol` parameters to change the state of a security policy:<br>Related documentation: |
Display security policy information and permissions | Display information about a security policy:<br>Display cluster-level permissions:<br>Display policy-level permissions:<br>Related documentation: |
Apply security policies to data objects | Apply security policies to Data Fabric File System data objects<br>Apply security policies to Data Fabric Database data objects |
View security policies applied to data objects | Data Fabric File System Data Objects<br>Data Fabric Database Objects |
Enforce security policies | Security policy-level enforcement<br>Volume-level enforcement<br>Cluster-level enforcement<br>Applies to all data operations in the cluster where the cluster is either a member or master security policy cluster. |
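
The policy states described in the "Change the state of a security policy" row can be audited with a small check like the one below. This is an added example, not code from the product documentation: the record layout, the state labels, the sample policy names and the non-Armed value `Disarmed` are assumptions, and only the `allowtagging` and `accesscontrol` parameter names and the `true` and `Armed` values come from the table.

```python
# Added example. Records are constructed by hand; this is NOT maprcli output.
# Keys mirror the -allowtagging / -accesscontrol parameters named in the table.

def _as_bool(value):
    """Accept booleans or the strings 'true'/'false' (any case); else None."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    return {"true": True, "false": False}.get(text)

def classify(policy):
    """Map one policy record to a state label (labels are this example's own)."""
    taggable = _as_bool(policy.get("allowtagging"))
    access = policy.get("accesscontrol")
    if taggable is None or access is None:
        return "unknown"                      # missing or unparsable field
    # Assumption: value comparison is case-insensitive.
    armed = str(access).strip().lower() == "armed"
    if taggable and armed:
        return "enforced"                     # can be applied, ACEs enforced
    if taggable:
        return "taggable-not-enforced"        # applied to data, ACEs ignored
    if armed:
        return "armed-not-taggable"           # enforced, cannot be newly applied
    return "inactive"

def audit(policies):
    """Group policy names by state so unenforced policies stand out."""
    report = {}
    for policy in policies:
        report.setdefault(classify(policy), []).append(policy["name"])
    return report

# Constructed sample records (hypothetical policy names).
SAMPLE = [
    {"name": "pii_strict", "allowtagging": True, "accesscontrol": "Armed"},
    {"name": "hr_draft", "allowtagging": "true", "accesscontrol": "Disarmed"},
    {"name": "legacy_hold", "allowtagging": "false", "accesscontrol": "Armed"},
    {"name": "scratch", "allowtagging": False, "accesscontrol": "Disarmed"},
    {"name": "orphan", "allowtagging": True},  # accesscontrol missing
]

if __name__ == "__main__":
    for state, names in audit(SAMPLE).items():
        print(f"{state}: {', '.join(names)}")
```

The `taggable-not-enforced` group is the one to review first: those policies can be applied to data objects, but their ACEs are not enforced.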