Administering Security Policies

Add, edit, delete, and manage state of security policies.

A security policy is an access control mechanism that can be applied to data objects on a fabric. Once a security policy is applied, it governs how a user can access data objects on the volume to which the security policy is applied.

A security policy can be associated with a volume.

TIP

A security policy is an access control mechanism for data stored on Data Fabric volumes, while a bucket policy is an access control mechanism applied to objects in an S3 object store associated with Data Fabric.

Security Policy Life Cycle

The state of a security policy is interpreted as a combination of two parameters:

allow tagging
access control

The following table explains the various values of the allow tagging and access control parameters.

Parameter	Accepted Values and Description	Default value
allow tagging	false Disables tagging; users cannot apply the security policy to data objects. This is the default setting when the fabric manager creates a security policy. The fabric manager can specify the setting explicitly when creating the security policy. When a security policy is active (allow tagging=true) but needs to be deprecated, modify the policy and set allow tagging=false. This prevents users from tagging any other data objects with the policy. Note that the system continues to enforce the security controls set in the security policy for data objects that were already tagged with the security policy. true Enables tagging; users can apply the security policy to data objects. When creating or modifying a security policy, a fabric manager can set allowtagging to true. When creating a security policy, as a fabric manager, you may want to set this parameter to true to test the security settings in the policy or to use tagging tools to discover data content and tag the data. To enable a deprecated security policy, set allow tagging to true.	false
access control	Disarmed Unless the fabric manager changes the setting when creating the security policy, this is the default setting if the fabric manager creates a security policy. The system does not enforce the access permissions set in the security policy during data operations on the data objects tagged with the security policy. Armed The system enforces the permissions set in the security policy during data operations on the data objects tagged with the security policy. When creating or modifying a security policy, as a fabric manager, you can set access control to Armed. To enforce access permissions set in a deprecated security policy, the fabric manager can set access control to Armed. The system continues to enforce access permissions set in the security policy for all data operations on the data objects tagged with the policy. Denied Denies all access to data objects tagged with the security policy.	Disarmed

Parameter

Accepted Values and Description

Default value

allow tagging

false

Disables tagging; users cannot apply the security policy to data objects.
This is the default setting when the fabric manager creates a security policy. The fabric manager can specify the setting explicitly when creating the security policy.
When a security policy is active (allow tagging=true) but needs to be deprecated, modify the policy and set allow tagging=false. This prevents users from tagging any other data objects with the policy. Note that the system continues to enforce the security controls set in the security policy for data objects that were already tagged with the security policy.

true

Enables tagging; users can apply the security policy to data objects.
When creating or modifying a security policy, a fabric manager can set allowtagging to true.
When creating a security policy, as a fabric manager, you may want to set this parameter to true to test the security settings in the policy or to use tagging tools to discover data content and tag the data.
To enable a deprecated security policy, set allow tagging to true.

false

access control

Disarmed

Unless the fabric manager changes the setting when creating the security policy, this is the default setting if the fabric manager creates a security policy.
The system does not enforce the access permissions set in the security policy during data operations on the data objects tagged with the security policy.

Armed

The system enforces the permissions set in the security policy during data operations on the data objects tagged with the security policy.
When creating or modifying a security policy, as a fabric manager, you can set access control to Armed.
To enforce access permissions set in a deprecated security policy, the fabric manager can set access control to Armed. The system continues to enforce access permissions set in the security policy for all data operations on the data objects tagged with the policy.

Denied

Denies all access to data objects tagged with the security policy.

Disarmed

You can change the state of a security policy through the allow tagging and access control parameters to move a security policy through a life cycle, as shown in the following image where the security policy moves from new to retired.

The following table describes each of the stages in the security policy life cycle:

Stage	Description
new (default)	Default upon security policy creation. Users cannot tag data objects with the security policy. The system does not enforce access permissions set in the security policy
in use	Users can tag data objects with the security policy. The system enforces all security controls set in the security policy during data operations on data objects tagged with the security policy. Security controls set in the policy can include access permissions, auditing, and wire-level encryption.
deprecated	Users can no longer tag the security policy to data objects. The system still enforces the security controls set in the security policy for all data operations on the data objects tagged with the policy. Users cannot tag any additional data objects with the policy.
retired	Users cannot tag the security policy to data objects. All data operations on the data objects tagged with the security policy are denied by the system.

HPE Ezmeral Data Fabric 7.9 Documentation
Abstract	This site or PDF file contains documentation for the as-a-service platform, HPE Ezmeral Data Fabric version 7.9, including installation, configuration, administration, and reference content.
Published	August 2025
Edition	7.9.0
Topic last updated	2024-08-23