Add, edit, delete, and manage state of security policies.
A security policy is an access control mechanism that can be applied to data objects
on a fabric. Once a security policy is applied, it governs how a user can access
data objects on the volume to which the security policy is applied.
A security policy can be associated with a volume.
TIP
A security policy is an access control mechanism for data stored on
Data Fabric volumes, while a bucket policy is an access control mechanism
applied to objects in an S3 object store associated with Data Fabric.
Security Policy Life Cycle
The state of a security policy is interpreted as a combination of two parameters:
- allow tagging
- access control
The following table explains the various values of the allow tagging and access
control parameters.
Parameter |
Accepted Values and Description |
Default value |
allow tagging |
false
- Disables tagging; users cannot apply the security policy
to data objects.
- This is the default setting when the fabric manager
creates a security policy. The fabric manager can
specify the setting explicitly when creating the
security policy.
- When a security policy is active (allow tagging=true)
but needs to be deprecated, modify the policy and set
allow tagging=false. This prevents users from tagging
any other data objects with the policy. Note that the
system continues to enforce the security controls set in
the security policy for data objects that were already
tagged with the security policy.
true
- Enables tagging; users can apply the security policy
to data objects.
- When creating or modifying a security policy, a
fabric manager can set allowtagging to true.
- When creating a security policy, as a fabric
manager, you may want to set this parameter to true
to test the security settings in the policy or to
use tagging tools to discover data content and tag
the data.
- To enable a deprecated security policy, set allow
tagging to true.
|
false |
access control |
Disarmed
- Unless the fabric manager changes the setting when
creating the security policy, this is the default
setting if the fabric manager creates a security
policy.
- The system does not enforce the access permissions set
in the security policy during data operations on the
data objects tagged with the security policy.
Armed
-
The system enforces the permissions set in the
security policy during data operations on the data
objects tagged with the security policy.
-
When creating or modifying a security policy, as a
fabric manager, you can set access control to
Armed.
- To enforce access permissions set in a deprecated
security policy, the fabric manager can set access
control to Armed. The system continues to enforce
access permissions set in the security policy for all
data operations on the data objects tagged with the
policy.
Denied
- Denies all access to data objects tagged with the
security policy.
|
Disarmed |
You can change the state of a security policy through the allow
tagging
and access control
parameters to move a
security policy through a life cycle, as shown in the following image where the
security policy moves from new to retired.
The following table describes each of the stages in the security policy life
cycle:
Stage |
Description |
new (default) |
- Default upon security policy creation.
- Users cannot tag data objects with the security
policy.
- The system does not enforce access permissions set in
the security policy
|
in use |
- Users can tag data objects with the security
policy.
- The system enforces all security controls set in the
security policy during data operations on data objects
tagged with the security policy.
- Security controls set in the policy can include access
permissions, auditing, and wire-level encryption.
|
deprecated |
- Users can no longer tag the security policy to data
objects.
- The system still enforces the security controls set in
the security policy for all data operations on the data
objects tagged with the policy. Users cannot tag any
additional data objects with the policy.
|
retired |
- Users cannot tag the security policy to data
objects.
- All data operations on the data objects tagged with the
security policy are denied by the system.
|