Security Policy Permissions

Permission Levels

Policy-based security supports cluster-level and policy-level permissions.

Permission Codes

Cluster-level and security policy-level permission codes that are set through ACLs grant security policy access to administrators. An administrator (with cluster-level a (admin) and cp (create security policy) permissions) that creates a security policy has full control over the security policy unless they specifically grant other administrators access to the security policy through policy-level permissions.

The following sections describe the cluster-level and policy-level permission codes for security policy access:

Cluster-Level Permission Codes

The following table lists some cluster-level permission codes and how they relate to security policies.

Cluster-level permission code	Description
a (admin)	Grants administrative access to cluster ACLs. Can grant create security policy (cp) permission to themselves or other administrators. Cannot view or edit the details of any security policy created by other admins. Can only view the security policy ID and name. Needs security policy-level permissions to view or edit security policies created by other admins.
cp (create security policy)	ATTENTION Administrators need this permission to create security policies. Administrators with a (admin) cluster-level permission can grant cp permission to themselves or other administrators. Administrators can view and edit all parts of the security policies they create, including the ACEs and permissions on the security policies. Grants the administrator that creates a security policy the following security policy-level permissions on the security policy: Full Control (fc) Admin (a) Read (r) Administrators who create security policies can override their access to the security policies by designating policy owners who can then manage the security policies.
fc (full control)	Grants full control over the cluster and enables all cluster-level administrative options. Cannot change the cluster-level ACLs. Can view all security policies. Cannot create security policies. Cannot edit the details of any security policy unless specifically granted access to a security through policy-level permissions.

Policy-Level Permission Codes

Separate read (r) and edit (fc) permissions for policy owners allow some policy owners to view policy information while others can edit policy information. This allows most administrators to administer the system without seeing the data and also prevents some policy owners from adding their credentials to the administrative ACLs to manipulate the data access ACEs.

Policy-level permissions are set on a per-policy basis. Permissions set on one security policy do not apply to other security policies.

The following table lists the policy-level permission codes needed to perform actions on security policies.

Policy-level permission code	Description
a (admin)	Can view and modify permissions on the security policy. Cannot view or modify the security policy; can only view the security policy name and ID.
fc (full control)	Can view and edit any part of the security policy, including the data access ACEs. Cannot view or modify permissions on the security policy.
r (read)	Can view all parts of a security policy, but cannot modify any part of the security policy.

Permissions Table

The following table lists the cluster-level and policy-level permissions needed to perform specific actions on security policies:

NOTE

Administrators who create a security policy have policy-level r, a, and fc permission on the security policy.

Action	Cluster-Level	Policy-Level
Create a security policy	cp	--
View details of all security policies	fc	--
View details of a security policy	--	r
View and edit permissions on a security policy (ACLs)	--	a
View and edit the details of a security policy (ACEs, auditing, wire-level encryption)	--	fc