Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
A Policy Set aggregates a set of Policies or child Policy Sets to be targeted for a particular type of authorization request.
A Policy Set may contain a combination of Policies and Policy Sets. However, if the combining algorithm of this Policy Set requires a specific evaluation order of the member policy objects, then you must limit the members to be either Policies or Policy Sets, but not both, because there is no defined ordering across child Policies and child Policy Sets. One way to work around this restriction, if needed, is to wrap each child Policy in its own Policy Set so that every member is a Policy Set.
The following components have a direct aggregation relation from Policy Sets:
The following components have a direct aggregation relation to Policy Sets:
The properties supported by this managed object are as follows:
Basic Properties | Advanced Properties
---|---
description | combining-algorithm
target-request |
policy |
policy-set |
enabled |
description
Description | A description for this Policy Set |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
target-request
Description | A boolean JEXL expression that serves as a filter on the incoming authorization request and determines whether the Policies referenced by this Policy Set are applied when authorizing the request. For example, the JEXL expression 'action.action_id == "retrieve"' indicates that these policies apply to requests to retrieve SCIM resources. |
Default Value | If no target request is specified, the Policies in this Policy Set are applied to every authorization request. This is not recommended for production environments. |
Allowed Values | application/jexl |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
policy
Description | Specifies the set of Policies that are evaluated for this Policy Set. |
Default Value | If no Policies or Policy Sets are specified, the result of evaluating the Policy Set is determined solely by the Policy Set's combining algorithm. |
Allowed Values | The DN of any Policy. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
policy-set
Description | Specifies the set of Policy Sets that are evaluated for this Policy Set. |
Default Value | If no Policies or Policy Sets are specified, the result of evaluating the Policy Set is determined solely by the Policy Set's combining algorithm. |
Allowed Values | The DN of any Policy Set. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether the Policy Set is enabled. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
combining-algorithm (Advanced Property)
Description | The policy combining algorithm for the Policies listed in this Policy Set. |
Default Value | deny-overrides |
Allowed Values |
deny-overrides - This combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. If any constituent policy returns a deny decision, then the overall result will be to deny.
ordered-deny-overrides - This combining algorithm is identical to deny-overrides, except that policies are evaluated in the order specified by the policy set.
permit-overrides - This combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. If any constituent policy returns a permit decision, then the overall result will be to permit.
ordered-permit-overrides - This combining algorithm is identical to permit-overrides, except that policies are evaluated in the order specified by the policy set.
deny-unless-permit - This combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an "Indeterminate" or "NotApplicable" must never be the result.
permit-unless-deny - This combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an "Indeterminate" or "NotApplicable" must never be the result.
first-applicable - Selecting this combining algorithm causes each policy in the policy set to be evaluated in order. Evaluation stops the first time a policy returns a value of either "Permit" or "Deny", and the result of that policy becomes the result of the policy set.
only-one-applicable - This combining algorithm requires that only one policy in the policy set be applicable, i.e. return either "Permit" or "Deny", and that the remaining policies return "NotApplicable". The result of the policy set is the result of the one applicable policy. If more than one policy is applicable, the result of the policy set will be "Indeterminate". |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
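The following model of the combining algorithms above is an added example, not code from PingAuthorize or this reference page. It exists to make two consequences of the text concrete: the policy and policy-set properties say that an empty Policy Set's result is decided by the combining algorithm alone, so an empty (or fully non-matching) permit-unless-deny set permits every request its target-request selects, while deny-unless-permit denies it; and first-applicable is the one algorithm whose result depends on member order. Policies are modelled as plain callables from a request dict to a decision, the target-request filter as a Python predicate standing in for the JEXL expression, and the handling of "Indeterminate" where the page is silent (a failing member under first-applicable or only-one-applicable) follows the XACML 3.0 rules, which is an assumption. The sample policies and request values are constructed for the demonstration.

```python
"""Model of Policy Set combining algorithms (added example, not PingAuthorize code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple, Union


class Decision(str, Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


P, D, NA, IND = Decision.PERMIT, Decision.DENY, Decision.NOT_APPLICABLE, Decision.INDETERMINATE
Request = Dict[str, str]
Policy = Callable[[Request], Decision]  # stands in for a real Policy (assumption)


def deny_overrides(ds: List[Decision]) -> Decision:
    # Any Deny wins; a failed member (Indeterminate) blocks a Permit; no members -> NotApplicable.
    if D in ds:
        return D
    if IND in ds:
        return IND
    return P if P in ds else NA


def permit_overrides(ds: List[Decision]) -> Decision:
    if P in ds:
        return P
    if IND in ds:
        return IND
    return D if D in ds else NA


def deny_unless_permit(ds: List[Decision]) -> Decision:
    # Fail closed: anything other than an explicit Permit, including an empty set, is Deny.
    return P if P in ds else D


def permit_unless_deny(ds: List[Decision]) -> Decision:
    # Fail open: anything other than an explicit Deny, including an empty set, is Permit.
    return D if D in ds else P


def first_applicable(ds: List[Decision]) -> Decision:
    # Order-dependent: the first Permit or Deny wins. An Indeterminate met before that
    # point is returned as-is (XACML behaviour; the page does not spell this case out).
    for d in ds:
        if d in (P, D, IND):
            return d
    return NA


def only_one_applicable(ds: List[Decision]) -> Decision:
    if IND in ds:
        return IND
    applicable = [d for d in ds if d in (P, D)]
    if len(applicable) > 1:
        return IND
    return applicable[0] if applicable else NA


# The ordered-* variants combine identically; they only pin the evaluation order,
# which the unordered versions do not guarantee.
ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "ordered-deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "ordered-permit-overrides": permit_overrides,
    "deny-unless-permit": deny_unless_permit,
    "permit-unless-deny": permit_unless_deny,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}


@dataclass
class PolicySet:
    combining_algorithm: str = "deny-overrides"
    target_request: Optional[Callable[[Request], bool]] = None  # stands in for the JEXL filter
    members: List[Union[Policy, "PolicySet"]] = field(default_factory=list)

    def evaluate(self, request: Request) -> Decision:
        # A non-matching target-request makes the whole set NotApplicable to this request.
        if self.target_request is not None and not self.target_request(request):
            return NA
        decisions = [m.evaluate(request) if isinstance(m, PolicySet) else m(request)
                     for m in self.members]
        return ALGORITHMS[self.combining_algorithm](decisions)


# Constructed sample policies.
def permit_retrieve(req: Request) -> Decision:
    return P if req.get("action_id") == "retrieve" else NA


def deny_guests(req: Request) -> Decision:
    return D if req.get("role") == "guest" else NA


def empty_set_results(request: Request) -> Dict[str, Decision]:
    """Result of a Policy Set with no members, per algorithm (the policy/policy-set defaults)."""
    return {name: PolicySet(name).evaluate(request) for name in ALGORITHMS}


def first_applicable_is_order_dependent(request: Request) -> Tuple[Decision, Decision]:
    forward = PolicySet("first-applicable", members=[permit_retrieve, deny_guests]).evaluate(request)
    reverse = PolicySet("first-applicable", members=[deny_guests, permit_retrieve]).evaluate(request)
    return forward, reverse


if __name__ == "__main__":
    guest_read = {"action_id": "retrieve", "role": "guest"}  # constructed request
    print(empty_set_results(guest_read))
    print(first_applicable_is_order_dependent(guest_read))
```

Running the block with the constructed guest request shows permit-unless-deny and deny-unless-permit disagreeing on the empty set, and first-applicable returning Permit with one member order and Deny with the other; the same guest request under deny-overrides with both sample policies as members is denied regardless of order.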
To list the configured Policy Sets:
dsconfig list-policy-sets [--property {propertyName}] ...
To view the configuration for an existing Policy Set:
dsconfig get-policy-set-prop --set-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Policy Set:
dsconfig set-policy-set-prop --set-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Policy Set:
dsconfig create-policy-set --set-name {name} --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Policy Set:
dsconfig delete-policy-set --set-name {name}