
Policy

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

A Data Governance Server authorization policy specification. A Policy is not activated until it is added to a Policy Set.


Relations from This Component

The following components have a direct composition relation from Policies:

Relations to This Component

The following components have a direct aggregation relation to Policies:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
↓ description

Advanced Properties:
↓ combining-algorithm
↓ target-request

Basic Properties

description

Description
A description for this Policy
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

combining-algorithm (Advanced Property)

Description
The rule combining algorithm for the rules contained within this Policy.
Default Value
deny-overrides
Allowed Values
deny-overrides - This combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. If any constituent rule returns a deny decision, then the overall result will be to deny.

ordered-deny-overrides - This combining algorithm is identical to deny-overrides, with the exception that rules are evaluated in the order specified by the policy.

permit-overrides - This combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. If any constituent rule returns a permit decision, then the overall result will be to permit.

ordered-permit-overrides - This combining algorithm is identical to permit-overrides, with the exception that rules are evaluated in the order specified by the policy.

deny-unless-permit - This combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an "Indeterminate" or "NotApplicable" must never be the result.

permit-unless-deny - This combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an "Indeterminate" or "NotApplicable" must never be the result.

first-applicable - When this combining algorithm is selected each rule in the policy is evaluated in order. Evaluation stops the first time a rule returns a value of either "Permit" or "Deny", and the result of that rule becomes the result of the policy.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
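
The following is an added example, not code from the product or its documentation: a small model of the combining-algorithm values listed above, showing how the same rule results combine differently under each one. It assumes XACML 3.0-style semantics with a single collapsed "Indeterminate" value; the names combine and compare and the sample rule results are constructed for illustration.

```python
# Added example: the combining-algorithm values on this page, as a simplified model.
# Assumption: every rule yields one of four decisions, and XACML 3.0's extended
# Indeterminate{D}/{P}/{DP} values are collapsed into one INDETERMINATE.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


def _overrides(decisions, winner, loser):
    """deny-overrides when winner is DENY, permit-overrides when it is PERMIT."""
    if winner in decisions:
        return winner
    if INDETERMINATE in decisions:  # the failed rule might have produced the winner
        return INDETERMINATE
    return loser if loser in decisions else NOT_APPLICABLE


def _first_applicable(decisions):
    # Assumption: an Indeterminate rule also halts evaluation, as in XACML 3.0;
    # the page itself only mentions stopping on Permit or Deny.
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


ALGORITHMS = {
    "deny-overrides": lambda ds: _overrides(ds, DENY, PERMIT),
    "ordered-deny-overrides": lambda ds: _overrides(ds, DENY, PERMIT),
    "permit-overrides": lambda ds: _overrides(ds, PERMIT, DENY),
    "ordered-permit-overrides": lambda ds: _overrides(ds, PERMIT, DENY),
    "deny-unless-permit": lambda ds: PERMIT if PERMIT in ds else DENY,
    "permit-unless-deny": lambda ds: DENY if DENY in ds else PERMIT,
    "first-applicable": _first_applicable,
}


def combine(algorithm, decisions):
    """Combine rule decisions (given in policy order) under one algorithm."""
    return ALGORITHMS[algorithm](list(decisions))


def compare(decisions):
    """Return {algorithm: combined decision} for one list of rule results."""
    return {name: combine(name, decisions) for name in ALGORITHMS}


if __name__ == "__main__":
    # Constructed rule results: a conflict, no matching rule, and a rule error.
    for ds in ([PERMIT, DENY], [NOT_APPLICABLE], [INDETERMINATE, PERMIT]):
        print(ds, compare(ds))
```

When no rule applies, permit-unless-deny resolves to Permit and deny-unless-permit resolves to Deny, so the choice between them decides whether an unmatched request fails open or closed. In this model the ordered variants return the same decision as their unordered counterparts, because ordering only affects which rules are evaluated first.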

target-request (Advanced Property)

Description
An optional boolean JEXL expression that will serve as a filter on the incoming authorization request to determine whether this policy should be applied when authorizing the request. A target filter specified here is applied in addition to the target defined by the containing policy set. For example, the JEXL expression 'action.action_id == "retrieve"' indicates that this policy should be executed only for requests to retrieve SCIM resources.
Default Value
If no target is specified then the policy will inherit the target of its containing policy set.
Allowed Values
application/jexl
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Policies:

dsconfig list-policies
     [--property {propertyName}] ...

To view the configuration for an existing Policy:

dsconfig get-policy-prop
     --policy-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Policy:

dsconfig set-policy-prop
     --policy-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Policy:

dsconfig create-policy
     --policy-name {name}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Policy:

dsconfig delete-policy
     --policy-name {name}