Articles in this section

Policy screen

Avatar
Global Admin2
  • Updated
Follow

The policy screen lets you view and edit a policy's details.

Action bar

Action Result

View matched instances

Presents an overview of server instances, grouped by environment, that are being made accessible by the policy.

Note: The View matched instances functionality bases itself on the information that is currently present in the policy screen, regardless of whether it has been saved or not. As such, it can be useful to verify which instances will be made accessible while creating or editing the policy.

View matched users

Presents an overview of users that are being granted access by this policy. If the user is being granted access because they belong to one or more selected groups or organizational units, this information can also be displayed by clicking the caret in front of the user name.

Note: The View matched users functionality bases itself on the information that is currently present in the policy screen, regardless of whether it has been saved or not. As such, it can be useful to verify which users will be granted access while creating or editing the policy.

General section

The General section contains general information about the policy.

Label Description

Name

The policy's canonical name

Note: The policy's name cannot be changed after the policy has been created.

Display name

The policy's display name

This is the name that will be used throughout the application to refer to the policy.

Description

A description of the policy

This description will also be displayed in the left menu.

Accessible instances section

The Accessible instances section contains information about the instances that are being made accessible by this policy.

Accessible instances can be configured using two different modes:
  • Criteria mode lets you specify accessible instances by defining a set of criteria that the instances need to match.
    A single criterion is represented by the following of input fields and dropdown menus:

    Type

    Lets you select the type of the criterion. The following options are available:
    • Environment – The environment that the instance belongs to
    • Instance – The selected instance
    • Instance name/ID – The name or ID of the instance
    • Instance type – The type of the instance
    • Instance location – The location of the instance
    • Instance tag – The name of a tag associated with the instance
    Note: See the Instance screen topic for more information on each of the available options.

    Qualifier

    Only available for criteria of type Instance tag, this field lets you specify the name of the tag to be matched.

    Operator

    Lets you select the operator to be used when comparing the instance's value with the value specified in the criterion. The following options are available:
    • Is – The instance's value is the same as the value specified in the criterion.
    • Is not – The instance's value is different from the value specified in the criterion.
    • Matches – The instance's value matches the regular expression specified in the criterion.
    • Doesn't match – The instance's value does not match the regular expression specified in the criterion.

    Value

    Lets you specify the value of the criterion. Depending on the selected criterion type and operator, this field can be represented either by a dropdown menu, or by a field that expects a literal value or regular expression.
    The set of criteria is organized as a tree, letting you specify combined criteria using an AND operator, and mutually exclusive criteria using an OR operator. You can:
    • add criteria to the tree by clicking the + button;
    • remove criteria from the tree by clicking the - button;
    • switch between the AND and OR operators by clicking the operator bubble itself.
    Note: The + and - buttons to add and remove criteria are shown when hovering the mouse over an AND/ OR operator bubble, or over the bracket that is displayed in front of a criterion.
  • Selection mode lets you specify accessible instances by simply selecting those instances, or the environments that they belong to. Selecting an environment implies that all instances in the environment will be made accessible.
    In selection mode, the following user interface elements are present:

    Resource list

    The resource list on the left shows the instances and environments that have been selected. You can
    • add resources to the list by dragging them from the resource browser on the right;
    • remove resources from the list by dragging them to the bottom of the list.

    Resource browser

    The resource browser on the right shows an overview of the available environments. Clicking the caret in front of the environment's name will show an overview of the instances in the environment. You can select instances or environments by dragging them to the resource list on the left.
CAUTION:
You can switch freely between Criteria mode and Selection mode by clicking their respective headers, but switching from criteria to selection mode might result in a loss of information, as not all criteria that are available in criteria mode can be represented in selection mode.

Users with access section

The Users with access section contains information about the users that are being granted access by this policy.

The following user interface elements are present:

Entity list

The entity list on the left shows the users, groups, and organizational units that have been selected. You can
  • add entities to the list by dragging them from the entity browser on the right;
  • remove entities from the list by dragging them to the bottom of the list.
Furthermore, for groups and organizational units, the entity list shows an additional checkbox next to their name.
  • For groups, this is the Include member groups checkbox. When checking this checkbox, the policy will not only apply to users that are direct members of the selected group, but also to users that are members of any member groups that the group might have. This behavior is applied recursively.
  • For organizational units, this is the Include child units checkbox. When checking this checkbox, the policy will not only apply to users that belong directly to the selected organizational unit, but also to users that belong to any child units that the organizational unit might have. This behavior is applied recursively.

Entity browser

The entity browser on the right shows an overview of the available users, groups and organizational units. You can select users, groups and organizational units by dragging them to the entity list on the left.

Access conditions section

The Access conditions section contains information additional access conditions that are being imposed by the policy.

Label Description

Accessible accounts

The operating system-level accounts on the server instances that users are being granted access to by the policy

The following options are available:
  • All – Users have access to all existing accounts.
  • User name – Users have access only to the account that corresponds to their canonical user name, provided that the account exists.
  • Local user name – Users have access only the account that corresponds to the local part of their canonical user name, provided that the account exists. The local part of the user name is the part that preceeds the @ character. For example, a user with a canonical user name of j.t.kirk@starfleet.org would only have access to the j.t.kirk account.
    Note: In cases where the user name does not contain an @ character, the local user name is the same as the user name.
  • Listed – Users have access only those accounts that are specified in the provided input field, provided that these accounts exist.

Access time

The times at which users are being granted access by the policy

The permitted access times are specified by selecting one or more days of the week, and configuring the start and end time of the period during which users will be allowed access. Conversely, selecting all days of the week, and setting the start and end time to 00:00 and 24:00 respectively, will permit users to access the server instances at any time.
Note: Access times are defined according to the time zone that is specified in the General settings screen

Button bar

Button Result

Cancel

Discards any changes made to the policy, and reverts it to its original state.

New

Discards any changes made to the policy, and opens a new policy screen.

Delete

Deletes the policy.

Save

Saves all changes made to the policy.
Related concepts
Related tasks

Comments

0 comments

Please sign in to leave a comment.