USER AND SERVER CONFIGURATION

Organizational and explicit policies
There are two types of policies: organizational and explicit. Understanding the differences between the types helps you plan the implementation.

Organizational policies

An organizational policy automatically applies to all users registered in a particular organizational unit. For example, to distribute default settings to all users registered in Sales/Acme, create an organizational policy named */Sales/Acme. Then when you use the Sales/Acme certifier ID to register a user, that user automatically receives the settings in the corresponding organizational policy.

If you move a user within the hierarchical structure -- for example, because the user transfers from the Sales department to the Marketing department -- the organizational policy for the corresponding certifier ID is automatically assigned to the user. For example, if you move the user from Sales/Acme to Marketing/Acme, all settings defined in the desktop, archiving, and security policy settings documents associated with the */Marketing/Acme organizational policy are assigned to the user. The new policy settings become effective the first time users authenticate with their home server.

Explicit policies

An explicit policy assigns default settings to individual users or groups. For example, to set a six-month certification period for contract workers in all departments, create an explicit policy and then assign it to each contract employee or to the group that includes all contract employees.

There are three ways to assign an explicit policy: during user registration, by editing the user's Person document, or by using the Assign Policy tool.

For information on assigning an explicit policy, see the topic Assigning an explicit policy.

Using Exceptions

You can assign an exception attribute to either an organizational or explicit policy. You use an exception to allow the user to override a policy setting that is otherwise enforced throughout an organization. When you create an exception policy, you specify only the settings that will not be enforced. Then when you assign the exception policy, it exempts users from enforcement of those settings only.

Exception policies are a way to give someone in an organization special treatment, possibly because of their position or job requirements. For example, the */Acme policy includes a Registration policy setting that enforces a mail database quota of 60 MB. However, a small group of employees in Acme need to exceed this quota. The solution is to create an "exception" policy that includes only a Registration policy settings document, that does not set a quota limitation on the mail database. When this exception policy is assigned to users, they can override the database quota setting. Because exception policies defeat the enforcement of policy settings, use them sparingly.

See also