USER AND SERVER CONFIGURATION


Policy hierarchy and the effective policy
The effective policy for a user is a set of derived policy settings that are dynamically calculated at the time of execution. The field values in an effective policy may originate from many different policy settings documents. Each hierarchical level can have an associated policy, so users may have a combination of policy settings that include the values set at their OU level, and those inherited from a parent policy. The resolution of those settings, stepping up through the organizational hierarchy, determines the effective policy for each user.

In addition to organizational policies, users may also have explicit policies assigned to them. In that case, the order of resolution is that all organization policy settings are resolved first, then any explicit policy settings are resolved.

For example, if you want all users to use the same Internet mail name format, set that value in the Registration policy settings document for the top-level policy. Once you have set this value, you do not have to change it or reenter it in subsequent child policies. You simply "inherit" this value from the parent by selecting the inherit option. However, if you have a select group of international users for whom this setting is a problem, you can create an explicit policy that applies to the select group only. The combination of explicit and organizational policies provides the control and the flexibility you need.

There are two tools that help you determine the effective policy governing each user. The Policy Viewer shows the policy hierarchy and associated settings documents, and a Policy Synopsis report shows the policy from which each of the effective settings was derived.

Inheritance and the child policy relationship

Inheritance plays an important role in determining a user's policy settings in both organizational and explicit policies. Through the parent-child relationship, you create a hierarchy of policies to set your administrative practices across the enterprise. In a policy hierarchy, policy documents build the relationship, and policy settings documents determine the value of the fields based on their position in the hierarchy. Using field inheritance and enforcement, you control the default settings.

In organizational policies, the hierarchy of policies is determined automatically based on the organization's hierarchy. The policy */Sales/Acme is the child policy of */Acme. Since explicit policies do not follow the organizational structure, when you create explicit policies you build the hierarchy yourself, based on the naming structure. For example, suppose you create an explicit policy named /Contractors that includes several settings that apply only to contract employees who may be employed for six months to a year. However, you want short-term temporary employees, employed for only one or two weeks, to inherit only some of those settings. You create a child explicit policy called Short term/Contractors.

The following figure shows a policy hierarchy. In this hierarchy, the policy at each organizational level has set its own password quality setting.

Setting value set for each policy.

In the following figure, Joe User inherits a password quality setting from a parent policy. Inheriting a setting occurs in the child policy at the field level in a policy settings document.

Setting value is inherited.

Another way that a user "inherits" field-level settings is through enforcement. In the illustration below, the password quality setting is enforced in the parent policy at the field level in the Registration policy settings document. If settings are enforced in a parent policy, the settings at the child policy level do not apply.

Setting value is enforced.
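
The resolution rules described above, as an added Python sketch (not Domino code and not part of the original documentation). The field keys and values are constructed, and the sketch assumes that a value enforced in the organizational chain also stays locked when explicit policies are applied, a case the text does not spell out.

```python
from typing import NamedTuple

SET, INHERIT, ENFORCE = "set", "inherit", "enforce"

class Policy(NamedTuple):
    name: str
    fields: dict  # field name -> (value, mode)

def effective_policy(org_chain, explicit_chain=()):
    """Resolve two chains, each ordered parent first, child last.

    Organizational policies are resolved first, then explicit ones.
    Returns {field: (value, source policy name)}, the kind of mapping a
    Policy Synopsis report presents.
    """
    effective, locked = {}, set()
    for policy in [*org_chain, *explicit_chain]:
        for field, (value, mode) in policy.fields.items():
            # An enforced parent value cannot be replaced further down
            # (assumed to hold across the organizational/explicit boundary);
            # "inherit" keeps whatever the parent resolved.
            if field in locked or mode == INHERIT:
                continue
            effective[field] = (value, policy.name)
            if mode == ENFORCE:
                locked.add(field)
    return effective

# Constructed sample policies; names follow the examples in the text,
# field keys and values are hypothetical.
ACME = Policy("*/Acme", {
    "password_quality": (8, ENFORCE),
    "internet_mail_format": ("First Last", SET)})
SALES = Policy("*/Sales/Acme", {
    "password_quality": (4, SET),            # weaker value, ignored: parent enforces
    "internet_mail_format": (None, INHERIT),
    "password_expiration_days": (90, SET)})
CONTRACTORS = Policy("/Contractors", {
    "internet_mail_format": ("FLast", SET)})
SHORT_TERM = Policy("Short term/Contractors", {
    "internet_mail_format": (None, INHERIT),
    "password_expiration_days": (14, SET)})

def demo():
    return effective_policy([ACME, SALES], [CONTRACTORS, SHORT_TERM])

if __name__ == "__main__":
    for field, (value, source) in sorted(demo().items()):
        print(f"{field:26} {value!s:12} from {source}")
```

The weaker password quality set in */Sales/Acme never reaches the user because the parent enforces the field, which is the case to check for when reviewing a synopsis of security-relevant settings.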

Example of using policies

The administrator at the Acme company wants to use policies to:


To accomplish these goals, the administrator creates these policies: