USER AND SERVER CONFIGURATION


Policy hierarchy and the effective policy
The effective policy for a user is a set of derived policy settings that are dynamically calculated at the time the policy is executed. The field values in an effective policy can originate from many different policy settings documents associated with the policy documents that apply to the user. Users may have a combination of policy settings that include values set at their OU level, values set with an explicit policy -- including values assigned to groups the user is a member of -- and settings inherited from a parent policy. The resolution of those settings determines the effective policy for each user.

If multiple policies are assigned to a single user, either dynamically due to multiple group memberships or assigned directly on the policy document, every effective policy at the group level is determined first. The result can be multiple effective dynamic policies assigned to a single user. In order to create one effective dynamic policy for each user, the dynamic policies are merged to create one dynamic policy.

When the dynamic effective policies are merged, each setting in the effective dynamic policy is checked to determine if there is a conflict with a setting from another policy. If there is no conflict, the setting is added to the final effective dynamic policy. If there is a conflict, the value of the setting from the dynamic policy with the highest precedence is used. The policy precedence is used to determine which policy settings take precedence when a conflict occurs between dynamic policies.

You can manually specify a dynamic policy's precedence in the Domino Directory or you can use the default precedence value that is set when you create a dynamic policy. By default, when a new dynamic policy is created, the policy is assigned to the end of the existing precedence order. The lower the precedence number, the higher the precedence, and the higher the precedence number, the lower the precedence. For example, a precedence of one (1) indicates the highest precedence, and a precedence of two (2) or any other number greater than one (1) indicates a lower precedence. When the process is complete, the result is the final effective dynamic policy. The effective dynamic policy is then used to help determine the effective policy.

The effective policy is determined as follows:

1. Organizational policies are determined and applied first.

2. Explicit policies with dynamic policy assignments are resolved and applied next.

3. Explicit policies without dynamic policy assignments are resolved and applied last.

If you follow the sequence above, you will determine that the explicit policy in a user's Person document overrides a dynamic policy which in turn overrides the organizational policy.

When determining the setting that is applied to a user, Domino uses the setting from the most explicit policy that is assigned to that user unless the "Enforce" setting is checked. If "Enforce in child settings" is checked, the setting must be derived from a specific policy and is not overridden by a setting from a more explicit policy. A more explicit policy would be a policy assigned to you in your Person document, as opposed to a policy assigned through membership in a group. A policy that is assigned via group membership is more explicit than a hierarchical explicit policy assigned to a user.

There are two tools that help you determine the effective policy governing each user. The Policy Viewer shows the policy hierarchy and associated settings documents, and the Policy Synopsis report shows the policy from which each of the effective settings was derived. The dynamic policies that were involved in the calculation of the effective policy are shown in order of precedence and the value of each setting derived by a dynamic policy decision is displayed in tabular format.
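
The resolution order, precedence merge and enforcement described above can be modeled as follows. This is an added example, not Domino code: it flattens the organizational hierarchy into one layer, and the field names and the /Helpdesk and /Managers policies are hypothetical. Like the Policy Synopsis report, it records which policy each effective value came from.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Setting:
    value: object
    enforce: bool = False  # models the "Enforce in child settings" checkbox

def merge_dynamic(policies):
    """Merge dynamic policies given as (name, precedence, {field: Setting}).

    On a conflict the lowest precedence number wins.
    Returns {field: (Setting, source_policy_name)}.
    """
    merged = {}
    # Visit the highest precedence (lowest number) first; first writer keeps the field.
    for name, _precedence, settings in sorted(policies, key=lambda p: p[1]):
        for field, setting in settings.items():
            merged.setdefault(field, (setting, name))
    return merged

def effective_policy(organizational, dynamic, explicit):
    """Apply the layers in the documented order and record each value's source."""
    result = {}
    for layer in (organizational, merge_dynamic(dynamic), explicit):
        for field, (setting, source) in layer.items():
            current = result.get(field)
            if current is not None and current[0].enforce:
                continue  # enforced earlier, so a more explicit policy cannot override it
            result[field] = (setting, source)
    return {field: (s.value, src) for field, (s, src) in result.items()}

# Constructed sample data (hypothetical field names and group policies).
ORG = {"password_quality": (Setting(8, enforce=True), "*/Acme"),
       "mail_quota_mb": (Setting(500), "*/Acme")}
DYNAMIC = [("/Helpdesk", 2, {"mail_quota_mb": Setting(1000), "archive": Setting("off")}),
           ("/Managers", 1, {"mail_quota_mb": Setting(2000)})]
EXPLICIT = {"password_quality": (Setting(4), "/Contractors"),
            "archive": (Setting("on"), "/Contractors")}

if __name__ == "__main__":
    for field, (value, source) in sorted(effective_policy(ORG, DYNAMIC, EXPLICIT).items()):
        print(f"{field:18} {value!s:6} from {source}")
```

In this model the enforced organizational password quality survives the weaker value in the explicit policy, which is the case to check when auditing whether a more explicit policy can lower a baseline setting.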

Inheritance and the child policy relationship

Inheritance plays an important role in determining a user's policy settings in both organizational and explicit policies. Through the parent-child relationship, you create a hierarchy of policies to set your administrative practices across the enterprise. In a policy hierarchy, policy documents build the relationship, and policy settings documents determine the value of the fields based on their position in the hierarchy. Using field inheritance and enforcement, you control the default settings.

In organizational policies, the hierarchy of policies is determined automatically based on the Organization's hierarchy. The policy */Sales/Acme is the child policy of */Acme. Since explicit policies do not follow the organizational structure, when you create explicit policies, you build in the hierarchy, based on the naming structure. For example, suppose you create an explicit policy named /Contractors that includes several settings that apply only to contract employees who may be employed for six months to a year. However, you want short-term temporary employees, employed for only one or two weeks, to inherit only some of those settings. You create a child explicit policy called Short term/Contractors.

The following figure shows a policy hierarchy. In this hierarchy, the policy at each organizational level has set its own password quality setting.

Setting value set for each policy.

In the following figure, Joe User inherits a password quality setting from a parent policy. Inheriting a setting occurs in the child policy at the field level in a policy settings document.

Setting value is inherited.

Another way that a user "inherits" field-level settings is through enforcement. In the illustration below, the password quality setting is enforced in the parent policy at the field level in the Registration policy settings document. If settings are enforced in a parent policy, the settings at the child policy level do not apply.

Setting value is enforced.

Example of using policies

The administrator at the Acme company wants to use policies to:


To accomplish these goals, the administrator creates these policies: