CONFIGURING


Organizational and explicit policies

There are two types of policies: organizational and explicit. Understanding the differences between the types helps you plan the implementation.

Organizational policies

An organizational policy automatically applies to all users registered in a particular organizational unit. For example, to distribute default settings to all users registered in Sales/Renovations, create an organizational policy named */Sales/Renovations. Then when you use the Sales/Renovations certifier ID to register a user, that user automatically receives the settings in the corresponding organizational policy.

If you move a user within the hierarchical structure -- for example, because the user transfers from the Sales department to the Marketing department -- the organizational policy for the corresponding certifier ID is automatically assigned to the user. For example, if you move the user from Sales/Renovations to Marketing/Renovations, all settings defined in the desktop, archiving, and security policy settings documents associated with the */Marketing/Renovations organizational policy are assigned to the user. The new policy settings become effective the first time users authenticate with their home server.

Explicit policies

An explicit policy assigns default settings to individual users or groups. For example, to set a six-month certification period for contract workers in all departments, create an explicit policy and then assign it to each contract employee or to the group that includes all contract employees.

Note: A dynamic policy is an explicit policy that is created by using the Policy Assignment tab on the Policy document to assign the policy to users and groups. If the policy is a dynamic policy, then as the organization changes, you need to update only the Group document. If a user changes jobs or organizations, you do not need to determine which policies need updating. The updated group information is applied the next time the effective policy is calculated for any users in that group.

Assign explicit policies in one of these ways:


Exception overrides in organizational or explicit policy

You can assign an exception attribute to an organizational or explicit policy to let the user override a policy setting that is otherwise enforced throughout an organization. When you create an exception policy, you specify only the settings that will not be enforced. When you assign the exception policy, it exempts users from enforcement of those settings only.

Exception policies are a way to give someone in an organization special treatment, possibly because of their position or job requirements. For example, the */Renovations policy includes a Registration policy setting that enforces a mail database quota of 60 MB. However, a group of employees in Renovations may need to exceed this quota. The solution is to create an "exception" policy that includes only a Registration policy settings document, that does not set a quota limitation on the mail database. When this exception policy is assigned to users, they can override the database quota setting.

Related concepts
Creating policies
Assigning dynamic policies
Policies
Understanding policy hierarchy and effective policy