About Policy Security and Ownership

Policies are governed by three levels of security that determine the type of changes, if any, a user can make to a policy. Policy Designer Security Groups are the broadest category of security; a user must be in one of these groups to access or modify any policies. The second level of security is individual policy security, whereby only specific users within the Policy Designer Security Groups are given permissions to specific policies. Finally, of the users who have permission to modify a specific policy, only the user who has taken ownership of the policy can make changes.

Policy Designer Security Groups

The following table shows the Policy Designer activities that are accessible to members of the baseline Policy Designer Security Groups.

Activity | MI Policy Designer | MI Policy User | MI Policy Viewer
--- | --- | --- | ---
Create a new policy | Yes | None | None
Make changes to an existing policy, including the policy model, execution settings, and security settings. | Yes | None | None
Save a copy of a policy | Yes | None | None
Delete a policy or policy instances | Yes | None | None
Revert a policy to baseline | Yes | None | None
Take ownership of a policy | Yes | None | None
Add or edit policy instances | Yes | Yes | None
Validate a policy | Yes | Yes | Yes
View execution history | Yes | Yes | Yes

Note: Super Users receive the same privileges as members of the MI Policy Designer group.

Individual Policy Security

If no specific security settings are configured for an individual policy, users can access or modify the policy based on the access level granted by their Policy Designer Security Group, as described in the previous section. However, if you are creating a policy to which only certain users should have certain levels of access, you can optionally configure more restrictive security settings for that individual policy.

Once you grant specific policy permissions to at least one user or Security Group, no other user has access to the policy regardless of their membership in the MI Policy Designer, MI Policy User, or MI Policy Viewer Security Group.

Note: Super Users continue to have Designer access to all policies unless the Super User is specifically given a lower level of permission in the individual policy security settings. In that case, the specified policy permission applies even to the Super User.

When you configure security for an individual policy, you can select specific users and/or Security Groups to grant Designer, User, or Viewer permissions for the individual policy. The following table shows the Policy Designer activities that are accessible for each type of permission.

Activity | Designer | User | Viewer
--- | --- | --- | ---
Create a new policy | Yes | None | None
Make changes to an existing policy, including the policy model, execution settings, and security settings. | Yes | None | None
Save a copy of a policy | Yes | None | None
Delete a policy or policy instances | Yes | None | None
Revert a policy to baseline | Yes | None | None
Take ownership of a policy | Yes | None | None
Add or edit policy instances | Yes | Yes | None
Validate a policy | Yes | Yes | Yes
View execution history | Yes | Yes | Yes

When you configure individual policy security, the most restrictive security level applies to the user, based on their membership in the MI Policy Designer, MI Policy User, or MI Policy Viewer Security Group and security specified for the individual policy. This concept is best explained through examples:

Policy Ownership

Each policy is owned by a user who is responsible for the policy and is granted exclusive privileges to modify the policy model and execution settings. The user who creates a policy is automatically assigned as the owner. If a different user wants to modify the policy, he or she must first take ownership of the policy.

In order to be a policy owner, a user must be a Super User or a member of the MI Policy Designer Security Group. If any individual policy security is applied to the policy, the user must also have Designer permission.
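The resolution rules described on this page (group level, individual policy security, the Super User exception, and ownership) can be written out as an access check. This is an added example, not code from the product. It assumes one baseline group per user and grants to individual users only (grants to Security Groups are left out), and the names `effective_level`, `can`, the activity keys, and the sample users and policies are hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEWER = 1
    USER = 2
    DESIGNER = 3

# Minimum level per activity, from the two tables on this page
# ("Create a new policy" is left out: there is no existing policy to check).
REQUIRED = {
    "modify": Level.DESIGNER, "copy": Level.DESIGNER,
    "delete": Level.DESIGNER, "revert": Level.DESIGNER,
    "take_ownership": Level.DESIGNER,
    "edit_instances": Level.USER,
    "validate": Level.VIEWER, "view_history": Level.VIEWER,
}

def effective_level(user, policy):
    """Resolve the level one user holds on one policy."""
    # Super Users receive the same privileges as MI Policy Designer members.
    group = Level.DESIGNER if user["super_user"] else user["group"]
    grants = policy["grants"]      # {user name: Level}; empty = no policy security
    if not grants:
        return group               # the Security Group alone decides
    if user["name"] not in grants:
        # Secured policy: users without a grant are locked out, except Super Users.
        return Level.DESIGNER if user["super_user"] else Level.NONE
    # Most restrictive of group level and policy grant. This also lowers a
    # Super User who was explicitly given less than Designer.
    return min(group, grants[user["name"]])

def can(user, policy, activity):
    """True if the user may perform the activity on the policy."""
    if effective_level(user, policy) < REQUIRED[activity]:
        return False
    # Assumption: the owner-only rule is applied to "modify" and nothing else.
    if activity == "modify":
        return policy["owner"] == user["name"]
    return True

# Constructed sample users and policies.
carol = {"name": "carol", "group": Level.DESIGNER, "super_user": False}
bob = {"name": "bob", "group": Level.USER, "super_user": False}
root = {"name": "root", "group": Level.NONE, "super_user": True}
sam = {"name": "sam", "group": Level.NONE, "super_user": True}
open_policy = {"owner": "carol", "grants": {}}
locked = {"owner": "alice", "grants": {"alice": Level.DESIGNER,
                                       "bob": Level.DESIGNER, "root": Level.VIEWER}}
```

On `locked`, `carol` loses all access despite her Designer group, `bob` is capped at User by his group, `root` drops to Viewer, and `sam` keeps Designer access but cannot modify the policy until he takes ownership.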

Copyright © 2018 General Electric Company. All rights reserved.