How to use ACL data in policies
This topic describes how to use ACL data in your policies.
The user must specify the following query to view all ACL data as shown in the following screenshot:
Note: ACL grouping is not supported. To perform such groupings, use an external DB client, such as the DB2 warehouse client, against the Spectrum Discover database.
Important: When using acog or aces data to make tagging policies, be aware that a file typically has several ACL rows, so a policy that selects a single acog or aces value and writes it into a shared tag may produce tags that are not meaningful.
For example, the following tag is defined to show that a row has a permission type of either
read-write, read-execute, or read only:
The following policies are intended to set the permission tag based on the permissions
flag:
After running the Read Only policy, the Permission tag is populated, but as seen from the following row for the same file, the tag does not match the real permissions (only the rows whose permissions are rt should be "read only"):
After running the Read Execute policy, the Permission tag is still populated, but its value is changed from Read-Only to Read-Execute. Because the later policy overwrites the earlier value, the tag no longer reflects the file's actual permissions and is effectively useless:
To solve this problem, create one tag per condition and set its value to "True" when the condition exists.
Note: Do not add a "false" value. A policy that sets a tag to "false" when a condition is absent would overwrite the "True" set by another row of the same file, and you would run into the same meaningless results.
When each tag only ever takes the value "True", you can write one policy per condition that sets its own tag to "True". By checking which tags are present on a file, you can determine what permissions are allowed for that file.
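The following simulation, added here as an illustration and not part of Spectrum Discover's own policy engine, shows why a single multi-valued Permission tag is overwritten when a file has several ACL rows, and how per-condition "True" tags keep every permission. The ACE rows, file paths, tag names and matching rules are constructed for the example.

```python
"""Constructed simulation of per-file tagging from per-ACE rows."""
from collections import defaultdict

# Constructed ACE rows: one row per (file, permission flags). report.csv has
# a read-only ACE and a read-execute ACE, mirroring the case in the text.
ACE_ROWS = [
    {"path": "/data/report.csv", "perms": "rt"},   # read only
    {"path": "/data/report.csv", "perms": "rxt"},  # read-execute, other principal
    {"path": "/data/tool.sh",    "perms": "rwt"},  # read-write
]

# Policies as (name, match function over an ACE row, tag, value).
# Variant 1: every policy writes the same shared "Permission" tag.
SINGLE_TAG_POLICIES = [
    ("Read Only",    lambda r: r["perms"] == "rt", "Permission", "Read-Only"),
    ("Read Execute", lambda r: "x" in r["perms"],  "Permission", "Read-Execute"),
    ("Read Write",   lambda r: "w" in r["perms"],  "Permission", "Read-Write"),
]

# Variant 2: the same conditions, but each owns its tag and only sets "True".
PER_CONDITION_POLICIES = [
    ("Read Only",    lambda r: r["perms"] == "rt", "ReadOnly",    "True"),
    ("Read Execute", lambda r: "x" in r["perms"],  "ReadExecute", "True"),
    ("Read Write",   lambda r: "w" in r["perms"],  "ReadWrite",   "True"),
]


def run_policies(rows, policies):
    """Apply policies in order. Tags live on the file, not on the ACE row, so
    a later policy matching another row of the same file overwrites an
    earlier value of the same tag; the last matching policy wins."""
    tags = defaultdict(dict)
    for _name, matches, tag, value in policies:
        for row in rows:
            if matches(row):
                tags[row["path"]][tag] = value
    return dict(tags)


def permissions_for(path, tags):
    """List the per-condition tags set to "True" on a file."""
    return sorted(t for t, v in tags.get(path, {}).items() if v == "True")


if __name__ == "__main__":
    print(run_policies(ACE_ROWS, SINGLE_TAG_POLICIES))
    print(run_policies(ACE_ROWS, PER_CONDITION_POLICIES))
```

With the shared tag, report.csv ends up as "Read-Execute" only and its read-only ACE is lost; with per-condition tags, both ReadOnly and ReadExecute remain visible.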
Note: You can customize your own tags and use the aces/acog information that is meaningful to you.