Each time you create or modify an access control policy, you must perform certain tests
to verify that the policy is working correctly.
Procedure
-
For each policy that you have created or modified, ensure the following:
- A user that belongs to the policy's access group is able to take the specified actions on the
specified resources. If you have removed authorization to perform an action, you should also test to
make sure that the user can no longer perform the action.
- A user that does not belong to the policy's access group is unable to take the specified actions
on the specified resources.
-
Once you have finished testing all your new and changed policies that are currently in the
database, it is a good idea to extract that information into XML files. These files have the same
format as the initial access control policy related files:
defaultAccessControlPolices.xml
,
defaultAccessControlPolicies_locale.xml
, and
ACUserGroup_locale.xml
. This step is necessary because changes made using the
Organization Administration Console affect only the policy information stored in the database. The
XML files that were used to load the default access control policies and their components during
instance creation, are not updated automatically. For more information, see Extracting policy and access group definitions.
What to do next
After a new policy has been created, the new policy must be assigned into a policy group
before it comes into effect. You should assign the new policy to the group that serves the purpose
of the policy. For more information about the policy group names, see Default access control policy groups.