Understanding policy hierarchy and effective policy

The effective policy for a user is a set of derived policy settings that are dynamically calculated at the time the policy is executed. The field values in an effective policy can originate from many different policy settings documents associated with the policy documents that apply to the user. Users may have a combination of policy settings that include values set at their OU level, values set with an explicit policy -- including values assigned to groups the user is a member of -- and settings inherited from a parent policy. The resolution of those settings determines the effective policy for each user.

If multiple policies are assigned to a single user, either dynamically due to multiple group memberships or assigned directly on the policy document, every effective policy at the group level is determined first. The result can be multiple effective dynamic policies assigned to a single user. In order to create one effective dynamic policy for each user, the dynamic policies are merged to create one dynamic policy.

When the dynamic effective policies are merged, each setting in the effective dynamic policy is checked to determine if there is a conflict with a setting from another policy. If there is no conflict, the setting is added to the final effective dynamic policy. If there is a conflict, the value of the setting from the dynamic policy with the highest precedence is used. The policy precedence is used to determine which policy settings take precedence when a conflict occurs between dynamic policies.

You can manually specify a dynamic policy's precedence in the Domino® Directory (names.nsf) or use the default precedence value that is set when you create a dynamic policy. By default, when a new dynamic policy is created, the policy is assigned a precedence value higher than that of other existing policies. Policy precedence is ranked numerically from smallest to largest in order of decreasing precedence. That is, the policy with a precedence value of one (1) has the greatest precedence, and policies with numeric values of two (2) or greater have less precedence. When the process is complete, the result is the final effective dynamic policy. The effective dynamic policy is the used to help determine the effective policy.

The effective policy is determined as follows:

  1. Organizational policies are determined and applied first.
  2. Explicit policies with dynamic policy assignments are resolved and applied next.
  3. Explicit policies without dynamic policy assignments are resolved and applied last.

Using the previous sequence, the explicit policy in a user's Person document overrides a dynamic policy which in turn overrides the organizational policy.

When determining the setting that is applied to a user, Domino® uses the setting from the most explicit policy that is assigned to that user unless the Enforce setting is checked. If Enforce in child settings is enabled, the setting must be derived from a specific policy and is not overridden by a setting from a more explicit policy. A more explicit policy would be a policy assigned in a user's Person document, rather than a policy assigned through group membership. A policy that is assigned to a group is more explicit than a hierarchical explicit policy assigned to a user.

Determining policy hierarchy and effective policy

Two tools help determine the effective policy governing each user. The Policy Viewer shows the policy hierarchy and associated settings documents, and the Policy Synopsis report shows the policy from which each of the effective settings was derived. The dynamic policies that were involved in the calculation of the effective policy are shown in order of precedence and the value of each setting derived by a dynamic policy decision is displayed in tabular format.

Policy inheritance

Inheritance plays an important role in determining a user's policy settings in both organizational and explicit policies. Through a parent-child relationship, you create a hierarchy of policies to set your administrative practices across the enterprise.

In a policy hierarchy, policy documents build the relationship, and policy settings documents determine the value of the fields based on their position in the hierarchy. Using field inheritance and enforcement, you control the default settings.

In organizational policies, the hierarchy of policies is determined automatically based on the Organization's hierarchy. The policy */Sales/Renovations is the child policy of */Renovations. Since explicit policies do not follow the organizational structure, when you create explicit policies, you build in the hierarchy, based on the naming structure. For example, if you create an explicit policy named /Contractors that includes several settings that apply only to contract employees who may be employed for six month to a year. However you want short-term temporary employees, employed for only one or two weeks, to inherit only some of those settings. You create a child explicit policy called Short term/Contractors.

Another way that a user inherits field-level settings is through enforcement. For example, the password quality setting is enforced in the parent policy at the field level in the Registration policy settings document.

If settings are enforced in a parent policy, the settings at the child policy level do not apply.

For example, an administrator wants to use policies to accomplish the following goals:

  • Set the same Internet address format for all users
  • Set users in Renovations/Sales to be roaming users
  • Set a custom mail template for employees in Renovations/Sales
  • Set a 24-month certification expiration for permanent employees
  • Set a 6-month certification expiration for temp
  • Control who has what level of access to the Widgets and Live Text feature
  • Control who can install additional Notes® third party features and plug-ins
  • Control who can perform user-initiated feature update in Notes®

To accomplish the goals in the previous list, the administrator would create the following policies:

  • An organizational policy for all Renovations employees (*/Renovations) that includes a registration policy settings document that specifies the Internet mail format and other default settings that will populate the registration dialog. These default policy settings include a 24-month certification expiration period.
  • An organizational policy for Sales/Renovations (*/Sales/Renovations) that sets roaming options and specifies a custom mail template.
  • An explicit policy for temporary employees that specifies a 6-month certification expiration. When temporary employees are registered, this explicit policy is applied along with the organizational policy that correlates to the organizational unit in which the employees are registered.