
Why isn't there a Permission to Install a Specific Policy?

Question asked by Tomer Sole Expert on Dec 21, 2017

R80 and R80.10 bring permissions per layer. You can delegate the work of adding, removing and editing rules in specific layers - ordered or inline - to specific administrators. See this video for more details: R80.10 Policy Management - Permissions per Layer

 

One of the questions that we sometimes receive is - what's the point of granular permissions per layer if Install Policy is still an "all or nothing" permission, as in - you can either install any policy you like, or not install any policy at all. 

 

 

The way we see things is: The new R80 Security Management working model is - Publish is now the most important operation that an administrator can do. Gone are the days of planning a change on the side, acquiring the 1 concurrent read-write lock for R7x SmartDashboard, quickly making changes, saving them (otherwise work doesn't get sent to the Management Server) and installing the policy to complete the change. With R80 and above, you can stage your changes inside SmartConsole while other people prepare their own changes, in parallel. The locks mechanism lets you get rid of external change planners, if you want. There is no save button, because the changes are automatically saved, but they remain as private changes as long as you don't publish them.

 

Install Policy will only install what has been published. This could be multiple published sessions by different administrators. But it will not install changes which are pending a publish operation.

 

By publishing their changes, the administrators put their changes "on the shelf" for the next install policy. If you don't want your changes to be installed soon - don't publish them. Use the History Pane to review the changes in your current session.

 

This makes the Install Policy process something a dedicated person can do at a given time window - install policy and monitor its progress. You can also make this an automatic cron job using the Management API. 

 

To summarize, with R80 we moved the "critical operation" away from "install policy" and towards "publish". 

 

Hope this helps
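
The scheduled install mentioned in the post ("an automatic cron job using the Management API"), sketched as an added example that is not part of the original post or Check Point's own code. It uses the Management Web API commands `login`, `install-policy`, `show-task` and `logout`; the server name, package name, targets and the `call` transport wrapper are assumptions.

```python
import json
import time
import urllib.request

def api_call(server, command, payload, sid=None, context=None):
    """POST one command to https://<server>/web_api/<command> and return the JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(
        f"https://{server}/web_api/{command}",
        data=json.dumps(payload).encode(), headers=headers)
    # context: ssl.SSLContext that trusts the management server's certificate
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)

def install_published_policy(call, user, password, package, targets,
                             poll_seconds=5, sleep=time.sleep):
    """Install whatever is already published; never publishes anything itself.

    call(command, payload, sid) is the transport (assumed wrapper, e.g.
    functools.partial(api_call, "mgmt.example.com")). Returns the final task status.
    """
    sid = call("login", {"user": user, "password": password}, None)["sid"]
    try:
        reply = call("install-policy",
                     {"policy-package": package, "access": True, "targets": targets}, sid)
        while True:
            task = call("show-task", {"task-id": reply["task-id"]}, sid)["tasks"][0]
            if task["status"] != "in progress":
                return task["status"]  # e.g. "succeeded" or "failed"
            sleep(poll_seconds)
    finally:
        call("logout", {}, sid)  # always release the API session
```

Because the job never calls `publish`, private sessions that administrators have not published stay out of the install. A cron wrapper should take the credentials from outside the script and treat any status other than `succeeded` as a failed run.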
