4 how it all works, 1 policies, How it all works – HP 3PAR Service Processors User Manual

2.4

How It All Works

3PAR Secure Service Policy Manager User’s Guide

2.4 How It All Works

The Secure Service Collector Server communicates with the Secure Service Custodian by posting

requests for the Custodian and receiving its responses. These can be requests to perform

actions, including uploading files, running applications, restarting, executing packages, setting

data values on the Custodians, and so forth. These requests are discovered by the Custodian

Custodians upon subsequent pings. If a Custodian is managed by the Policy Manager, the

Custodian will first reference its policy to determine whether or not it can perform the action.

Each Custodian is also configured with its own actions. These actions may be configured to

execute based on an internal schedule set in the Custodian, or based on triggering events. If

Policy Manager is in use, some of the Custodian’s own actions will be defined in the related

policy.

2.4.1 Policies

When a Custodian connected to and managed by Policy Manager is presented with a request

to perform an action, it first refers to its policy, as defined by the Policy Manager. A policy is

comprised of a list of actions a Custodian can perform and permissions and rights to perform

each action. A Custodian’s policy determines how the Custodian will handle an action request

and, based on the defined policy, the Custodian will do one of three things:

■

Accept and perform the action.

■

Deny the action.

■

Ask the Policy Manager for permission to perform the action.

The Custodian enforces the policy as set in the Policy Manager and reports its policy-related

activities to the Policy Manager and the Collector Server for auditing reasons.

If a Custodian requests permission to perform an action, per its policy, the Policy Manager

sends an email notification to specified Policy Manager user(s). Based on the email

information, the recipients are informed of the requested action. They need to then accept or

deny the action within a defined timeout period.

■

If the action is accepted, the Policy Manager notifies the Custodian that the action is

accepted. If applicable, the Custodian notifies the Collector Server that the action as

approved, and then it performs the action as requested.

■

If the user denies the action, the Policy Manager sends the action back to the Custodian as

denied. The Custodian notifies the Collector Server that the action was denied.