Cisco Enterprise Policy Manager: What’s New in v3.2
Updated: March 18, 2008
On March 14, 2008, Cisco will release the next version of the Cisco Enterprise Policy Manager (EPM), further helping organizations to meet their security and compliance requirements by securing access to sensitive applications and information with innovative, fine-grained controls and visibility, and excellent application and infrastructure support.
• Richer policy expressions for more precise authorization decisions
– You can now set policies with more configurable time and date constraints. For example, you can allow access every Tuesday or allow access every third Wednesday between 3 and 5 p.m.
– Furthermore, you can update cache entries based on time constraints.
– Dynamic role assignments can have explicit inclusive or exclusive assignment of users and groups, providing more flexibility in the definition of dynamic roles.
• More configurable caching and enhanced performance
– You can cache Policy Information Point (PIP) data and configure a time-to-live (TTL) value for it at the PIP level (not the attribute level), helping ensure Cisco EPM is using the most current information for policy decisions without negatively affecting performance. Additionally, any cached decision in the Policy Enforcement Point (PEP) or Policy Decision Point (PDP) that is based on expired PIP attributes is automatically invalidated.
– Caching in the .NET PEP has also been improved to help ensure accurate expiration of information based on TTL settings.
– Overall performance of the product has increased, whether caching is turned on or off. Detailed performance data, based on testing conducted in the Cisco performance lab, will be available shortly after the release date. The improved performance was achieved through code optimizations and upgrading to faster third-party libraries used in the product.
• Expanded platform support and enhanced Microsoft Office SharePoint PEP
– Cisco EPM is already the leading entitlement management product with the broadest application and platform support. In this release, Cisco EPM has added support for:
IBM DB2 8.2 as an entitlement repository
BEA WebLogic 10.0 as an application server for the Policy Administration Point (PAP) and PDP
SSPI PEP for BEA WebLogic 10.0
JACC PEP for JBoss Application Server 4.0 and 4.2
JACC PEP for IBM WebSphere 6.1
– The PEP for Microsoft Office SharePoint Server 2007 has been enhanced with the ability to:
Perform security trimming of search results
Apply policies to documents in document libraries based on metadata tags or document properties
Automatically synchronize resources between SharePoint and the PAP at preconfigured time intervals
– These new agents and platforms allow Cisco customers to realize immediate value from their entitlement management investments.
• Enhanced logging and auditing capabilities
– Cisco EPM now logs all PIP attributes used in any authorization decision, helping ensure a complete and trusted audit record for every decision made by the PDP.
– The system also logs dynamic message attributes (such as values entered into fields in a form) used by the PDP to render an authorization decision.
– Cisco EPM also exposes an application programming interface (API) for querying or extracting audit logs from the system, providing customers with a better solution for integrating the logs with an enterprise reporting engine or governance, risk, and compliance (GRC) solution.
– You can export administration and runtime audit logs into common formats such as Excel or comma-separated value (CSV).
• Upgraded delegated administration
– Delegated administration is now simplified, and you can assign privileges with a single click. Cisco EPM contains numerous default administrative profiles that you can assign to any delegated administrator, and you can also create additional profiles.
– Furthermore, delegation of administrative privileges can also be constrained based on time, helping ensure administrators have only the necessary entitlements to perform their job function. This feature prevents entitlement "creep" as administrators rotate through temporary assignments or jobs.
• Improved developer support
– This release of Cisco EPM includes completely refactored and updated administrative and runtime APIs, which allow enterprise and third-party developers to customize the product according to their requirements. Several new APIs have also been added to facilitate higher levels of customization and provide more efficient interactions with applications.
– The Cisco EPM Developer Guide includes thorough documentation of each API call, including code samples where appropriate.