Access control uses a hierarchical, policy-based implementation that complements multitenancy. Just as you create a domain hierarchy, you can create a corresponding hierarchy of access control policies. An access control policy inherits rules and settings from its direct parent, or base, policy. That base policy may have its own parent policy from which it inherits rules and settings, and so on.
An access control policy's rules are nested between its parent policy's Mandatory and Default rule sections. Because rules are evaluated in order and the first match wins, this ordering enforces Mandatory rules from ancestor policies (a descendant cannot write a rule that is evaluated before them), but allows the current policy to write rules that preempt Default rules from ancestor policies.
You can lock the following settings to enforce them in all descendant policies. Descendant policies can override unlocked settings.

- Security Intelligence — Blacklisting and whitelisting connections based on the latest IP address, URL, and domain name reputation intelligence.
- HTTP Response pages — Displaying a custom or system-provided response page when you block a user's website request.
- Advanced settings — Specifying associated subpolicies, network analysis settings, performance settings, and other general options.
Although an access control policy can inherit its default action from an ancestor policy, you cannot enforce this inheritance: a descendant policy is always free to set its own default action.
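The following is an added, self-contained model of the inheritance rules described above (rule nesting between a parent's Mandatory and Default sections, locked versus unlocked settings, and an unenforceable default action). It is illustrative code written for this page, not the product's own implementation; the policy names, rule names, the port-only match condition and the setting keys are invented for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "block"
    dst_ports: frozenset      # simplified match condition: destination TCP ports
    section: str              # "mandatory" or "default"


@dataclass
class AccessControlPolicy:
    name: str
    parent: Optional["AccessControlPolicy"] = None
    rules: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)   # hypothetical setting keys
    locked: set = field(default_factory=set)       # settings enforced on all descendants
    default_action: Optional[str] = None           # None means "inherit from parent"

    def lineage(self):
        """Return the policy chain from the root ancestor down to this policy."""
        chain, policy = [], self
        while policy is not None:
            chain.append(policy)
            policy = policy.parent
        return list(reversed(chain))

    def effective_rules(self):
        """Order rules as the hierarchy nests them: every ancestor's Mandatory
        rules root-first, then this policy's own rules, then the ancestors'
        Default rules nearest-first. A descendant's rules therefore sit between
        its parent's Mandatory and Default sections and can preempt the latter only."""
        chain = self.lineage()
        mandatory = [r for p in chain for r in p.rules if r.section == "mandatory"]
        default = [r for p in reversed(chain) for r in p.rules if r.section == "default"]
        return mandatory + default

    def effective_settings(self):
        """Resolve settings root-first. A descendant may override a setting unless
        an ancestor locked it; overridden values for locked settings are ignored
        and reported so the administrator can see what was dropped."""
        resolved, lock_owner, ignored = {}, {}, []
        for policy in self.lineage():
            for key, value in policy.settings.items():
                if key in lock_owner and lock_owner[key] is not policy:
                    ignored.append((policy.name, key))
                    continue
                resolved[key] = value
            for key in policy.locked:
                lock_owner.setdefault(key, policy)
        return resolved, ignored

    def effective_default_action(self):
        """The default action is inherited but never enforced: the nearest policy
        that sets one wins, whatever its ancestors chose."""
        for policy in reversed(self.lineage()):
            if policy.default_action is not None:
                return policy.default_action
        raise ValueError("no default action set anywhere in the hierarchy")

    def evaluate(self, dst_port):
        """First-match evaluation over the effective rule order."""
        for rule in self.effective_rules():
            if dst_port in rule.dst_ports:
                return rule.action, rule.name
        return self.effective_default_action(), "default action"


def build_example():
    """Constructed three-level hierarchy: Global -> Engineering -> Engineering/Lab."""
    global_policy = AccessControlPolicy(
        name="Global",
        rules=[
            Rule("block-telnet", "block", frozenset({23}), "mandatory"),
            Rule("block-ssh", "block", frozenset({22}), "default"),
        ],
        settings={"security_intelligence": "enabled", "http_response_page": "system-provided"},
        locked={"security_intelligence"},
        default_action="block",
    )
    engineering = AccessControlPolicy(
        name="Engineering",
        parent=global_policy,
        rules=[
            Rule("allow-telnet", "allow", frozenset({23}), "mandatory"),    # never reached
            Rule("allow-ssh-bastion", "allow", frozenset({22}), "default"),  # preempts Global's Default rule
        ],
        settings={"security_intelligence": "disabled", "http_response_page": "custom"},
    )
    lab = AccessControlPolicy(name="Engineering/Lab", parent=engineering, default_action="allow")
    return global_policy, engineering, lab


if __name__ == "__main__":
    _, engineering, lab = build_example()
    print([r.name for r in engineering.effective_rules()])
    for port in (23, 22, 8080):
        print(port, engineering.evaluate(port))
    print(engineering.effective_settings())
    print(lab.effective_default_action())
```

Running the example shows the two sides of the design: the Engineering policy's `allow-telnet` rule is ordered after Global's Mandatory `block-telnet`, so it never matches, while its Default-section `allow-ssh-bastion` is ordered before Global's `block-ssh` and takes precedence; the locked `security_intelligence` value survives the descendant's attempt to disable it, the unlocked response-page setting does not; and the Lab policy replaces the inherited `block` default action with `allow` without anything stopping it.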
Inheritance and Multitenancy
In a typical
multidomain deployment, access control policy hierarchy corresponds to domain
structure, and you apply the lowest-level access control policy to managed
devices. This implementation allows selective access control enforcement at a
higher domain level, while lower-level domain administrators can tailor
deployment-specific settings. (You must use roles, not policy inheritance and
enforcement alone, to restrict administrators in descendant domains.)
For example, as a Global domain administrator for your organization, you can create an access control policy at the Global level. You can then require that all your devices, which are divided into subdomains by function, use that Global-level policy as a base policy. When subdomain administrators log in to configure access control, they can deploy the Global-level policy as-is. Or, they can create and deploy a descendant access control policy within the boundaries of the Global-level policy.
Although the most useful implementation of access control inheritance and enforcement complements multitenancy, you can create a hierarchy of access control policies within a single domain. You can also assign and deploy access control policies at any level of the hierarchy, not only the lowest.