IMO, I would prefer the first solution, in which, when any conflict arises, we choose the feature in the highest-priority policy to be in the composite policy. I think it is a simple solution which can be implemented easily and which end-users can understand easily.
I am -1 on implementing a policy conflict resolution mechanism, because of the complication it brings.

First, policies are just syntax without any meaning (semantics) to the system. The semantics of a policy come from a user (mostly an administrator), because only a human understands the company hierarchy and structure. It is a human who gives meaning to a role, such as who is a developer or a leader. The implementation of the policy does not have these details; it has rules such as roles, which are represented by strings.

Second, until device details are provided to the policy engine, it does not know which combination of policies would be merged together to get the single effective composite policy. The composite policy will be calculated after the policy engine evaluates all the available policies against the provided rules. Rules can be related to roles, users, device types, specific devices, temperature, speed, location of the device, time, etc. A policy could have more than a single rule; for example, a policy could have rules related to two roles, the location of the device and the time of day. Apart from that, the EMM would accommodate thousands of devices.

Third, our next approach to policy implementation will be real-time policy changes depending on geo-location and time. When that happens, the policy engine will not be able to pick up the conflicts until those rules are fulfilled by the devices. Let's assume that we have a policy which should be applied to certain devices at a certain time in a certain location. Until a device is carried to that location at that time, this policy will not be evaluated as a candidate for the composite policy. Therefore it is hard to predict which combination of policies will be applied to devices and which policies will be in conflict, and then ask the administrator to change them when we detect conflicts.
And with the complications it would present to the end-user in understanding how policy management works, I am not able to justify the value it would add to the product. Therefore my personal opinion is to go with the simple solution, which would make it easier to implement and easier to understand. So I am +1 for the first approach. In that approach the administrator should prioritize the policies according to the company hierarchy. Policies for higher company positions should have the highest priorities, and vice versa: those for the lowest positions should have the lowest priorities. Then any conflicting scenario would be resolved by selecting the feature from the highest-priority policy.

Thanks,
Geeth

On Wed, Sep 7, 2016 at 11:30 PM, Supun Wanniarachchi <[email protected]> wrote:

> Hi All,
>
> The existing CDMF device management policy enforcement implementation in EMM supports applying only one policy to devices, based on an administrator-defined priority order.
>
> For instance, assume an instance where two policies (mentioned below) are supposed to be applied to managed devices.
>
> 1. Disable camera on all Android devices -> Policy_B
> 2. Disable wifi on all Android devices which belong to role "user-group A" -> Policy_A
>
> If we take an Android device which belongs to a user in user-group A, ideally both of the aforementioned policies should be applied to the said device. But due to the limitations in the existing policy implementation, only Policy_B (the first policy in the priority list) will be applied, as that's what's been prioritized by the policy priority order.
>
> New Feature for Composite Device Management Policies:
>
> This new feature helps merge discrete policies together and get a composite effective policy without any conflicts. It should be enhanced further to be able to merge several such discrete policies together (i.e. camera disable, wifi disable) and enforce a composite effective policy upon managed devices.
>
> But considering the above example, a conflicting situation will happen when we are going to merge these policies.
>
> 1. Disable camera on all Android devices -> Policy_B (Android, BYOD)
> 2. Enable camera on all devices which belong to role "user-group A" -> Policy_E (Android, ANY)
>
> In this case, it's hard to find the exact operation to apply to the device when we are creating the effective policy. Previously there was no such situation, because only one policy was applied, using the policy priority order. To get rid of this issue we can do the policy merging task in two different ways (Proposed suggestion 1, Proposed suggestion 2).
>
> *Proposed suggestion 1*:
>
> [image: emm2.jpg]
>
> - Use the existing priority order and get the first applicable policy if there's any conflict situation.
> - Merge several such discrete policies together and enforce a composite effective policy on the device.
>
> *Proposed suggestion 2*:
>
> [image: emm.jpg]
>
> - The user can add any number of policies for different ownership, role or user and save, without using the existing priority order.
> - But when we are doing the "Apply changes to devices" event, it works as in the above diagram.
> - Restrict applying two conflicting policies to one device. If there are any conflicts, use the Resolution Mechanism to avoid these issues.
>
> Resolution Mechanism for conflicting policies
>
> - Mainly check the feature level of each policy (i.e. Passcode, Restriction, Wifi, VPN). Check feature by feature whether there are any conflicts (features have different role sets).
> - Display conflicting policy details separately and allow the user to change the applicable policy of that particular role/user.
>
> In the PDP there are no conflicts for either Proposed suggestion 1 or 2. Check which device gets the effective policy and do the policy merging process. Finally apply that effective policy to the device.
>
> I think *Proposed suggestion 2* is the more effective way. Please share your thoughts on this.
>
> --
> Supun Wanniarachchi
> Intern
> WSO2, Inc.
>
> *Lean . Enterprise . Middleware *
> Mobile: +94 716326119
> Blog: http://blog.supun.me
> [image: https://lk.linkedin.com/in/supun-wanniarachchi-21b37a97]
> <https://lk.linkedin.com/in/supun-wanniarachchi-21b37a97>

--
*G. K. S. Munasinghe*
*Senior Software Engineer,*
*WSO2, Inc. http://wso2.com <http://wso2.com/> *
*lean.enterprise.middleware.*
email: [email protected]
phone: (+94) 777911226
<http://wso2.com/signature>
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
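The priority-based, feature-level merge that both Geeth's reply and Supun's "Proposed suggestion 1" describe, as an added example in Python. This is not WSO2 EMM/CDMF code: the Policy and Device classes, the rule fields (platform, ownership, roles), the function names and the sample policies are assumptions made for this example, with the sample data constructed to mirror Policy_B, Policy_A and Policy_E from the thread. The merge takes every policy applicable to a device, walks its features in priority order, and lets the highest-priority policy win any feature that more than one policy sets. A separate find_conflicts helper shows Geeth's point that a conflict is only visible once the device details are known: the same three policies conflict on the camera feature for a BYOD device but not for a COPE device, because Policy_B never applies to the latter.

```python
"""Feature-level merge of discrete device policies into one effective policy.

Added example, not WSO2 EMM/CDMF code. Models "Proposed suggestion 1":
every policy that applies to a device contributes its features, and where
two applicable policies set the same feature differently, the one highest
in the administrator-defined priority order wins. The Policy/Device
classes, rule fields and sample policies are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ANY = "ANY"  # wildcard for platform or ownership rules


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int              # 1 = highest, per the admin-defined order
    platform: str              # e.g. "android", "ios" or ANY
    ownership: str             # e.g. "BYOD", "COPE" or ANY
    roles: FrozenSet[str]      # empty set = applies regardless of role
    features: Dict[str, dict]  # feature name -> its settings


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    ownership: str
    roles: FrozenSet[str]


def applies(policy: Policy, device: Device) -> bool:
    """Rule evaluation: a policy becomes a candidate only once device details are known."""
    if policy.platform != ANY and policy.platform != device.platform:
        return False
    if policy.ownership != ANY and policy.ownership != device.ownership:
        return False
    return not policy.roles or bool(policy.roles & device.roles)


def applicable_policies(policies: List[Policy], device: Device) -> List[Policy]:
    """All candidate policies for the device, highest priority first."""
    return sorted((p for p in policies if applies(p, device)), key=lambda p: p.priority)


def find_conflicts(policies: List[Policy], device: Device) -> Dict[str, List[Tuple[str, dict]]]:
    """Features that two or more applicable policies configure differently.

    Returns feature -> [(policy name, settings), ...] in priority order, so an
    administrator could be shown exactly which policies disagree for this device.
    """
    contributions: Dict[str, List[Tuple[str, dict]]] = {}
    for p in applicable_policies(policies, device):
        for feature, settings in p.features.items():
            contributions.setdefault(feature, []).append((p.name, settings))
    return {f: entries for f, entries in contributions.items()
            if any(s != entries[0][1] for _, s in entries)}


def merge_policies(policies: List[Policy], device: Device) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Build the composite effective policy for one device.

    Feature by feature, the first applicable policy in priority order sets the
    feature; later policies add only features not yet set. Returns the effective
    feature map and, for audit, which policy won each feature.
    """
    effective: Dict[str, dict] = {}
    winners: Dict[str, str] = {}
    for p in applicable_policies(policies, device):
        for feature, settings in p.features.items():
            if feature not in effective:
                effective[feature] = settings
                winners[feature] = p.name
    return effective, winners


# Constructed sample data mirroring the policies discussed in the thread.
SAMPLE_POLICIES = [
    Policy("Policy_B", 1, "android", "BYOD", frozenset(), {"camera": {"enabled": False}}),
    Policy("Policy_A", 2, "android", ANY, frozenset({"user-group A"}), {"wifi": {"enabled": False}}),
    Policy("Policy_E", 3, "android", ANY, frozenset({"user-group A"}), {"camera": {"enabled": True}}),
]
DEVICE_BYOD_GROUP_A = Device("dev-1", "android", "BYOD", frozenset({"user-group A"}))
DEVICE_COPE_GROUP_A = Device("dev-2", "android", "COPE", frozenset({"user-group A"}))

if __name__ == "__main__":
    for device in (DEVICE_BYOD_GROUP_A, DEVICE_COPE_GROUP_A):
        effective, winners = merge_policies(SAMPLE_POLICIES, device)
        print(device.device_id, "effective:", effective, "won by:", winners)
        print(device.device_id, "conflicts:", find_conflicts(SAMPLE_POLICIES, device))
```

Running it shows the BYOD device in user-group A getting camera disabled (Policy_B wins over Policy_E) plus wifi disabled (Policy_A), with the camera conflict reported, while the COPE device gets camera enabled from Policy_E and no conflict at all. The winners map is worth keeping in the real implementation: it is the audit trail that tells an administrator why a device ended up with a given setting.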
