Access Control Policies
An Access Control Policy determines who can access the files and data blocks on the DataControl-encrypted data disks associated with the policy. The default permission is "Deny", so as soon as you associate an Access Control Policy with an encrypted disk, the data on that disk is inaccessible to everyone except the users and groups who have explicit "Allow" permissions in the policy rules.
The first time you associate an Access Control Policy with a disk, KeyControl sends the policy information to the VM at the VM's next heartbeat. At that time, the HyTrust DataControl Policy Agent verifies that all local user account entries in the policy's permissions list are valid. If they are, the Policy Agent enables the Access Control Policy on the disk. If not, the Policy Agent raises an alert describing the problem and does not enable any access controls on the disk.
Note: For Windows, the permissions list can also contain Active Directory (AD) users and groups, which are validated when the AD accounts are added to the permissions list. If a policy's permissions list contains AD accounts that have since been removed from AD, the Policy Agent ignores the non-existent accounts and implements the rest of the Access Control Policy.
The permissions lists for an Access Control Policy are stored in the Access Control Rules defined for that policy. For details, see Access Control Rule Types.
Linux Access Control Policy Maintenance
Whenever you change a Linux Access Control Policy in KeyControl, KeyControl sends the changes to each associated Linux VM on the VM's next heartbeat. At that time, the Policy Agent verifies the new permissions list. If any local user account entries are not found, the Policy Agent raises an alert and continues to use the old permissions list for the VM.
The old permissions list remains in effect until a Cloud Admin changes the Access Control Policy in the KeyControl webGUI and the new permissions list is validated by the Policy Agent.
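Because a single unresolved local account keeps a Linux VM on its old permissions list, it helps to check the planned list on the VM before changing the policy. The following script is an added example, not HyTrust code: the one-username-per-line list file and the function names are hypothetical, and it assumes an entry is valid when it appears as a login name in a passwd-format file, which may differ from how the Policy Agent resolves accounts.

```shell
#!/bin/sh
# Added example (not part of HyTrust DataControl).
# Assumption: a local user entry is "valid" when it is the first
# colon-separated field of some line in a passwd-format file.

# missing_users LIST_FILE [PASSWD_FILE]
# LIST_FILE: hypothetical format, one username per line; blank lines
# and lines starting with '#' are ignored.
# Prints every listed name that has no exact match in PASSWD_FILE.
missing_users() {
    mu_list=$1
    mu_db=${2:-/etc/passwd}
    while IFS= read -r mu_name || [ -n "$mu_name" ]; do
        case $mu_name in
            ''|'#'*) continue ;;
        esac
        # Exact field comparison, so "dbadm" does not match "dbadmin".
        if ! awk -F: -v n="$mu_name" \
            '$1 == n { found = 1 } END { exit !found }' "$mu_db"; then
            printf '%s\n' "$mu_name"
        fi
    done < "$mu_list"
}

# preflight LIST_FILE [PASSWD_FILE]
# Returns 0 when every listed account resolves, 1 otherwise.
preflight() {
    pf_missing=$(missing_users "$1" "${2:-/etc/passwd}")
    if [ -n "$pf_missing" ]; then
        printf 'Unresolved local accounts in planned permissions list:\n%s\n' \
            "$pf_missing" >&2
        return 1
    fi
    return 0
}

# Run as: sh preflight.sh planned-users.txt [passwd-file]
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

A non-zero exit means at least one name would fail the check assumed here; correct the list or create the account before saving the policy in the KeyControl webGUI.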
Windows Access Control Policy Maintenance
Whenever you change a Windows Access Control Policy in KeyControl, KeyControl sends the changes to each associated VM on the VM's next heartbeat. At that time, the Policy Agent verifies the new permissions list. If any local user account entries are not found, the Policy Agent raises an alert and continues to use the old permissions list until the VM reboots. At that time, if the permissions list still contains invalid local accounts, the Policy Agent raises an alert and does not enable any access controls on the disk.
Whenever a Windows VM reboots, regardless of whether there have been any changes to the associated Access Control Policies, the Policy Agent re-verifies the entries in each policy's permissions list on each protected disk. If all of the local user account entries are still valid for an individual disk, the Policy Agent enables the Access Control Policy on the disk. Otherwise, the Policy Agent raises an alert and does not enable any access controls on the disk.
As with the initial policy application, if a policy's permissions list contains AD accounts that have since been removed from AD, the Policy Agent ignores the non-existent accounts and implements the rest of the Access Control Policy.