Whenever a role needs to be granted (or denied) permission to perform an action, access data, or use fields, the policy decision point will use the policies assigned to the active roles to determine the appropriate action.
Use Procedure When
There is a new policy which needs to be granted to, or denied to, an existing group
There is a formal request to block types of data or actions from members of an existing group
The legislative or policy environment has changed and policies on roles need to be modified
Procedure
Before Beginning
Ensure that the policy and role assignment are documented in a knowledgebase
Ensure that the policy has been created
Ensure that the administrative design matches the desired policy assignment (i.e., should this really be an assignment to an existing group, or should it be an assignment to a new group?)