After setting a Master Policy that determines how accounts will be managed in the entire organization, you can create exceptions to add granularity as needed and set different behavior for specific platforms that will override the corresponding rules set by the Master Policy. Execptions can be set for a scope of accounts associated with a specific platform. The Master Policy, together with the exceptions defined on each platform, determine the resultant behavior of the system on each account, based on its Platform.

To define more granularity for a specific scope of accounts, such as the Windows PCI accounts, after you define the Master Policy, you can duplicate a Windows platform in Platform Management and define an exception that contains specific rules that are relevant to Windows PCI only. The unique combination of the Master Policy rules together with the exception ensures that each platform is managed exactly according to your needs, with minimum configuration.

Initially, when a user adds an exception, it inherits all values from the Master Policy and these values still adopt any changes made in the Master Policy. However, if a user changes the value of any setting in the exception, either basic or advanced, the new value overrides the value that was inherited from the Master Policy and disconnects the setting value from the Master Policy. To emphasize this, a broken chain icon is displayed next to the ‘disconnected’ setting.

In addition, any changes made in a Master Policy after an exception is created do not affect any settings in the exception that override the Master Policy; they only affect the settings in the exception that inherit directly from Master Policy. This is especially relevant when a rule contains several basic and advanced settings, and some of the exception settings may inherit values from the Master Policy and some override it.

For example, an enterprise decides that users can connect directly to target systems (“Click to Connect”) but can still view passwords when needed (i.e. utilize the “Show” or “Copy” functions). However, the Windows PCI accounts cannot be viewed by users and can only be accessed through the ‘Connect’ button. In this case, an exception will be created for the rule that defines that users can connect directly to target systems on a Windows PCI platform. The basic setting remains without changes (meaning that it inherits from the Master Policy), while the advanced setting that determines that users can view passwords will be disabled, overriding the Master Policy.