Writing Organization Policy

This topic provides an overview of using rules to write Illumio CloudSecure organization policies. Organization policies are guardrail policies: they can prevent application policies from allowing undesired traffic, or they can be additive to application policies, allowing desired traffic that no application policy allows. An organization policy can exist on its own, but organization policies are also evaluated during policy computation for every application policy.

For an overview of the Illumio CloudSecure policy model, see CloudSecure Policy Model. For a list of resources against which you can write policy, see Resources that Support Policy.

In order to write policy, you must create rules for the policy. Illumio CloudSecure has the following rule types for organization policies:

  • Allow Rules

    You can write rules that allow communication between sources and destinations. Organization allow rules are combined with application allow rules: if Allow Rule A is in an organization policy and Allow Rule B is in an application policy, the application is computed as if it contained both rules A and B, so traffic matched by either rule is allowed. Example use cases:

    • You want to allow SNMP traffic between two applications even though no application policy contains an allow rule for it

    • You want an organization-wide allow rule that is more inclusive than the existing application policy allow rules

  • Override Deny Rules

    This rule type is typically used to deny communication between sources and destinations that might inadvertently be granted by allow rules created by another CloudSecure administrator. Override deny rules take precedence over all other rule types, including organization policy allow rules, so a matching override deny rule blocks the traffic no matter which allow rules also match it. Use cases include instances where you do not want organization or application policies:

    • Allowing development to talk to production
    • Allowing public access to a database
    • Allowing SSH anywhere
    • Allowing Telnet anywhere
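The following is an added example, not CloudSecure's own policy engine or API. It is a small model of the precedence described above: organization and application allow rules are unioned, override deny rules win over every allow, and unmatched traffic is denied by default. The label names (app, env, role, public), the rule format and the sample flows are constructed for illustration.

```python
"""Toy model of organization/application rule precedence (constructed example).
Not the CloudSecure engine: label names, rule layout and flows are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Labels on a cloud resource. 'public' marks an Internet source."""
    app: str
    env: str
    role: str = ""
    public: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str        # "org" or "app": which policy the rule came from
    action: str       # "allow" or "override_deny"
    src: tuple        # ((label, value), ...); empty tuple = any source
    dst: tuple        # ((label, value), ...); empty tuple = any destination
    ports: frozenset  # {(proto, port), ...}; empty = any service


def _labels_match(ep, constraints):
    return all(getattr(ep, label) == value for label, value in constraints)


def rule_matches(rule, src, dst, proto, port):
    if not _labels_match(src, rule.src) or not _labels_match(dst, rule.dst):
        return False
    return not rule.ports or (proto, port) in rule.ports


def evaluate(rules, src, dst, proto, port):
    """Decide one flow. Override deny beats every allow; org and app allows
    are treated as one combined set; anything unmatched is denied."""
    hits = [r for r in rules if rule_matches(r, src, dst, proto, port)]
    for r in hits:
        if r.action == "override_deny":
            return "deny", r.name
    for r in hits:
        if r.action == "allow":
            return "allow", r.name
    return "deny", "default"


ANY = ()
RULES = [
    # Organization allow rule: monitoring may poll any web tier over SNMP,
    # even though no application policy says so.
    Rule("org-allow-snmp", "org", "allow",
         (("app", "monitoring"),), (("role", "web"),), frozenset({("udp", 161)})),
    # Application allow rules written by an app owner. The SSH rule is the kind
    # of over-broad allow that a guardrail should override.
    Rule("app-allow-web-to-db", "app", "allow",
         (("role", "web"),), (("role", "db"), ("env", "prod")), frozenset({("tcp", 5432)})),
    Rule("app-allow-bastion-ssh", "app", "allow",
         (("role", "bastion"),), (("role", "web"),), frozenset({("tcp", 22)})),
    # Organization override deny rules: the four guardrails from the use-case list.
    Rule("org-deny-dev-to-prod", "org", "override_deny",
         (("env", "dev"),), (("env", "prod"),), frozenset()),
    Rule("org-deny-public-db", "org", "override_deny",
         (("public", True),), (("role", "db"),), frozenset()),
    Rule("org-deny-ssh", "org", "override_deny", ANY, ANY, frozenset({("tcp", 22)})),
    Rule("org-deny-telnet", "org", "override_deny", ANY, ANY, frozenset({("tcp", 23)})),
]

# Constructed sample resources.
WEB_PROD = Endpoint("shop", "prod", "web")
WEB_DEV = Endpoint("shop", "dev", "web")
DB_PROD = Endpoint("shop", "prod", "db")
MONITOR = Endpoint("monitoring", "prod", "monitor")
BASTION = Endpoint("ops", "prod", "bastion")
INTERNET = Endpoint("internet", "", "", public=True)


def decide_sample_flows():
    """Evaluate a handful of constructed flows against RULES."""
    flows = {
        "snmp-monitoring-to-web": (MONITOR, WEB_PROD, "udp", 161),   # org allow, no app rule
        "web-to-db-prod": (WEB_PROD, DB_PROD, "tcp", 5432),          # app allow
        "dev-web-to-prod-db": (WEB_DEV, DB_PROD, "tcp", 5432),       # app allow overridden
        "internet-to-db": (INTERNET, DB_PROD, "tcp", 5432),          # public access to a DB
        "bastion-ssh-to-web": (BASTION, WEB_PROD, "tcp", 22),        # app allow overridden
        "web-to-db-mysql": (WEB_PROD, DB_PROD, "tcp", 3306),         # nothing matches
    }
    return {name: evaluate(RULES, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (decision, by) in decide_sample_flows().items():
        print(f"{name:26} {decision:5} ({by})")
```

The point to notice is the third and fifth flows: the application policy contains an allow rule that matches, and the flow is still denied because an organization override deny rule also matches. The first flow shows the additive case, where an organization allow rule admits traffic that no application rule mentions.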

Differences between Organization and Application Policies

You can think of organization policies as guardrail policies that might need to be applied across your infrastructure. See Organization Policy versus Application Policy for information.

Unlike application rules, you do not start writing organization policy from an application seen in the Applications left navigation menu. Instead, go to the Policies > Organization Policies tab and click Add to begin. For instructions on creating rules for organization policies, see the pop-ups in the CloudSecure GUI.

Once you have saved your rule for the organization policy, the rule is enabled automatically, and the Provision Status column shows a green Pending icon. The Policies > Organization Policies tab also shows a green Pending icon in the Provision Status column. The Pending icon indicates a change that has been saved but not yet provisioned; depending on what you are doing to a given policy, the icon may be red, green, or blue. See Pending Icon Color Codes.

Pending Icon Color Codes

Color   Meaning
Red     Deletion pending
Blue    Update pending
Green   Addition pending

Guidelines, Permitted Combinations, Provisioning, and Caveats

The guidelines, permitted combinations, provisioning steps, and caveats for writing organization policy override deny rules are virtually the same as for application policies. See Writing Application Policy for information.

NOTE: Organization policies let you select All Applications as the destination of an Allow Rule.