Citrix DaaS™

Policy sets

Policy sets are objects in Citrix DaaS™ that aggregates policies to allow for simplified, role-based access, and easy management. Once created, scopes and delivery groups are assigned to policy sets so that only authorized administrators can manage the policies that apply to their relevant users and machines.

Policy sets help you manage Citrix® policies more efficiently by organizing them into logical groups. When you assign a policy set to a delivery group, the delivery group uses only the policies in that set.

This section explains how policy sets behave, how to create and assign them, and how they interact with scopes and filters.

Benefits

Policy sets offer several key benefits:

  • Role-based access control for distributed administrator teams
  • Simplified mergers, acquisitions, and consolidations
  • Limited fault domain
  • Multitenant support for policies

The following table compares how policies work with and without policy sets:

Without policy sets With policy sets
All policies, settings, filters (assignments), and priorities are managed in one central location. Each policy set has its own settings, filters (assignments), and priorities.
If you manage one policy, you must manage every policy. Full administrators can delegate to lower-level admins the ability to manage a particular policy set on an individual basis.
Policies in large and distributed environments become complex and difficult to manage. Policies in large and distributed environments can be divided and managed easily.

How policy sets work

Policy sets are assigned to delivery groups and scoped to specific administrators. Policies within a set continue to use filters (assignments) to determine which users or machines they apply to.

Key behaviors:

  • Policy sets are assigned to delivery groups
    • A delivery group can use only one policy set at a time.
    • A policy set can be assigned to multiple delivery groups.
    • If a delivery group doesn’t have a policy set assigned, it uses Default Policy Set.
  • Filters on policies still apply, regardless of whether the policy is in a set.
  • A policy set can have one or multiple scopes.
    • A scope represents a collection of objects (for example, connections, catalogs, delivery groups, and application groups) that administrators can manage.
    • As administrators, you can define the scope of the policy set so that only authorized administrators can view or edit it. You can set scopes during policy set creation or when editing the set later.

Policy filters and assignments work the same way as they do without policy sets. For more information, see How do filters get applied.

Enable policy sets

In Studio, go to Settings > Site settings and turn on the Policy sets setting.

Enable policy sets

Note:

  • You must enable policy sets before creating a policy set.
  • When you enable policy sets, all existing policies are grouped into Default Policy Set. This set is automatically assigned to all delivery groups unless you assign a different set. After a new policy set is assigned to a delivery group, that group stops using the default policy set.

Create policy sets

You can create policy sets to mirror logical divisions in your administrator team and company. For example, you can create a policy set for each geographic region, business-unit, or for specific use case.

You can create policy sets in two ways:

Alternatively, you can use the Citrix DaaS REST APIs to create and manage policy sets. For more information, see How to create a policy set in Citrix DaaS.

Create policy sets from scratch

  1. In Studio, select the Policies node in the left pane.
  2. Click the Policies tab.
  3. Select Create Policy Set.
  4. Click the Name and Description tab, and enter the name and description for the policy set.
  5. Click the Assignments tab, and select one or more delivery groups.
  6. Click the Scopes tab, and select the scopes that define the objects that the policy set can apply to.
  7. Click Create to finish.

Clone policy sets

  1. In Studio, select the Policies node in the left pane.
  2. Click the Policies tab.
  3. Select Clone Policy Set.
  4. Update the name of the policy set.
  5. Update or create assignments for the policy set and click Next.
  6. Select or clear policies to include in the cloned policy set.
  7. Update the scope of the policy.
  8. Click Create.
Policy sets