What are Policy Restrictions?
Policy Restrictions can be used to prevent users from accessing other clients' devices, policies, and Catalog items in multi-tenant environments.
Policy Restricted Users
Note that when a user is policy-restricted, certain privileges will be taken away as some actions require full access to all policies in an environment.
A user's current policy restrictions can be viewed on the Account > Users page in the 'Policies' column. If the column reports 'All', the user has access to all policies in the environment.
If the column reports a number, click on the number to review the policies the user is restricted to:
To modify a user's Policy Restrictions, select the three dots in the 'Actions' column for that user ••• > Edit:
Note: To allow a user access to ALL policies, ensure all policies have been deselected (all boxes should be unselected). Selecting all policies (checking all the boxes) will enforce unintended restrictions for the user.
Expected Behavior with Child Accounts
When a user impersonates into a Child Account, any Policy Restrictions set in the Parent environment will be carried over. This implies that Policy Restricted users will not be able to see any policies or devices in the Child Account while impersonating as they have not been granted explicit access to them.
To allow Policy Restricted users access to policies and devices in the Child Account, we recommend creating them a separate user account with a different email (or alias email) in the Child environment to access the account rather than using impersonation.