Documenting common privileges
Besides helper domains, most functionality-driven policies also group privileges that can be assigned to domains. Such privileges not only let a domain manage the common resources, but can also extend other domains with the functional requirements that the common policy manages.
All e-mail daemons need to be able to bind to the proper TCP ports, handle user mailboxes, and so on. By bundling these common privileges on the functional policy level, any evolution pertaining to the policy can be immediately granted to all domains inheriting privileges from the functional policy, rather than having to update each domain individually.
How to do it…
Common privileges come in a wide variety, and how they are assigned depends on the use case. The following method, based on the e-mail server definition in the MTA policy, provides a flexible approach:
Create an attribute for the functional domain to which common privileges are granted:
attribute mailserver_domain...
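The attribute approach laid out end to end, as an added sketch that is not the book's or the reference policy's own code. The modules mymail and mydaemon, the attribute mymail_server_domain (standing in for mailserver_domain), the type mymail_spool_t and the interface mymail_server are hypothetical names; the macros called are those of the reference policy.

```selinux
#### mymail.te: the functional policy (hypothetical module) ####
policy_module(mymail, 1.0)

# The attribute that collects every mail server domain.
attribute mymail_server_domain;

# Hypothetical type for user mailboxes owned by this module.
type mymail_spool_t;
files_type(mymail_spool_t)

# Common privileges are written once, against the attribute.
# Every domain carrying the attribute may bind to the SMTP port...
corenet_tcp_bind_generic_node(mymail_server_domain)
corenet_tcp_bind_smtp_port(mymail_server_domain)
# ...and manage the mailboxes.
manage_dirs_pattern(mymail_server_domain, mymail_spool_t, mymail_spool_t)
manage_files_pattern(mymail_server_domain, mymail_spool_t, mymail_spool_t)

#### mymail.if: the interface other modules call ####
## <summary>
##	Mark a domain as a mail server so that it inherits
##	the common mail server privileges.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to mark as a mail server.
##	</summary>
## </param>
interface(`mymail_server',`
	gen_require(`
		attribute mymail_server_domain;
	')

	typeattribute $1 mymail_server_domain;
')

#### mydaemon.te: a daemon policy that opts in (hypothetical module) ####
policy_module(mydaemon, 1.0)

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# One call grants everything the functional policy defines for mail
# servers, now and after any later update to mymail.te.
mymail_server(mydaemon_t)
```

Because the allow rules target the attribute, reviewing what a mail server domain may do means reviewing mymail.te alone; a rule added there widens every domain that called the interface, so changes to the attribute's rules deserve the same scrutiny as changes to each daemon policy.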