

Authorization Rules Configuration

The ENC Gateway Service Authorization Rules are configured from the DSM configuration policy editor. Unlike other policy sections, there is no direct access to the underlying authorization tables; configuration is provided by a custom view dialog. The dialog handles inter-table dependencies and provides pre-commit evaluation of the specified rules.

The configuration view is provided across five tabbed views within the configuration dialog. The tabs and their contents are as follows:

Realms

This view provides the ability to view or define an ENC realm and add some short notes relevant to the realm.

Name Mapping

This view provides the ability to review or define the mapping between authenticated objects and their realm membership. The key field is the authenticated identity as a URI. The URI to realm mapping can be through a fully specified URI which must match exactly or a URI specified as a regular expression to match multiple URIs.

Time Ranges

All of the authorization access control in ENC can be time-restricted. This tab view provides the ability to define a time-range for use by individual access control entries. Entries are either 'normal weekdays', where the time-range applies to one or more days from Sunday to Saturday, or 'special dates' such as Independence Day.

The hours for which the time range is valid are specified as a start and end period in 24 hour format, such as "00:00 - 00:00" for a full 24-hour period. The granularity of the time range is 30 minutes, so each entry should use 00 or 30 as the minute value.

Access Control

This tab provides access to the timed access control entries (TACEs). Each entry allows you to specify named rules that allow or deny activity; rules that deny access take precedence over rules that allow it. The TACE name is recorded in audit entries and is also displayed by the utility command when simulating accesses to test rule-sets, so it is recommended that you give each rule a reasonably descriptive name.

An access control entry can control a single event or be aggregated to control multiple events within a single rule. Each rule names a protected resource (the secured object) and an accessing object (the security principal).
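As an added illustration, not DSM's own code, the following Python model shows how the Name Mapping, Time Ranges and Access Control tables described above combine when a rule-set is evaluated: a URI is mapped to a realm (exact match or regular expression), time ranges are checked for weekday membership and 30-minute granularity, and a matching deny rule outranks any matching allow rule. All table contents, realm names and resource names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed tables modelling the three configuration tabs (not DSM data).
REALM_MAP = [                       # Name Mapping: exact URI or regex -> realm
    ("urn:enc:user:alice", "ops"),
    (re.compile(r"^urn:enc:host:.*\.lab\.example$"), "lab"),
]
TIME_RANGES = {                     # Time Ranges: weekdays (0=Sun..6=Sat), "HH:MM - HH:MM"
    "business": ({1, 2, 3, 4, 5}, "09:00 - 17:30"),
    "always":   ({0, 1, 2, 3, 4, 5, 6}, "00:00 - 00:00"),
}
TACE = [                            # Access Control: (name, action, realm, resource, time-range)
    ("allow-lab-keys", "allow", "lab", "keystore", "business"),
    ("deny-lab-keys",  "deny",  "lab", "keystore", "always"),
    ("allow-ops-keys", "allow", "ops", "keystore", "business"),
    ("allow-lab-logs", "allow", "lab", "logs",     "always"),
]

def validate_range(spec):
    """Enforce the 30-minute granularity: minutes must be 00 or 30."""
    start, end = (t.strip() for t in spec.split("-"))
    for t in (start, end):
        h, m = map(int, t.split(":"))
        if not (0 <= h < 24 and m in (0, 30)):
            raise ValueError(f"invalid time {t!r} in {spec!r}")
    return start, end

def realm_of(uri):
    """First Name Mapping entry that matches wins; exact strings match exactly."""
    for pattern, realm in REALM_MAP:
        matched = pattern == uri if isinstance(pattern, str) else pattern.match(uri) is not None
        if matched:
            return realm
    return None

def in_range(name, when):
    days, spec = TIME_RANGES[name]
    start, end = validate_range(spec)
    if (when.isoweekday() % 7) not in days:    # isoweekday Mon=1..Sun=7 -> Sun=0
        return False
    if start == end:                            # "00:00 - 00:00" covers the full day
        return True
    return start <= when.strftime("%H:%M") < end  # zero-padded HH:MM sorts correctly

def evaluate(uri, resource, when):
    """Return (decision, TACE name); deny rules take precedence over allow rules."""
    realm = realm_of(uri)
    matches = [r for r in TACE if r[2] == realm and r[3] == resource and in_range(r[4], when)]
    for r in matches:
        if r[1] == "deny":
            return "deny", r[0]
    return ("allow", matches[0][0]) if matches else ("deny", None)
```

The returned TACE name is what an audit entry or the rule-set simulation utility would report; an unmapped URI or an access outside every matching time range falls through to a default deny with no rule name.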

IP Addresses

This tab provides the IP address white-list table. Each entry is either a single IP address or an IP address range specified by a pattern-matching expression. The infrastructure machines will only accept connections from machines with the specified addresses.