Single Sign-On Service › SSO Policy Server Configuration Guide › Implementing Policy-based Security › Identity Management Roles and Access Control

Identity Management Roles and Access Control

Integrating with Identity Management lets you can implement policy–based access control using Identity Management roles. These roles enable centralized management of user privileges in external applications.

Note: For more information about configuring the integration, see the CA Identity Manager documentation.

The integration requires:

• The Policy Server installation includes the required data definitions for the CA Identity Manager integration at the following location.

  siteminder_home\xps\dd
  

  siteminder_home

  Specifies the Policy Server installation path.

• The name of the file is:

  IdmSmObjects.xdd
  

  Important! Do not import this file in to the policy store until you have completed the Identity Management integration. If you import the data definitions before completing the integration, the Policy Server can reach an indeterminate state. Coordinate the integration with your Identity Management administrator.

• Identity Management administrators manage environments and roles in Identity Management to determine user access to the applications that CA SiteMinder® secures. The CA SiteMinder® CSP console refers to these environments as an IDM environment.

  Note: For more information about environments and roles, see the Identity Management documentation.

• CA SiteMinder® administrators use the CSP console to associate one or more IDM environments to a policy domain and user directory. A CA SiteMinder® administrator cannot create or manage an IDM environment.
• CA SiteMinder® administrators use the CSP console to create a policy and associate one or more roles that are available to the IDM environments. A CA SiteMinder® administrator cannot create or manage a CA Identity Manager role.

  Note: You cannot apply a Identity Management role to an enterprise management application.

CA SiteMinder® can also provide details about entitlements that a Identity Management user has in protected applications. As the following figure illustrates, a CA SiteMinder® administrator associates a response with an access rule in the policy. The response contains a response attribute that specifies a CA SiteMinder®–generated user attribute.

The CA SiteMinder®–generated user attribute retrieves task information from Identity Management. The Policy Server passes this information to the web agent as an HTTP header variable or a cookie. The web agent makes the header variable or cookie available to the protected application for fine–grained access control.