

Create Access Policies

Access policies are rules that are created in CA EEM and attached to CA Configuration Automation users and user groups to define access rights for CA Configuration Automation features. CA EEM matches identities and resource classes to determine whether policies apply to users.

The Access Management tab page contains a link to the Policies page. On the Policies page, you can search, view, create, and edit access policies.

The application sorts policies in the tree by the policy type and displays them under the following tabs:

Explicit Grants

Grants the identities the specified access rights to the specified resources when the policy evaluates to "true."

Explicit Denies

Denies the identities the specified access rights to the specified resources when the policy evaluates to "true."

The application includes the following policy types in addition to application-specific access policies:

Delegation Policies

Enables users to delegate their authority to other users.

Dynamic User Group Policies

Specifies the policies that use rules to define application-specific groups and their membership.

Event Policies

Determines which events are delivered, and which events are only coalesced into summaries. By using event policies, you can configure which events the application reports in detail.

Obligation Policies

Returns required actions to the application after verifying authorization. The obligation policies are application-specific. They contain one or more obligation names and attributes. Your application can use obligation policies to control what actions to perform when access is granted or denied. For example, the application can send an event, start a workflow process, or send an email.

Scoping Policies

Limits administrator access to CA EEM objects, such as policies or a calendar.

Follow these steps:

  1. Open CA Configuration Automation, click the Administration link, then click the Access Management tab.

    The CA EEM Home tab opens in the context of CA Configuration Automation.

  2. Click Manage Identities, then click the Policies link.
  3. On the Policies page, click the Explicit Grants or the Explicit Denies tab, then click the New Access Policy icon for any Access Policies folder.

  4. In the New Access Profile page, complete the following fields, then click Save.
    Name

    Defines the policy name. To prevent display issues, use only alphanumeric characters.

    Description

    Describes the policy. For example, you can specify the purpose of the policy.

    Calendar

    Specifies the calendar to use during the policy evaluation match phase. If you do not specify a calendar, all days and times match.

    Resource Class Name

    Specifies the name of the resource class for which the policy is defined. For example, you can set the resource class name for all delegation policies to safeDelegation and the resource class for all obligation policies to safeObligation. Define new resource classes on the Application Instances page.

    Explicit Deny

    Specifies whether the policy explicitly denies the access that the policy specifies and that the Explicit Denies tab displays.

    Disabled

    Specifies whether the policy is disabled and is not considered for the match phase.

    Pre-Deployment

    Specifies whether the policy is considered inactive. If you select the Pre-Deployment check box, the application does not use the policy to verify permissions.

    Type

    The following fields control the Access Policy Configuration:

    Access Policy

    Applies the actions and filters to all listed resources.

    Access Control List

    Specifies that each listed resource has specific actions and zero or one filter.

    Identity Access Control List

    Specifies that the application applies the actions to specific identities. The application creates a default rule that applies to all identities that are not in the list. The application also marks identity types (user, application groups, global groups, and dynamic groups) with icons.

    Note: The application maintains a simple list for the resources, and has no filters for this type of policy.

    Identities Panel

    Defines a list of identities (users, user groups, and global user groups) to use during the policy evaluation match phase. If this list is empty, all identities match.

    Type

    Specifies the type of identity (User, Application Group, Global Group, or Dynamic Group).

    After you select a type, you can specify search criteria such as the attribute, operator, and value and click Search to display matching identities.

    Identity

    Displays the identities that match the specified Type.

    Selected Identities

    Displays the identities to which the policy applies. To move an identity to the Selected Identities field, click the right arrow.

    Access Policy Configuration Panel

    The Access Policy Configuration panel displays the following fields when the selected Type is Access Policy:

    Add Resources

    Defines which resources to use during the policy evaluation match phase. To designate wildcard characters, use the asterisk (*) at the beginning or the end of the resource name. The product processes asterisks in the middle of the resource class name as literals.

    Actions

    Specifies the actions (one or more of create, update, delete, export, or import) to use during the match phase of policy evaluation. If you do not select an action, all actions match.

    Filters

    Defines the filters to use in the policy evaluation evaluate phase. To define a filter, click Add Filter.

    Access Control List Configuration Panel

    The Access Policy Configuration panel displays the following fields when the selected Type is Access Control List:

    Add resource

    Defines a resource to use during the policy evaluation evaluate phase. Enter the resource name, then click the Add icon (+).

    Actions

    Specifies the actions (one or more of create, update, delete, export, or import) to use with the associated resource.

    Treat Resource Names as Regular Expressions

    Specifies whether to consider resource names as regular expressions. For example, an identity with access to the resource J*, saved as a regular expression, can access any resource that starts with J.

    Filters

    Defines the filter to which the associated resource name applies. To define a filter, click the pencil icon.

    Identity Access Control List Configuration Panel

    The Access Policy Configuration panel displays the following fields when the selected Type is Identity Access Control List:

    Type

    Specifies the type of identity (User, Application Group, Global Group, or Dynamic Group).

    After you select a type, you can specify search criteria such as the attribute, operator, and value and click Search to display matching identities.

    Identity

    Displays the identities that match the specified Type.

    Selected Identities

    Displays the identities to which the policy applies.

    Resources

    Defines a resource to use during the policy evaluation evaluate phase. This resource has specific associated actions and a filter.

    Add Resources

    Defines which resources to use during the policy evaluation match phase. To designate wildcard characters, use the asterisk (*) at the beginning or the end of the resource name. The product processes asterisks in the middle of the resource class name as literals.

    Treat Resource Names as Regular Expressions

    Specifies whether to consider resource names as regular expressions. For example, an identity with access to the resource J*, saved as a regular expression, can access any resource that starts with J.

    The application creates the Access Profile.
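
The match-phase rules from the field descriptions above (Disabled, Pre-Deployment, empty identity and action lists, and asterisk wildcards for the Access Policy type), modelled as an added example for reviewing how far a policy reaches. This is not CA EEM code: the dictionary layout, function names and sample policies are assumptions, and grant/deny precedence, calendars and filters are not modelled.

```python
# Added illustration, not CA EEM code; dict layout and names are assumptions.
def resource_matches(pattern, name):
    """'*' is a wildcard only as first or last character; elsewhere literal."""
    lead = pattern.startswith("*")
    trail = pattern.endswith("*") and len(pattern) > 1
    core = pattern[1 if lead else 0:len(pattern) - (1 if trail else 0)]
    if lead and trail:               # assumption: both ends means "contains"
        return core in name
    if lead:
        return name.endswith(core)
    if trail:
        return name.startswith(core)
    return name == core

def is_active(policy):
    # Disabled and Pre-Deployment policies are not used to verify permissions.
    return not (policy.get("disabled") or policy.get("pre_deployment"))

def policy_matches(policy, identity, resource, action):
    if not is_active(policy):
        return False
    ids, acts = policy.get("identities", []), policy.get("actions", [])
    if ids and identity not in ids:  # empty identity list: all identities match
        return False
    if acts and action not in acts:  # no action selected: all actions match
        return False
    # Assumption: an empty resource list matches nothing (page does not say).
    return any(resource_matches(p, resource) for p in policy.get("resources", []))

def matching(policies, identity, resource, action):
    """(name, tab) for each matching policy; grant/deny precedence is not modelled."""
    return [(p["name"], "deny" if p.get("explicit_deny") else "grant")
            for p in policies if policy_matches(p, identity, resource, action)]

def broad_policies(policies):
    """Active policies that match every identity or every action."""
    return [p["name"] for p in policies
            if is_active(p) and (not p.get("identities") or not p.get("actions"))]

# Constructed sample policies, not exported from a real CA EEM instance.
POLICIES = [
    {"name": "OpsBlueprints", "identities": ["alice"], "actions": ["update"],
     "resources": ["Blueprint*"]},
    {"name": "DenyExport", "explicit_deny": True, "identities": [],
     "actions": ["export"], "resources": ["*"]},
    {"name": "Draft", "pre_deployment": True, "identities": [], "actions": [],
     "resources": ["*"]},
    {"name": "Literal", "identities": ["bob"], "actions": [], "resources": ["Srv*Prod"]},
]
```

Running `broad_policies` over a hand-transcribed list of policies highlights the ones whose empty Identities or Actions fields make them apply more widely than their name suggests.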