The ENC Authorization Rules configuration view lets you view or edit ENC tables and their associated contents. The ENC Authorization component uses these tables to enforce permissions and access control for all communications and operations in the ENC environment.
Note: Unlike other policy groups, there is no direct access to the underlying ENC authorization tables from the configuration policy editor, that is, the dynamic Setting Properties and Modify Properties dialogs. Therefore, you must use the ENC Authorization Rules configuration view, which handles inter-table dependencies and provides pre-commit evaluation of the specified rules.
This view consists of a main dialog, ENC Authorization Rules, with five tab pages—one each for the configuration policies associated with the following tables:
This table defines the realms in use within the ENC infrastructure. The other tables cross-reference this table when choosing a realm as a security principal or a secured object. The table accepts a name and a set of optional notes about the realm entry.
This table defines the security objects (principals) that are mapped to given realms. Each individual entry can be marked as enabled or disabled for operational purposes.
For name (URI) mapping, this table defines the authenticated objects that are mapped to a given realm. The type can be either an Exact Match, where the URI is fully specified, or a Pattern Match, where a regular expression defines the set of URIs to match. In most cases a pattern match is the appropriate choice, because identity certificates are issued to an organization or organizational unit that a pattern can identify unambiguously.
Note: ENC uses Perl Compatible Regular Expressions (PCRE) for the pattern matching functionality. For more information, see the http://www.pcre.org web site. A PCRE pattern matches anywhere in the subject string unless it is anchored, and an unescaped dot matches any character, so anchor patterns with ^ and $ and write literal dots as \. to avoid matching URIs you did not intend.
All Access Control Entries (ACEs) can be made active or inactive at a given time, date, or date range. In this table you define the time ranges that suit your needs. A simple example would be for the working week, where you might define a time range from 09:00-17:00, select Normal Weekdays, and then select Monday through Friday.
Another example is locking down access on certain holidays or during maintenance windows. In this case, you would select Special Dates and enter the year, month, and day. For each of these fields, the number 0 (zero) is a wild-card, so 0/7/4 (Y/M/D) matches the 4th of July in every year.
This table defines the Timed Access Control Entries (TACEs); the set of entries is collectively known as the Timed Access Control List (TACL). A TACE is a rule that controls access from a Security Principal to a Secured Object for one or more specified operations (Events). Each entry can be individually enabled or disabled.
The security principal can be defined using an exact match of a URI for the most granular matching, a pattern matched URI for slightly less granularity, or a predefined realm name for least granular control.
Similarly, the secured object can be an exact URI match, a pattern matched URI, or a predefined realm. The Time Range field (cross-referenced to the Time Ranges table) defines when this rule is active. The Access Type field determines whether this rule should be used for denying access or allowing access; deny type rules are checked before explicit allow type rules.
Finally, the Name field names the rule. This can be a mnemonic name or anything you require, but it should be unique in the list so that audit records identify unambiguously which rule was applied.
This table defines a white list of IP addresses or IP address ranges that are allowed to establish a transport connection with the ENC Gateway infrastructure machines. An IP address can be literal, that is, fully specified (Exact Match), or an address range can be specified as a regular expression (Pattern Match). Because the expression is matched against the dotted-decimal text of the address, escape each dot as \. and anchor the pattern with ^ and $: an unanchored pattern such as 10\.1\.2\.\d+ also matches 110.1.2.7, and an unescaped dot matches any character, not only a dot.
Note: See the Implementation Guide for an expansive overview of the terms and usage of authorization within the ENC environment.
The basic steps for using the ENC Authorization Rules configuration view are as follows:
If no authorization rule allows a specified event, access is denied for that event. Initially no rules are defined, so all access is denied until you add allow rules.
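As an added worked example, not part of the original page and not the ENC product's own code, the following Python script models the five tables described above (Realms, name mappings, Time Ranges, the TACL, and the IP white list) and evaluates a request against them: deny rules before allow rules, default deny, wild-card 0 in special dates, and PCRE-style pattern matching. All table contents, URIs and field names are constructed for illustration and are assumptions about the product's schema, as are the exclusive window end and the whole-day window for special dates. The patterns carry explicit anchors and escaped dots, and the transport check shows why.

```python
"""Toy evaluator for the ENC Authorization Rules tables (added example, not product code).
Table contents and field names are constructed assumptions, not the product's schema.
Pattern Match entries use re.search(), which is unanchored like PCRE, so each pattern
below carries explicit ^ and $ anchors and escapes literal dots."""
import re
from datetime import datetime

# Realms table: a name plus optional notes.
REALMS = {"corp": "production agents and gateways"}

# Name (URI) mapping table: authenticated URIs mapped to a realm.
# type is "exact" (whole-string compare) or "pattern" (PCRE-style regex).
AGENT_PATTERN = r"^enc://[a-z0-9-]+\.agents\.example\.com/.*$"
NAME_MAPPINGS = [
    {"type": "pattern", "value": AGENT_PATTERN, "realm": "corp", "enabled": True},
    {"type": "exact", "value": "enc://gw01.example.com/inventory", "realm": "corp", "enabled": True},
]

# Time Ranges table.  "weekdays" entries carry a day set and an HH:MM window;
# "special" entries carry (Y, M, D) with 0 as a wild-card.  Assumption: the window
# end is exclusive, and a special date uses a 00:00-24:00 window for the whole day.
TIME_RANGES = {
    "business-hours": {"kind": "weekdays", "days": {"Mon", "Tue", "Wed", "Thu", "Fri"},
                       "start": "09:00", "end": "17:00"},
    "july-4th": {"kind": "special", "date": (0, 7, 4), "start": "00:00", "end": "24:00"},
}

# Timed Access Control List: each TACE names a security principal, a secured
# object, the events it covers, a time range, and whether it allows or denies.
TACL = [
    {"name": "deny-holiday-all", "enabled": True, "access": "deny",
     "principal": {"type": "realm", "value": "corp"},
     "object": {"type": "realm", "value": "corp"},
     "events": {"connect", "register"}, "time_range": "july-4th"},
    {"name": "allow-agents-register", "enabled": True, "access": "allow",
     "principal": {"type": "pattern", "value": AGENT_PATTERN},
     "object": {"type": "exact", "value": "enc://gw01.example.com/inventory"},
     "events": {"connect", "register"}, "time_range": "business-hours"},
]

# Transport-level white list of peer addresses (Exact Match or Pattern Match).
IP_WHITELIST = [
    {"type": "exact", "value": "10.1.2.3"},
    {"type": "pattern", "value": r"^10\.1\.2\.\d{1,3}$"},
]


def match_name(entry, value):
    """Exact Match compares the whole string; Pattern Match is an unanchored
    regex search, as in PCRE, so the pattern itself must supply ^ and $."""
    if entry["type"] == "exact":
        return entry["value"] == value
    return re.search(entry["value"], value) is not None


def realms_of(uri, mappings=NAME_MAPPINGS):
    """Realms an authenticated URI belongs to, via enabled name mappings only."""
    return {m["realm"] for m in mappings if m["enabled"] and match_name(m, uri)}


def match_party(spec, uri):
    """Principal or secured object spec: exact URI, pattern URI, or realm name."""
    if spec["type"] == "realm":
        return spec["value"] in realms_of(uri)
    return match_name(spec, uri)


def time_range_active(tr, when):
    """True if `when` (datetime or ISO 8601 string) falls inside the entry."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    if not (tr["start"] <= when.strftime("%H:%M") < tr["end"]):
        return False
    if tr["kind"] == "weekdays":
        return when.strftime("%a") in tr["days"]
    y, m, d = tr["date"]
    return y in (0, when.year) and m in (0, when.month) and d in (0, when.day)


def authorize(principal, obj, event, when, tacl=TACL, time_ranges=TIME_RANGES):
    """Evaluate the TACL: deny rules first, then allow rules, default deny.
    Returns (decision, rule name) so the applied rule can be audited by name."""
    def applies(rule):
        return (rule["enabled"] and event in rule["events"]
                and time_range_active(time_ranges[rule["time_range"]], when)
                and match_party(rule["principal"], principal)
                and match_party(rule["object"], obj))

    for access in ("deny", "allow"):
        for rule in tacl:
            if rule["access"] == access and applies(rule):
                return access, rule["name"]
    return "deny", None


def transport_allowed(ip, whitelist=IP_WHITELIST):
    """Transport-level gate: the peer address must match a white list entry."""
    return any(match_name(e, ip) for e in whitelist)


if __name__ == "__main__":
    agent, gw = "enc://agent07.agents.example.com/register", "enc://gw01.example.com/inventory"
    print(authorize(agent, gw, "register", "2013-03-05T10:30"))  # ('allow', 'allow-agents-register')
    print(authorize(agent, gw, "register", "2013-07-04T10:30"))  # ('deny', 'deny-holiday-all')
    print(authorize(agent, gw, "register", "2013-03-09T10:30"))  # ('deny', None): a Saturday
    print(transport_allowed("110.1.2.7"))  # False: the anchored pattern rejects it
```

The deny rule for 0/7/4 fires on 4 July of any year even though the allow rule would also match on that Thursday, because deny rules are evaluated first; on a Saturday, or for an event no rule lists, nothing matches and the default is deny. The returned rule name is what an audit record would carry, which is why names should be unique.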
Copyright © 2013 CA.
All rights reserved.