Policy Server Guides › Policy Server Configuration Guide › Implementing Policy-based Security › CA Identity Manager Roles and Access Control

CA Identity Manager Roles and Access Control

Integrating with CA Identity Manager lets you can implement policy–based access control using CA Identity Manager roles. These roles enable centralized management of user privileges in external applications.

Note: For more information about configuring the integration, see the CA Identity Manager documentation.

The integration requires:

• The Policy Server installation includes the required data definitions for the CA Identity Manager integration at the following location.

  siteminder_home\xps\dd
  

  siteminder_home

  Specifies the Policy Server installation path.

• The name of the file is:

  IdmSmObjects.xdd
  

  Important! Do not import this file in to the policy store until you have completed the CA Identity Manager integration. If you import the data definitions before completing the integration, the Policy Server can reach an indeterminate state. Coordinate the integration with your CA Identity Manager administrator.

• CA Identity Manager administrators manage environments and roles in CA Identity Manager to determine user access to the applications that SiteMinder secures. The SiteMinder Administrative UI refers to these environments as an IDM environment.

  Note: For more information about environments and roles, see the CA Identity Manager documentation.

• SiteMinder administrators use the Administrative UI to associate one or more IDM environments to a policy domain and user directory. A SiteMinder administrator cannot create or manage an IDM environment.
• SiteMinder administrators use the Administrative UI to create a policy and associate one or more roles that are available to the IDM environments. A SiteMinder administrator cannot create or manage a CA Identity Manager role.

  Note: You cannot apply a CA Identity Manager role to an enterprise management application.

SiteMinder can also provide details about entitlements that a CA Identity Manager user has in protected applications. As the following figure illustrates, a SiteMinder administrator associates a response with an access rule in the policy. The response contains a response attribute that specifies a SiteMinder–generated user attribute.

The SiteMinder–generated user attribute retrieves task information from CA Identity Manager. The Policy Server passes this information to the web agent as an HTTP header variable or a cookie. The web agent makes the header variable or cookie available to the protected application for fine–grained access control.