The following process lists the steps for configuring a policy.
Note: You can also create policies using the Scripting interface for Perl. For more information, see the Programming Guide for Perl.
Follow these steps:
Create a policy by adding it to a new or existing domain. Policies define relationships between users and resources.
Follow these steps:
Note: This setting requires additional configuration at the Policy Server and the agent. For more information, see the knowledge base document titled Scenario: Require Re-Authentication for Sensitive Resources.
The Modify domain Task is submitted for processing.
You can add individual users, user groups, or both to a policy and create a policy binding between the added users and the policy. When a user tries to access a protected resource, the policy verifies that the user is part of its policy binding and then fires the rules included in the policy to see if the user is allowed to access the resource.
Follow these steps:
From within each user directory group box, you can choose Add Members, Add Entry, Add All. Depending on which method you use to add users to the policy, a dialog box will open enabling you to add users.
Note: If you select Add Members, the User/Groups pane opens. Individual users are not displayed automatically. Use the search utility to find a specific user within one of the directories.
You can edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.
The User Directories page reopens and lists the new users..
The task of binding users to the policy is complete.
Rules indicate the specific resources included in a policy and whether to allow or deny access to the resources when the rule fires. Responses indicate the actions you want to occur when the rule fires.
Note: Add at least one rule or rule group to a policy.
Follow these steps:
The Rules page opens.
The Available Rules pane opens.
The Rules section lists the added rules and groups.
Note: To remove a rule or rule group from a policy, click the minus sign (-) to the right of the rule on the Rules section. To create a rule, click New Rule on the Available Rules pane.
You can associate a response or response group with a rule in a policy. When the rule fires, the associated response also fires.
Follow these steps:
The Available Responses pane opens and lists the responses and response groups that have been configured for the policy domain.
The response opens in the Rules group box, and is associated with the respective rule.
Note: If the response you require does not exist, click New Response to create the response.
You can associate a rule with an existing global response.
Follow these steps:
The Available Responses pane opens.
Note: Global responses, responses, and group responses are listed in that order on the Available Responses pane.
The Rules group box reopens, and the selected response is added to the rule.
The Modify Policy Task is submitted for processing.
You can create a Boolean expression and add it to a policy. Boolean expressions operate on variables, and the values of the variables at the time that the policy is processed affect the outcome of the processing. Thus, Boolean expressions influence policy decisions.
Follow these steps:
The condition is added to the Infix Notation group box.
Note: To create multiple conditions, repeat this step.
The Modify Policy task is submitted for processing.
Adding a confidence level to a policy lets you apply the results of an RiskMinder risk score evaluation to an authorization decision. Using an active expression limits the confidence level to only those resources (rules) bound to the policy. For RiskMinder risk scores, lower numbers indicate less risk and a safer transaction. For CA SiteMinder® confidence levels, higher numbers indicate less risk and a safer transaction.
Follow these steps:
smriskactiveexpr
CheckConfidenceLevel
The confidence level is applied to the resources (rules) bound to the policy.
If CA SiteMinder® is integrated with a CA IdentityMinder, a CA IdentityMinder role is available for use in policies. Roles let the Policy Sever make authorization decisions for users who are members of CA IdentityMinder roles.
Follow these steps:
The CA IdentityMinder roles are added to the policy.
If a user who is a member of an excluded CA IdentityMinder role tries to access a protected resource, the Policy Server:
Follow these steps:
The CA IdentityMinder roles are excluded from the policy.
The Administrative UI allows you to exclude a user or group of users from a policy. This feature is very useful if you have a large user group that should be included in a policy, but you want to exclude a small subset of the group from the policy.
Follow these steps:
The User Directories page re-opens showing the user or group you chose, along with an Exclude button.
A check mark appears to the right of the user or group in the Current Members list to indicate that the user or group is excluded from the policy. An Include button replaces the Exclude button.
When you exclude a group from a policy, the exclusion indicates that anyone included in the policy who is a member of the excluded group (or the specifically excluded user), is not included in the policy. For example, if a policy contained the group Employees, and the excluded group Marketing, anyone who is a member of the Employees group, and not part of the Marketing group is included in the policy.
Your changes are submitted. The user or group will be excluded from the policy.
LDAP user directories can contain groups that contain other groups. In very complex directories, a hierarchy of nested groups is one way to organize tremendous amounts of user information.
For each LDAP user directory, you can specify that the policy allow nested groups. When nested groups are allowed in an LDAP directory, each user group in the directory and all sub-groups are searched when the policy is processed. When nested groups are not allowed, each user group in the directory is searched, but no sub-groups can be searched, when the policy is processed.
To allow nested groups in a policy that contains an LDAP user directory
The User Directories page opens, containing sections that correspond to the user directories associated with the policy domain.
The Modify Policy Task is submitted for processing, and nested groups are allowed for the specified LDAP user directories.
The AND Users/Groups check box lets you restrict authorization to users who are members of more than one user group or to a particular user who is a member of one or more user groups. When adding individual users and user groups in a user directory to a policy, you can specify AND relationships between them by selecting the check box. Alternately, you can specify OR relationships between them by clearing the check box.
When you specify AND relationships and apply the resulting policy to a user, the user must meet the following requirements to be authorized:
Note: A user who is excluded from the policy or is a member of a group that is excluded from the policy cannot be authorized.
Example: Assume that User1, Group1, and Group2 are all bound to a policy and that AND relationships are specified. In this case, test_user must be User1 and a member of Group1 and Group2 to be authorized.
Example: Assume that User1, User2, and Group1 are all bound to a policy and that AND relationships are specified. In this case, test_user cannot be both User1 and User2. Therefore, test_user cannot be authorized.
Important! Do not add two or more individual users to a policy and specify AND relationships. Because no single user can be more than one individual, the policy always fails.
To specify both AND and OR relationships, choose one of the following configurations:
In this configuration, two or more user directories are available to a single policy. The relationship between individual users and user groups in a single directory can be AND or OR. The relationship between individual users and user groups in different directories is always OR.
Example: There are two user directories and a single policy. In each directory, there are two user groups, and an AND relationship is specified. Assume that Directory1 contains Group1 and Group2 and that Directory2 contains Group3 and Group4. In this case, test_user must be a member of Group1 and Group2 or a member of Group3 and Group4 to be authorized.
This can be expressed logically as follows:
Directory1(Group1 AND Group2) OR Directory2(Group3 and Group4)
Use Case: There are two user directories and a single policy. Directory1 contains the user groups Facilities and Human_Resources, and an AND relationship is specified. Directory2 contains the user groups Marketing and Sales, and an OR relationship is specified. In this case, the user must be a member of Facilities and Human_Resources or a member of Marketing or a member of Sales to be authorized. This can be expressed logically as follows:
Directory1(Facilities AND Human_Resources) OR Directory2(Marketing OR Sales)
In this configuration, two or more policies in a shared domain have access to a single user directory. The relationship between individual users and user groups in the user directory can be AND in one policy and OR in another policy. The relationship between different policies in a shared domain is always OR.
Example: There are two policies and one user directory. The user directory contains four user groups. Assume that Group1 and Group2 are bound to Policy1 and that Group3 and Group4 are bound to Policy2. AND relationships are specified between the user groups in both policies. In this case, test_user can be authorized by the application of Policy1 or Policy2. This can be expressed logically as follows:
Policy1(Group1 AND Group2) OR Policy2(Group3 AND Group4)
Use Case: There are two policies and one user directory. The user groups Human_Resources, Marketing, and Sales are bound to Policy1, and an OR relationship is specified. The user groups Facilities and Human_Resources are bound to Policy2, and an AND relationship is specified. In this case, the user must be a member of Human_Resources, Marketing, or Sales or a member of Facilities and Human_Resources to be authorized. The second policy only authorizes members of Facilities who are also members of Human_Resources.
This can be expressed logically as follows:
Policy1(Human_Resources OR Marketing OR Sales) OR Policy2(Facilities AND Human_Resources)
The AND Users/Groups check box lets you restrict authorization to users who are members of more than one user group or to a particular user who is a member of one or more user groups. When adding individual users and user groups in a user directory to a policy, you can specify AND relationships between them by selecting the check box. Alternately, you can specify OR relationships by clearing the check box.
When you specify AND relationships and apply the resulting policy to a user, the user must meet the following requirements to be authorized:
Important! Do not add two or more individual users to a policy and specify AND relationships. Because no single user can be more than one individual, the policy always fails.
To specify AND relationships between a user and one or more user groups or between multiple user groups in one user directory
The User Directories page opens, and each user directory is displayed in a separate section.
The task is submitted for processing.
In addition to using the Available Members list in the Policy Users/Groups Dialog to specify the users and groups to include in a policy, you can specify a user or search string in the Manual Entry group box.
Follow these steps:
The search window appears.
A list of policies appears.
The Modify Policy: Name pane appears.
The user directories associated with the domain appear in the User Directories group box.
Manual Entry Field
Specifies a search filter for the Active Directory user directory.
Validate Entry Check Box
Specifies whether the search filter is validated before the entry is added to the Active Directory user directory.
Note: If validation of the Active Directory search filter fails, clear this check box.
Default: Selected
Validate DN
Locates the DN in the directory.
Search Users
Limits search to matches in user entries.
Search Groups
Limits search to matches in group entries.
Search Organizations
Limits search to matches in organization entries.
Search Any Entry
Limits searches to matches in user, group, and organization entries.
Note: For Microsoft SQL Server and Oracle, you can type a SQL query in the Manual Entry field instead of a user name.
Example: SELECT NAME FROM EMPLOYEE WHERE JOB =’MGR’;
The Policy Server executes the query as the database user specified in the Username field in Credentials and Connections for the user directory. Before constructing the SQL statement for the Manual Entry field, become familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema and want to add specific users, you could select from the SmUser table.
Note: For an LDAP directory, you can enter "all" in the Manual Entry field to bind the policy to the entire LDAP directory.
The Administrative UI adds the user or query to the Current Members list.
You can enhance the Policy Server’s authorization performance for users stored in LDAP user directories by limiting the role-based authorization to a specific user record rather than the user’s role, as follows:
To enhance the policy server’s performance
The User Directories pane opens and contains the group boxes that correspond to the user directories associated with the policy domain.
The Users/Groups pane opens and lists the users and groups in the selected user directory.
Specifies a user attribute name and value pair.
Specifies a CA SiteMinder® expression.
A list of directories appears.
The Users/Groups pane closes and the User Directories pane appears. The directory you selected appears in the group box.
The User Directory Search Expression Editor appears.
The User Directory Search Expression Editor closes. The Policy Server’s LDAP search is done within the context of the current user and not in the LDAP server’s base DN. This optimization decreases the load on the LDAP server and Policy Server, which allows quicker authorization responses.
Bind an LDAP search expression to a policy in a policy domain that contains connections to an LDAP user directory using the User Directory Search Expression Editor. A search expression can bind users to a policy based on attributes that appear in user, group, and organization profiles.
Follow these steps:
The user directories that are associated with the domain appear in the User Directories section.
The expression appears in the user directory table.
By default, policies are enabled when they are created. If a policy is enabled, its rules fire when users attempt to access the resources that those rules specify.
If you disable a policy, the rules that are contained in the policy still fire but no user is authorized. Any resources that are specified in rules that are contained in the policy are still protected. Users cannot access resources that are associated with the rules specified in the policy until you enable the policy. However, if another enabled policy allows access to a resource in the disabled policy, users that are associated with the enabled policy can access the resource.
Follow these steps:
If the check box is selected, the policy is enabled. If the check box is cleared, the policy is disabled. A disabled policy does not fire.
The policy is saved.
You can use the following advanced features when setting up policies in the Administrative UI:
This feature lets you specify certain IP addresses that a user must be using for a policy to fire.
This feature lets you specify times during which the policy fires. If you add a time restriction to a policy, the policy is effectively disabled outside of the specified times.
This feature allows you to invoke a function call in a shared library that is created with the CA SiteMinder® API. The function call determines whether the policy fires.
You can restrict a policy to fire only for users who access the policy resources from a specific:
For example, if a policy that specifies a range of allowable IP addresses, only users who log in in from one of the specified IP addresses are allowed access to the protected resources.
Specify a single IP address to ensure that the policy only fires for users who access the policy resources from the specified IP address.
Follow these steps:
Settings specific to a single host appear.
The IP address appears in the IP Address group box.
Note: If you do not know the IP address, click DNS Lookup and enter a fully qualified host name to look up the IP address.
The policy is saved.
Specify a host name to ensure the policy only fires for users who access the policy resources from the specified host.
Follow these steps:
Settings specific to a host name appear.
The host name appears in the IP Address group box.
The policy is saved.
Specify a subnet mask to ensure the policy only fires for users who access the policy resources from the specified subnet mask.
Follow these steps:
Settings for IP Addresses appear.
Settings specific to the subnet mask appear.
Note: If you do not know the IP address, click DNS Lookup and enter a fully qualified host name to look up the IP address.
The subnet mask appears in the IP Address group box.
The policy is saved.
Specify a range of IP addresses to restrict access to users who attempt to access policy resources from one of the IP addresses that are included in that range.
Follow these steps:
Settings IP Addresses appear.
Settings specific to a range of IP addresses appear.
Note: If you do not know the IP address, click DNS Lookup and enter a fully qualified host name to look up the IP address.
The range of IP addresses appears in the IP Address group box.
The policy is saved.
The Administrative UI lets you add time restrictions to a policy. When you add a time restriction, the policy only fires during the period that the time restriction specifies. If a user attempts to access a resource outside of the period that the time restriction specifies, the policy does not fire.
Say that you create a time restriction for a policy that secures access to a resource, and specifies that the policy can only fire from 9am - 5 pm, Monday - Friday. A user is only authenticated and authorized during the times that are indicated in the time restriction. The resources that the policy protects are not available outside the times indicated.
Note: Time restrictions are based on the system clock of the server on which the Policy Server is installed.
If a policy has a time restriction and the policy contains a rule with a time restriction, the policy fires only during times that both restrictions allow.
For example, if a policy has a time restriction of 9AM to 5PM, and a rule has a time restriction of Monday through Friday, the policy only fires between 9AM and 5PM Monday through Friday.
Add time restrictions to a policy to ensure that the policy only fires at specific times.
Follow these steps:
The Time Restrictions pane appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: Each check box represents one hour. When a check box is selected, the rule fires during that hour, and the rule applies to the specified resources. When a check box is cleared, the rule does not fire during that hour, and the rule does not apply to the specified resources.
The time restrictions are saved.
An active policy is used for dynamic authorization that is based on external business logic. An active policy is included in the authorization decision by having the Policy Server invoke a function in a customer-supplied shared library.
This shared library must conform to the interface specified by the Authorization API, which is available separately with the Software Development Kit.
Follow these steps:
Active policy settings appear.
The policy is saved.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|