Previous Topic: Use Cases for Defining Application Security Policies Using Application ObjectsNext Topic: Realms

Policy Server GuidesPolicy Server Configuration GuideDomains

Domains

This section contains the following topics:

Policy Domain Overview

Domains and User Membership

How to Configure a Policy Domain

Add CA IdentityMinder Environments to a Domain

Disable Global Policy Processing for a Domain

Modify a Domain

Delete a Domain

Policy Domain Overview

A policy domain is a logical grouping of resources that are associated with one or more user directories. In addition, policy domains require one or more administrator accounts that can change the objects within the policy domain. Policy domains contain realms, rules, responses, and policies (and optionally, rule groups and response groups). An administrator with the appropriate privileges assigns a policy domain to one or more administrators.

The resources in a policy domain can be grouped in one or more realms. A realm is a set of resources with a common security (authentication) requirement. Rules, which are associated with the realm that contains the resource control access to resources. The following diagram illustrates a small policy domain which contains realms and their associated rules, and a rule group, response group, and a pair of responses.

Graphic showing an example of a domain and the related SiteMinder objects

By grouping realms and rules in a policy domain, you can provide organizations with a secure domain for their resources. In the policies section, you learn how to create policies within a policy domain to control access to the policy domain resources.

In the sample diagram below, a Marketing policy administrator who is specified in the Marketing policy domain can manage the Marketing Strategy and Marketing Projects realms. The policy domain ensures that the Engineering administrator, who does not have administrative privileges to manage the Marketing policy domain, cannot control resources belonging to the Marketing department. However, the Marketing policy domain is associated with a user directory that contains engineering users.

If the administrator for the Marketing department creates a policy within the Marketing policy domain that allows Engineering staff to access the resource Project 2.html, engineering users can access the resource.

Graphic showing an example of users and administrators access domains

More information:

Policies

Domains and User Membership

Besides acting as a container for domain objects, policy domains also connect to user directories. The Policy Server authenticates users based on the requirements of the realm in which the target resource resides. In order to authenticate a user, the Policy Server must find the user directory where a user is defined. The Policy Server does this by locating the policy domain to which a realm belongs. From the policy domain, the Policy Server queries the user directories specified in the policy domain’s search order.

The search order is defined when you add user directory connections to a policy domain. The order in which you add directory connections determines the order that the Policy Server uses to search for a user. For example, if you set up policy domain for a company migrating user data from a WinNT directory to an LDAP directory, and you want the Policy Server to search in the new LDAP directory first, then look in the WinNT user directory, add the LDAP directory connection to the policy domain first, then add the WinNT user directory connection.

How to Configure a Policy Domain

You configure a domain to create a logical grouping of resources with one or more user directories. Configuring a domain requires you to:

Note: You can edit a policy domain’s properties if you need to add a realm in the future.

The following process lists the steps for configuring a new policy domain:

  1. Configure a policy domain
  2. Assign user directories
  3. Create a realm

More information:

Realms

Configure a Policy Domain

You create a policy domain to protect logical groupings of resources.

Follow these steps:

  1. Click Policies, Domain, Domains.
  2. Click Create Domain.
  3. Type the name and a description of the policy.
  4. Add User Directories and Realms.
  5. Click Submit.

    You have defined a policy domain.

More information:

Create a Realm

Assign User Directories

You can add one or more user directories to a policy domain. The Policy Server authenticates users by comparing the credentials that they enter to the credentials that are stored in the user directories. The Policy Server searches the user directories in the same order that they are listed in the policy domain.

Follow these steps:

  1. Click Policies, Domain, Domains.
  2. Specify the search criteria and click Search.

    A list of domains that match the search criteria appears.

  3. Click the name of the domain that you want to modify.
  4. Click Modify.

    The settings and controls become active.

  5. In the General tab, click Add/Remove.

    The Choose user directories page appears.

  6. Select one or more user directories from the list of Available Members, and click the right-facing arrows.

    The user directories are removed from the list of Available Members and added to the list of Selected Members.

    Note: To select more than one member at one time, hold down the Ctrl key while you click the additional members. To select a block of members, click the first member and then hold down the Shift key while you click the last member in the block.

  7. Click OK.

    The selected user directories are listed under User Directories.

    Note: To create a new user directory and add it to the domain, click Create.

  8. Click Submit.

    The selected user directories are added to the policy domain.

Create a Realm

Realms are created in a domain and are associated with a Web Agent. Realms use resource filters to group resources that have similar security requirements and share a common authentication scheme.

More information:

Realms

Configure a Realm with a SiteMinder Web Agent

When you create a domain, you can create one or more realms in the domain and associate them with a Web Agent or Agent group. Realms group resources that have similar security requirements and share a common authentication scheme.

Follow these steps:

  1. Click Policies, Domain, Realms.
  2. Click Create Realm.
  3. Select a domain, and click Next.
  4. Type the name and a description of the realm.
  5. Click the ellipsis button to select an agent.
  6. Select a Web Agent or Agent group, and click OK.
  7. Specify the remaining resource properties.
  8. Create new rules or delete existing rules.
  9. Create new sub-realms or delete existing sub-realms.
  10. Specify the session properties.
  11. Specify the authorization directory mappings and types of events the realm must process.
  12. Click Finish.

    The Realm is created.

More information:

Copy Policy Server Objects

Configure a Realm with a RADIUS Agent

When you create a domain, you can create one or more realms in the domain and associate them with a Radius Agent or Agent group. Realms group resources that have similar security requirements and share a common authentication scheme.

Note: The Administrative UI lets you configure realms protected by a RADIUS Agent. These realms do not require all of the same information that is required for a CA SiteMinder® Web Agent realm.

Follow these steps:

  1. Click Policies, Domain, Realms.
  2. Click Create Realm.
  3. Select a domain, and click Next.
  4. Type the name and a description of the realm.
  5. Click the ellipsis button to select an agent.
  6. Select a RADIUS Agent or Agent group, and click OK.
  7. Specify the remaining resource properties.
  8. Create new rules or delete existing rules.
  9. Specify the session properties.
  10. Click Finish.

    The Realm is created and associated with the selected RADIUS Agent or Agent group.

More information:

Copy Policy Server Objects

Add CA IdentityMinder Environments to a Domain

Adding a CA IdentityMinder environment and the associated user directories to a domain makes available CA IdentityMinder roles to policies.

Follow these steps:

  1. Click Policies, Domain, Domains.
  2. Specify search criteria and click Search to locate the domain you want.
  3. Click the name of the domain to which you want to add the environment.
  4. Click Modify.
  5. If the users that are associated with the environment are not bound to the domain, add the respective user directories.
  6. Click Add/Remove in the IDM Environments section.
  7. Select the IDM Environments you want and click OK.
  8. Click Submit.

    The CA IdentityMinder environments are added to the domain. The roles associated with the environments are available to all policies created in the domain.

Disable Global Policy Processing for a Domain

Global policies let you associate responses with particular resources and events across all domains. By default, global policies apply to all of the resources in a policy domain.

Follow these steps:

  1. Open the domain.
  2. Clear the Global Policies Apply check box, and then click Submit.

    Global policies no longer apply to the resources in this domain.

More information:

Global Policies, Rules, and Responses

Modify a Domain

You can change the name, description, user directory connections and administrators associated with a policy or affiliate domain. All other features of a domain are a result of peripheral configuration.

Delete a Domain

Important! Deleting a domain destroys all of the domain user directories, administrator connections, and objects bound to the domain, such as rules, realms, responses, policies, or affiliates.

It may take a short amount of time for all deleted objects to be removed from caches.