Previous Topic: How to Require Re-authentication for Sensitive ResourcesNext Topic: Delete a Policy

Policy Server GuidesPolicy Server Configuration GuidePoliciesPolicy Binding Establishment

Policy Binding Establishment

The following sections describe the methods for establishing different types of policy bindings. Supported policy binding types differ based on the type of user directory in which user information is located.

Policy Bindings for LDAP Directories

When CA SiteMinder® authenticates a user, it establishes a user context. Then, access control policy decisions are based on the user context matching one of the criteria that are shown in the following table.

User Namespace

Description

User

The user's Distinguished Name (DN) must match the DN specified in the policy.

User Attribute

The search expression specifying conditions related to user attributes must be true.

User Group

The user's DN must be a member of the user group specified in the policy.

Group Attribute

The search expression specifying conditions related to the group attribute must be true.

Organizational Role

The user must occupy the organizational role specified in the policy.

Organization Unit

The user must be a member of the organizational unit specified in the policy. The Organizational Unit must be a part of a user's DN, group, or role (group and role are not used by default).

Organization

The user must be a member of the organization specified in the policy. The Organization must be a part of a user's DN, group, or role (group and role are not used by default).

Organization Attribute

The search expression specifying conditions related to the organization attribute must be true.

Custom Object Classes

CA SiteMinder® can be configured to associate Policies with custom directory objects.

Generally, you bind users or user attributes to policies on the CA SiteMinder® Policy pane by selecting an entry from the list of available directory entries. Individual users are not visible in the list of available directory entries. However, you can search for specific users within a directory and add the users directly to the policy.

More information:

Add Users to a Policy

Bind Policies to Users with the Manual Entry Field

You can bind individual users to a policy using two methods. The first is by using the Manual Entry field in the CA SiteMinder® Policy Users/Groups dialog. The second is by using the Search feature in the CA SiteMinder® Policy Users/Groups dialog.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the group box with the user directory that you want to search, and then click Add Entry.

    The User Directory Search Expression Editor opens.

  3. Click the Where to Search drop-down list, and then select Search Users.
  4. In the Manual Entry field, specify a user DN.

    For example: uid=JSmith, ou=people, o=myorg.org

    Note: The supplied user DN must match exactly the distinguished name of the user. This feature does not match a subset of information that is contained in the user DN.

  5. Click OK.

    The User Directory Search Expression Editor closes and the user DN you entered appears in the group box of the directory.

  6. Click Submit to save your changes.

More information:

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to Users with the Search Feature

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Members on a user directory group box.

    The Users/Groups pane opens.

  3. Specify search criteria, and click Go.

    A list of users that match the search criteria opens.

  4. Select the users that you want, and click OK.

    The User Directories pane reopens, and the selected users are added to the user directory group box.

  5. Click Submit.

    The Create or Modify Policy task is submitted for processing.

More information:

Search User Directories

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to User Attributes

To bind a policy to user attributes, specify an LDAP search expression that defines conditions related to user attributes that must be true. For example, to bind a policy to all people whose location (l) is westcoast or whose mail address (mail) ends with string.com, insert the following search expression (using a pipe (|) at the beginning) in the Manual Entry field:

(|(l=westcoast)(mail=*string.com))

More information:

Add an LDAP Expression to a Policy

Bind Policies to User Groups

Bind policies to user groups open in the Users/Groups pane.

Follow these steps:

  1. Click the Users tab.

    The user directories associated with the domain open in the User Directories group box.

  2. Click Add Members.

    The Users/Groups pane opens.

  3. Select the user group.
  4. Click OK.

    The User Directories section opens. The respective user directory table lists the user group to which the policy should apply.

Bind Policies to Organizational Roles

When you bind a policy to an organizational role, users must be a member of the role for the policy to fire.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the group box with the user directory that you want to search, and then click Add Entry.

    The User Directory Search Expression Editor opens.

  3. Click the Where to Search drop-down list, and then select Search Users.
  4. In the Manual Entry field, specify an organizational role.
  5. Click OK.

    The User Directory Search Expression Editor closes and the organizational role you entered appears in the group box of the directory.

  6. Click Submit to save your changes.

    The organizational roles are bound to the policy.

Bind Policies to Group Attributes

To bind a policy to group attributes, specify an LDAP search expression that defines conditions related to group attributes that must be true.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the group box with the user directory that you want to search, and then click Add Entry.

    The User Directory Search Expression Editor opens.

  3. Click the Where to Search drop-down list, and then select Search Users.
  4. In the Manual Entry field, specify a group. For example, to bind a policy to all groups located in the state of Massachusetts in the USA, insert the following search expression in the Manual Entry field:

    (&(c=USA)(s=Massachusetts))

  5. Click OK.

    The User Directory Search Expression Editor closes and the group you entered appears in the group box of the directory.

  6. Click Submit to save your changes.

More information:

Add an LDAP Expression to a Policy

Bind Policies to Organization Units

To bind a policy to an organizational unit, specify an LDAP search expression that defines an organizational unit.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the group box with the user directory that you want to search, and then click Add Entry.

    The User Directory Search Expression Editor opens.

  3. Click the Where to Search drop-down list, and then select Search Organizations.
  4. In the Manual Entry field, specify an organization unit. For example, to bind a policy to all people whose organization unit (ou) is marketing, insert the following search expression in the Manual Entry field:

    ou=Marketing

  5. Click OK.

    The User Directory Search Expression Editor closes and the user DN you entered appears in the group box of the directory.

  6. Click Submit to save your changes.

    The organization unit is bound to the policy.

Bind Policies to Organizations

To bind a policy to an organization, specify an LDAP search expression that defines an organization.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the group box with the user directory that you want to search, and then click Add Entry.

    The User Directory Search Expression Editor opens.

  3. Click the Where to Search drop-down list, and then select Search Organizations.
  4. In the Manual Entry field, specify an organization.

    For example, to bind a policy to all people whose organization (o) is myorg.org, insert the following search expression in the Manual Entry field:

    o=myorg.org

  5. Click OK.

    The User Directory Search Expression Editor closes and the organization you entered appears in the group box of the directory.

  6. Click Submit to save your changes.

    The organization is bound to the policy.

Bind Policies to Organization Attributes

To bind a policy to organization attributes, specify an LDAP search expression that defines conditions that are related to organization attributes that must be true.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the group box with the user directory that you want to search, and then click Add Entry.

    The User Directory Search Expression Editor opens.

  3. Click the Where to Search drop-down list, and then select Search Organizations.
  4. In the Manual Entry field, specify an organization attribute. For example, to bind a policy to all organizations located in the state of Massachusetts in the USA, insert the following search expression in the Manual Entry field:

    (&(c=USA)(s=Massachusetts))

  5. Click OK.

    The User Directory Search Expression Editor closes and the organization attribute you entered appears in the group box of the directory.

  6. Click Submit to save your changes.

    The policy is bound to the organization attributes.

More information:

Add an LDAP Expression to a Policy

Binding Policies to Custom Object Classes

You can bind policies to custom object classes that you create with the CA SiteMinder® Software Development Kit.

Policy Bindings for WinNT User Directories

When CA SiteMinder® authenticates a user, it establishes a user context. Then, access control policy decisions are based on the user context matching one of the criteria that are shown in the following table:

User Namespace

Description

User

The user’s user name must match the user name specified in the policy.

User Group

The user must be a member of the user group specified in the policy.

Generally, you bind users to policies on the Policy pane by selecting an entry from the list of available directory entries. However, individual users are not visible in the list of available directory entries.

More information:

Add Users to a Policy

Bind Policies to Users with the Manual Entry Field

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value search feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Entry on a user directory group box.

    The User Directory Search Expression Editor pane opens.

  3. Specify a user DN on the Condition and Infix Notation group boxes.
  4. Click OK.

    The User Directories pane reopens, and the specified users are added to the user directory group box.

  5. Click Submit.

    The Create or Modify Policy task is submitted for processing.

More information:

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to Users with the Search Feature

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Members on a user directory group box.

    The Users/Groups pane opens.

  3. Specify search criteria, and click Go.

    A list of users that match the search criteria opens.

  4. Select the users that you want, and click OK.

    The User Directories pane reopens, and the selected users are added to the user directory group box.

  5. Click Submit.

    The Create or Modify Policy task is submitted for processing.

More information:

Search User Directories

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to User Groups

You can bind a policy to a user group.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Members on a user directory group box.

    The Users/Groups pane opens.

  3. Select a user group.
  4. Click OK.

    The User Directories pane reopens, and the selected user group is added to the user directory group box.

More information:

Add Users to a Policy

Policy Bindings for Microsoft SQL Server and Oracle User Directories

When CA SiteMinder® authenticates a user, it establishes a user context. After, access control policy decisions are based on the user context matching one of the criteria that are shown in the following table:

User Namespace

Description

User

The user’s name must match the user name specified in the policy.

User Group

The user must be a member of the user group specified in the policy.

User Attribute

The search expression specifying conditions related to user attributes must be true.

SQL query

The SQL query specifying conditions related to the user must be true.

Generally, you would bind users or user attributes to policies on the Policy Users/Groups pane by selecting an entry from the list of available directory entries. However, individual users may not be visible in the list of available directory entries (depending on the setup of Query Enumerate in the SQL query scheme for the user directory).

More information:

Add Users to a Policy

Bind Policies to Users with the Manual Entry Field

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value search feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Entry on a user directory group box.

    The User Directory Search Expression Editor pane opens.

  3. Specify a user DN on the Condition and Infix Notation group boxes.
  4. Click OK.

    The User Directories pane reopens, and the specified users are added to the user directory group box.

  5. Click Submit.

    The Create or Modify Policy task is submitted for processing.

More information:

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to Users with the Search Feature

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Members on a user directory group box.

    The Users/Groups pane opens.

  3. Specify search criteria, and click Go.

    A list of users that match the search criteria opens.

  4. Select the users that you want, and click OK.

    The User Directories pane reopens, and the selected users are added to the user directory group box.

  5. Click Submit.

    The Create or Modify Policy task is submitted for processing.

More information:

Search User Directories

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to User Groups

You can bind a policy to a user group.

Follow these steps:

  1. Navigate to Policy, Users.

    A list of the user directories that are associated with the domain opens on the User Directories pane.

  2. Click Add Members on a user directory group box.

    The Users/Groups pane opens.

  3. Select a user group.
  4. Click OK.

    The User Directories pane reopens, and the selected user group is added to the user directory group box.

More information:

Add Users to a Policy

Bind Policies to User Attributes

To bind policies to user attributes, specify a search expression that defines conditions that are related to user attributes that must be true.

For example, to bind a policy to all people whose area code is 555, insert the following expression in the Manual Entry field: (areacode=’555’).