Use eTelligent Rules to define variables that enable fine-grained access-control criteria that are known as policy expressions.
Policy expressions are implemented as policy attributes. They include operators and customer-defined variables that are evaluated at runtime, when a user attempts to access a protected resource on a web site.
Variables can store local information that is within the enterprise or remote information that a web service providess.
The variables that eTelligent Rules provides are available in the Administrative UI. You can define variable objects and can incorporate them into policy logic through policy expressions. You can also include variables in CA SiteMinder® response objects.
eTelligent rules provides the following benefits:
The CA SiteMinder® administrator defines authorization access in policy expressions, using graphical tools rather than application code. It is not necessary to integrate and reconcile backend business application access control information, because that information is centralized in the CA SiteMinder® Policy Server.
Defining access control to secure resources is based on local user information and incoming information, such as the amount of a purchase order that a user places an order.
Web browser forms data, user-context data (stored locally in the Policy Server), and remote data (obtained through a service bureau) can be flexibly combined in policy expressions.
It is not necessary to go back to a backend business application each time authorization is required to access a protected resource.
eTelligent Rules use a standard XML protocol to communicate with trusted service bureaus, thus increasing the choice of web services providers.
CA SiteMinder® security administrators define policy expressions using variables together with logical operators.
Due to the use of policy expressions that are based on logic, fewer policies are necessary, thus keeping policy administration to a minimum.
To configure eTelligent Rules, do the following tasks:
The following properties files are required for eTelligent Rules:
This file is required to configure the JVM for eTelligent Rules. The installed location of this file is: policy_server_home/config/
This file is required to configure logging for eTelligent Rules. The installed location of this file is:
policy_server_home/config/properties
The JVMOptions.txt file contains the settings that the Policy Server uses when creating the Java Virtual Machine that is used to support eTelligent Rules.
If you encounter errors that are related to missing classes, you can modify the classpath directive in the JVMOptions.txt file. For complete information about the settings that are contained in the JVMOptions.txt file, see your Java documentation.
On the Policy Server, the LoggerConfig.properties file allows you to specify logging features that are used when you start the SiteMinder service from a command line. The properties that are contained in this file are not used when the service is started from the Policy Server Management Console. Modify this file to obtain more output for debugging purposes.
The following shows an example of a LoggerConfig.properties file.
// LoggingOn can be Y, N LoggingOn=Y // LogLevel can be one of LOG_LEVEL_NONE, LOG_LEVEL_ERROR, LOG_LEVEL_INFO, LOG_LEVEL_TRACE LogLevel=LOG_LEVEL_TRACE // If LogFileName is set Log output will go to the file named LogFileName=affwebserv.log // AppendLog can be Y, N. Y means append output to LogFileName if specified AppendLog=Y // AlwaysWriteToSystemStreams can be Y, N. // Y means log messages are written to System.out // or System.err regardless of what the logger streams are // set to. If the logger streams are set to System.out // or System.err log messages will be written multiple times. // This facilitates logging messages to System.out/System.err // and a file simultaneously. AlwaysWriteToSystemStreams=N // DateFormatPattern can be any valid input to java.text.DateFormat constructor. // See the Java documentation for java.text.DateFormat for details // If not specified, the default format for the default locale is used DateFormatPattern=MMMM d, yyyy h:mm:ss.S a
The settings in this file are:
Enables or disables logging. Set this parameter to Y to enable logging. Set this parameter to N to disable logging.
Indicates the level of detail that is contained in logs. The LogLevel can be one of the following values:
No messages are logged.
Only records error messages.
Records error messages and warnings.
Records error messages, warnings, and general processing information that is useful for tracking problems.
If LogFileName is set, all log output goes to the file named in this parameter.
Indicates whether logging information is appended to an existing file at startup or if a new file is created at startup. To append output to the file specified in the LogFileName parameter, set this parameter to Y. To create a new file at startup, set this parameter to N.
To log messages to System.out or System.err regardless of what the logger streams are set to, set this parameter to Y. If the logger streams are set to System.out or System.err, log messages are written multiple times. This facilitates logging messages to System.out/System.err and a file simultaneously.
DateFormatPattern can be any valid input to java.text.DateFormat constructor. See the Java documentation for java.text.DateFormat for details.
If not specified, the default format for the default locale is used.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|