Policy Server Guides › Policy Server Configuration Guide › Implementing Policy-based Security › CA IdentityMinder Roles and Access Control

CA IdentityMinder Roles and Access Control

Integrating with CA IdentityMinder lets you can implement policy–based access control using CA IdentityMinder roles. These roles enable centralized management of user privileges in external applications.

Note: For more information about configuring the integration, see the CA Identity Manager documentation.

The integration requires:

• The Policy Server installation includes the required data definitions for the CA Identity Manager integration at the following location.

  siteminder_home\xps\dd
  

  siteminder_home

  Specifies the Policy Server installation path.

• The name of the file is:

  IdmSmObjects.xdd
  

  Important! Do not import this file in to the policy store until you have completed the CA IdentityMinder integration. If you import the data definitions before completing the integration, the Policy Server can reach an indeterminate state. Coordinate the integration with your CA IdentityMinder administrator.

• CA IdentityMinder administrators manage environments and roles in CA IdentityMinder to determine user access to the applications that CA SiteMinder® secures. The CA SiteMinder® Administrative UI refers to these environments as an IDM environment.

  Note: For more information about environments and roles, see the CA IdentityMinder documentation.

• CA SiteMinder® administrators use the Administrative UI to associate one or more IDM environments to a policy domain and user directory. A CA SiteMinder® administrator cannot create or manage an IDM environment.
• CA SiteMinder® administrators use the Administrative UI to create a policy and associate one or more roles that are available to the IDM environments. A CA SiteMinder® administrator cannot create or manage a CA Identity Manager role.

  Note: You cannot apply a CA IdentityMinder role to an enterprise management application.

CA SiteMinder® can also provide details about entitlements that a CA IdentityMinder user has in protected applications. As the following figure illustrates, a CA SiteMinder® administrator associates a response with an access rule in the policy. The response contains a response attribute that specifies a CA SiteMinder®–generated user attribute.

The CA SiteMinder®–generated user attribute retrieves task information from CA IdentityMinder. The Policy Server passes this information to the web agent as an HTTP header variable or a cookie. The web agent makes the header variable or cookie available to the protected application for fine–grained access control.