Previous Topic: Configure a Rule for Authentication Event ActionsNext Topic: Configure a Rule for Impersonation Event Actions


Configure a Rule for Authorization Event Actions

Authorization events occur after a user is authenticated. You configure a rule for authorization to let CA SiteMinder® call responses based on whether a user is or is not authorized for the requested resource. When the user has been granted or denied access based on their privileges, the appropriate event is triggered.

The realm in which the rule is to be created must be able to process authorization events. Verify that the Process Authorization Events option is selected.

Follow these steps:

  1. Click Policies, Domain, Rules.
  2. Click Create Rule.
  3. Select a domain from the list, and click Next.
  4. Select the realm that includes the resources that you want the rule to protect, and click Next.

    Note: If a realm does not exist for the resources that you want to protect, a rule cannot be created to protect those resources.

  5. Type the name and a description of the rule.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. Type the resource the rule is to protect.

    Effective Resource updates to include the resource.

  7. Select Authorization events.

    The Action List populates with authorization events.

    Note: The Allow Access and Deny Access options are disabled. These options do not apply to authorization events.

  8. Select one or more authorization events.
  9. (Optional) In Advanced, set time restrictions, an active rule, or both.
  10. Click Submit.

    The rule is saved and applied to the specified realm and resource.

Policy Considerations for OnAccessReject Rules

Consider how the Policy Server processes global policies and the special circumstances created by OnAccessReject rules when creating global rules that include OnAccessReject events.

An OnAccessReject rule will not fire if it is in the same policy as a GET / POST rule. When a user is authenticated, CA SiteMinder® resolves the identity of the user. Therefore, if the OnAccessReject rule and the GET / POST rule are in the same policy, then a user who is allowed access to a resource is the same user who should be redirected on an OnAccessReject event. Since the user is allowed access, the reject event never applies.

To resolve this discrepancy, create a separate policy for the OnAccessReject rule, which may include other event rules, and specify the users for which it should apply.

For example, in an LDAP user directory, User1 should have access to a resource and everyone else in the group, ou=People, o=company.com, should be redirected to an OnAccessReject page. Two policies are required:

Policy1

Includes a GET / POST rule that allows access for User1.

Policy2

Includes the OnAccessReject rule and a Redirect response, and specifies the group ou=People, o=company.com.

Since User1 is authorized, the OnAccessReject rule will not fire when User1 access the resource. However, the OnAccessReject rule will fire for all other users in the group, ou=People, o=company.com, because they are not authorized to access the resource.