Policy Server Guides › Policy Server Configuration Guide › Global Policies, Rules, and Responses › Global Policies

Global Policies

Standard policies are created in the context of a single policy domain. Large production environments can contain thousands of domains. For these environments, it can be useful to define types of behavior (represented by policies) that are common for many domains. Using standard policies, the same policy must be recreated for each domain that requires the same behavior. The global policies allow you to configure policies (and their associated rules and responses) as system level objects, that are applied across all domains.

The following terms are used for discussing global policies:

Access Rule

An access rule allows or denies access to a resource. The global policies do not include access rules. Only event rules are added to global policies.

Event Rule

An event rule is invoked when an authentication or authorization event occurs. Behaviors that are commonly implemented across all domains are associated with event rules, and can be included in global policies.

Global Policy

A policy which is defined as a system object.

Global Rule

A rule which is defined as a system object.

Global Response

A response which is defined as a system object.

Policy Link

A logical entity that is used for policy definition. This entity consists of a rule- response pair. A policy can contain one or more policy links.

More information:

Policies

Authentication Events

Authorization Events

Global Policy Object Characteristics

The following sections discuss the characteristics of global policy objects, outlining the basic similarities and differences when compared to their standard (nonglobal) counterparts.

Global responses compared to standard responses

Differences:

• Defined at the system level. Only system level administrators can define a global response.
• These responses cannot use variables-based attributes.
• Used in any global or domain-specific policies.
• Associated with the specific agent type.
• These responses cannot be added to response groups. Global response groups are prohibited.

Similarities:

• These responses can use active expressions.
• A response Is only returned if it is specified in a particular policy.

Global rules compared to standard rules

Differences:

• Defined at the system level. Only system level administrators can define a global rule.
• The filter for the global rule is not bound to a specific realm. The filter for the global rule is an absolute filter. Regular expressions are allowed.
• Bound to a specific agent or agent group. The agent is explicitly specified when the rule is created.
• Available only for CA SiteMinder® agents. You cannot associate a global rule with a RADIUS Agent because RADIUS Agents do not support authentication and authorization events.
• Only defined for an authentication or authorization event.
• Only used in global policies.
• These rules cannot be added to rule groups. Global rule groups do not exist
• These rules can fire for resources on any domain for which global policy processing is enabled.

Global policies compared to standard policies

Differences:

• Defined at the system level. Only system level administrators can define a global policy.
• Bound to all users. Any specific users cannot be included or excluded from a global policy.

  Note: Any Individual domains can be explicitly enabled or disabled for global policy processing.

• Defined using only global rules, global responses, and groups of these global objects.
• These policies cannot use variable-based attributes or variable expressions.
• These policies cannot contain allow/deny access rules. Only event rules are allowed in global policies.
• These policies cannot include or exclude a particular resource/realm from the global policy. These global policies apply to all resources matching at least one rule filter that is defined for the policy, on the related domain.
• Are not supported through the Java Policy Management API.

Similarities:

• These policies can use active expressions.
• Associated with the specific Agent. However, it is possible to create a group containing all the Agents of the same type and bind a global rule to such group.

When the global policy is processing, the responses that are defined for the fired global rules are added to the list of other responses. A global rule fires when the following conditions are true:

• The resource being accessed matches the absolute resource filter that is defined for the global rule.
• The event that occurs is as defined for the global rule.
• The same agent/agent group that is specified for the rule protects the resource.
• The resource/realm being accessed belongs to a domain for which global policies processing is enabled.

Important! Standard policies take precedence over global policies when the following conditions are met:

• Global policy processing is enabled for the domain
• Both standard rule and global rule are bound to the same agent or group.

More information:

Disable Global Policy Processing for a Domain

SiteMinder Global Policy Concept

The product uses a policy-based access control model. A policy defines the type of access a user has to a particular resource and what happens when the user accesses the resource. Each standard policy is a linkage between a set of users and a set of resources. Policies are designed to protect resources by binding together users, rules, and responses. Every policy must specify the users or groups of users to which the policy applies. Users can be either included or excluded from the policy.

A standard policy must contain at least one rule or rule group. Rules determine which resources are protected the type of action that causes a rule to fire. A rule identifies a resource or resources that are included in the policy using a combination of a string-based resource filter and action. The filter in turn consists of realm filter and rule filter.

Policy objects can be of two types: system level and domain level. In a standard (non‑global) policy, all policy objects must be created in the context of a specific domain. However, global policies are system level policies that can apply across all domains in a product deployment. An administrator with system level privileges can define global policies, that include global rules and global responses. These global policies can be applied to any resource in any domain.

The global objects are similar to their standard, domain-specific counterparts. The roles of global objects in a global policy definition are different from domain-specific policy objects. However, there are no global domain or global realm objects.

Global Policy Processing

Any global rules that are contained in global policies fire when the following conditions are met:

• The requested resource belongs to a domain on which global policy processing was not disabled
• The requested resource matches the absolute resource filter that is defined for the global rule. Filters for global rules are obtained from the rule (not from the realm).
• The event that occurs is the same as the one that is defined for the global rule.
• The same agent or agent group protects the requested resource which was specified for the rule.

Whenever an authentication or an authorization event happens, the defined responses for the fired global rules are added to the list of other responses.