The following process lists the steps for configuring a policy.
Note: You can also create policies using the Scripting interface for Perl. For more information, see the Programming Guide for Perl.
Follow these steps:
You can create a policy by adding it to a new or existing domain. Policies define relationships between users and resources.
Follow these steps:
The domains page appears.
The view domain page appears.
The settings and controls become active.
The policies page appears.
The create policy page appears.
Note: This setting requires additional configuration at the Policy Server and the agent. For more information, see the knowledge base document titled Scenario: Require Re-Authentication for Sensitive Resources.
The user directories page appears.
The Modify domain: Name page re-appears.
The Modify domain Task is submitted for processing.
You can add individual users, user groups, or both to a policy and create a policy binding between the added users and the policy. When a user tries to access a protected resource, the policy verifies that the user is part of its policy binding and then fires the rules included in the policy to see if the user is allowed to access the resource.
To add users to a policy
From within each user directory group box, you can choose Add Members, Add Entry, Add All. Depending on which method you use to add users to the policy, a dialog box will open enabling you to add users.
Note: If you select Add Members, the User/Groups pane opens. Individual users are not displayed automatically. Use the search utility to find a specific user within one of the directories.
You can edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.
The User Directories pane reopens and lists the policy's new users on the user directory's group box.
The task of binding users to the policy is complete.
Rules indicate the specific resources included in a policy and whether to allow or deny access to the resources when the rule fires. Responses indicate the actions you want to occur when the rule fires.
Note: Add at least one rule or rule group to a policy.
Follow these steps:
The Rules dialog opens.
The Available Rules pane opens.
The Rules section lists the added rules and groups.
Note: To remove a rule or rule group from a policy, click the minus sign (-) to the right of the rule on the Rules section. To create a rule, click New Rule on the Available Rules pane.
You can associate a response or response group with a rule in a policy. When the rule fires, the associated response also fires.
To associate a rule with a response or response group
The Available Responses pane opens and lists the responses and response groups that have been configured for the policy domain.
The response opens in the Rules group box, and is associated with the respective rule.
Note: If the response you require does not exist, click New Response to create the response.
You can associate a rule with an existing global response.
To associate a rule with a global response
The Rules group box opens.
The Available Responses pane opens.
Note: Global responses, responses, and group responses are listed in that order on the Available Responses pane.
The Rules group box reopens, and the selected response is added to the rule.
The Modify Policy Task is submitted for processing.
You can create a Boolean expression and add it to a policy. Boolean expressions operate on variables, and the values of the variables at the time that the policy is processed affect the outcome of the processing. Thus, Boolean expressions influence policy decisions.
Follow these steps:
The Expression group box opens.
The Policy Expression pane opens.
The condition is added to the Infix Notation group box.
Note: To create multiple conditions, repeat this step.
The Expression group box reopens, and the expression is displayed in the field on the group box.
The Modify Policy task is submitted for processing.
Adding a confidence level to a policy lets you apply the results of an RiskMinder risk score evaluation to an authorization decision. Using an active expression limits the confidence level to only those resources (rules) bound to the policy. For RiskMinder risk scores, lower numbers indicate less risk and a safer transaction. For CA SiteMinder® confidence levels, higher numbers indicate less risk and a safer transaction.
Follow these steps:
smriskactiveexpr
CheckConfidenceLevel
The confidence level is applied to the resources (rules) bound to the policy.
If CA SiteMinder® is integrated with a CA IdentityMinder, a CA IdentityMinder role is available for use in policies. Roles let the Policy Sever make authorization decisions for users who are members of CA IdentityMinder roles.
Follow these steps:
The CA IdentityMinder roles are added to the policy.
If a user who is a member of an excluded CA IdentityMinder role tries to access a protected resource, the Policy Server:
Follow these steps:
The CA IdentityMinder roles are excluded from the policy.
Copyright © 2013 CA.
All rights reserved.
|
|