

How to Configure a Policy

The following process lists the steps for configuring a policy.

Note: You can also create policies using the Scripting interface for Perl. For more information, see the Programming Guide for Perl.

Follow these steps:

  1. Create the policy.
  2. Add users to the policy.
  3. Add one or more rules to the policy.
  4. (Optional) Associate responses or response groups with rules.
  5. (Optional) Associate global responses with rules.
  6. (Optional) Configure advanced policy options.

More information:

Add Users to a Policy

Add Rules to a Policy

Associate a Rule with a Response or Response Group

Associate a Rule with a Global Response

Advanced Policy Options

Create the Policy

You can create a policy by adding it to a new or existing domain. Policies define relationships between users and resources.

Follow these steps:

  1. Click policies, domain.
  2. Click domains.

    The domains page appears.

  3. Click the name of the domain you want to modify.

    The view domain page appears.

  4. Click Modify.

    The settings and controls become active.

  5. Click the policies tab.

    The policies page appears.

  6. Click create.

    The create policy page appears.

  7. Type the name and a description of the policy.
  8. (Optional) When the policy protects resources for which you always want the user to reauthenticate, select the validate identity check box. For example, if you always want the user to reauthenticate before transferring money from one bank account to another, select the validate identity check box. Users must then reauthenticate before a transfer is made. This setting protects users even if they leave their screen unattended while the CA SiteMinder® session is still valid; the current CA SiteMinder® session itself is not affected.

    Note: This setting requires additional configuration at the Policy Server and the agent. For more information, see the knowledge base document titled Scenario: Require Re-Authentication for Sensitive Resources.

  9. Click the users tab.

    The user directories page appears.

  10. Add users, user groups, or both to the policy, and click submit.

    The Modify domain: Name page re-appears.

  11. Click submit.

    The Modify domain Task is submitted for processing.

Add Users to a Policy

You can add individual users, user groups, or both to a policy and create a policy binding between the added users and the policy. When a user tries to access a protected resource, the policy verifies that the user is part of its policy binding and then fires the rules included in the policy to see if the user is allowed to access the resource.

To add users to a policy

  1. Navigate to the Users dialog.
  2. Add users or groups from the user directory to the policy.

    From within each user directory group box, you can choose Add Members, Add Entry, or Add All. A dialog box appropriate to the method you choose opens so that you can add users to the policy.

    Note: If you select Add Members, the User/Groups pane opens. Individual users are not displayed automatically. Use the search utility to find a specific user within one of the directories.

    You can edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.

  3. Select individual users, user groups, or both using any of these methods, and click OK.

    The User Directories pane reopens and lists the policy's new users on the user directory's group box.

The task of binding users to the policy is complete.

More information:

View User Directory Contents

Policy Binding Establishment

Add Rules to a Policy

Rules indicate the specific resources included in a policy and whether to allow or deny access to the resources when the rule fires. Responses indicate the actions you want to occur when the rule fires.

Note: Add at least one rule or rule group to a policy.

Follow these steps:

  1. Navigate to Policy, Rules.

    The Rules dialog opens.

  2. Click Add Rule.

    The Available Rules pane opens.

  3. Select the individual rules, rule groups, or both that you want to add to the policy, and click OK.

    The Rules section lists the added rules and groups.

  4. (Optional) Associate the rule with a response or response group.

    Note: To remove a rule or rule group from a policy, click the minus sign (-) to the right of the rule on the Rules section. To create a rule, click New Rule on the Available Rules pane.

Associate a Rule with a Response or Response Group

You can associate a response or response group with a rule in a policy. When the rule fires, the associated response also fires.

To associate a rule with a response or response group

  1. Click Add Response for the rule or rule group for which you want to associate a response.

    The Available Responses pane opens and lists the responses and response groups that have been configured for the policy domain.

  2. Select a response or response group, and click OK.

    The response appears in the Rules group box and is associated with the respective rule.

    Note: If the response you require does not exist, click New Response to create the response.

Associate a Rule with a Global Response

You can associate a rule with an existing global response.

To associate a rule with a global response

  1. Navigate to Policy, Rules.

    The Rules group box opens.

  2. Click the Add Response button next to the rule that you want to modify.

    The Available Responses pane opens.

    Note: Global responses, responses, and group responses are listed in that order on the Available Responses pane.

  3. Select a global response, and click OK.

    The Rules group box reopens, and the selected response is added to the rule.

  4. Click Submit.

    The Modify Policy Task is submitted for processing.

More information:

Global Policies, Rules, and Responses

Add an Expression to a Policy

You can create a Boolean expression and add it to a policy. Boolean expressions operate on variables, and the values of the variables at the time that the policy is processed affect the outcome of the processing. Thus, Boolean expressions influence policy decisions.

Follow these steps:

  1. Navigate to Policy, Expressions.

    The Expression group box opens.

  2. Click Edit.

    The Policy Expression pane opens.

  3. Type variable names in the fields on the Condition group box (or click Variable Lookup to select them), select an operator from the drop-down list, and click Add.

    The condition is added to the Infix Notation group box.

    Note: To create multiple conditions, repeat this step.

  4. Select the conditions and click the buttons on the Infix Notation group box to create an expression.
  5. Click OK.

    The Expression group box reopens, and the expression is displayed in the field on the group box.

  6. Click Submit.

    The Modify Policy task is submitted for processing.

Add a Confidence Level to a Policy

Adding a confidence level to a policy lets you apply the results of a RiskMinder risk score evaluation to an authorization decision. Using an active expression limits the confidence level to only those resources (rules) bound to the policy. Note that the two scales run in opposite directions: for RiskMinder risk scores, lower numbers indicate less risk and a safer transaction, whereas for CA SiteMinder® confidence levels, higher numbers indicate less risk and a safer transaction. The value you enter as the function parameter below is a confidence level, not a risk score.

Follow these steps:

  1. From the Administrative UI, click Policies, Domain, Domains.
  2. Click the Edit icon for the policy domain you created for your RiskMinder environment.
  3. Click the Policies tab.
  4. Click Create.
  5. Click the Policies tab.
  6. Click the edit icon for the policy.
  7. Complete the following steps in the Active Policy Expression area:
    1. Enter the following library name:
      smriskactiveexpr
      
    2. Enter the following function name:
      CheckConfidenceLevel
      
    3. Enter a confidence level in the Function Parameters field. The valid range is 1 through 1000.
  8. Click OK.
  9. Click Submit.

    The confidence level is applied to the resources (rules) bound to the policy.
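The following Python model ties together the evaluation order this page describes in the Add Users, Add Rules, Add an Expression and Add a Confidence Level topics: the Policy Server first checks the policy binding, then fires the matching rules, then evaluates the Boolean expression and the CheckConfidenceLevel active expression, and finally fires the responses attached to the rules. It is a constructed illustration added for this page, not CA SiteMinder code: the class names, the glob-style resource filter, the deny-wins precedence when several rules fire, the handling of excluded identities and the sample policy are all assumptions made for the example.

```python
# Constructed model of the policy evaluation order this page describes.
# Illustrative Python, not CA SiteMinder Policy Server code: the class names,
# the deny-wins rule precedence, the glob-style resource filter and the
# exclusion handling are assumptions made for this example.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Rule:
    name: str
    resource: str            # resource filter, e.g. "/accounts/*"
    actions: Set[str]        # actions (HTTP methods) the rule covers
    allow: bool = True       # allow-access rule (True) or deny-access rule (False)
    responses: List[str] = field(default_factory=list)  # responses fired with the rule

    def fires(self, resource: str, action: str) -> bool:
        return action in self.actions and fnmatch(resource, self.resource)


@dataclass
class Policy:
    name: str
    users: Set[str]                                # policy binding: user IDs and group names
    excluded: Set[str] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)
    expression: Optional[Callable[[Dict[str, object]], bool]] = None  # Boolean policy expression
    min_confidence: Optional[int] = None           # CheckConfidenceLevel parameter (1..1000)
    validate_identity: bool = False                # require reauthentication before access

    def __post_init__(self) -> None:
        if self.min_confidence is not None and not 1 <= self.min_confidence <= 1000:
            raise ValueError("confidence level must be in the range 1 through 1000")


@dataclass
class Decision:
    allowed: bool
    reason: str
    responses: List[str] = field(default_factory=list)


def evaluate(policy: Policy, user: str, groups: Set[str], resource: str, action: str,
             variables: Optional[Dict[str, object]] = None, confidence: Optional[int] = None,
             reauthenticated: bool = False) -> Decision:
    """Evaluate one policy for one request, in the order the page describes."""
    identities = {user} | set(groups)

    # 1. Policy binding: excluded identities never match; identities that are not
    #    bound make this policy inapplicable (another policy may still grant access).
    if identities & policy.excluded:
        return Decision(False, "identity excluded from policy")
    if not identities & policy.users:
        return Decision(False, "identity not in policy binding")

    # 2. Rules: collect the rules that fire for this resource and action.
    fired = [r for r in policy.rules if r.fires(resource, action)]
    if not fired:
        return Decision(False, "no rule fires for resource")
    if any(not r.allow for r in fired):          # assumption: a deny rule wins
        return Decision(False, "deny rule fired")

    # 3. Boolean policy expression over request-time variables.
    if policy.expression is not None and not policy.expression(variables or {}):
        return Decision(False, "policy expression evaluated to false")

    # 4. Active expression CheckConfidenceLevel: higher confidence is safer, so the
    #    request must reach at least the configured level (a confidence level, not a risk score).
    if policy.min_confidence is not None:
        if confidence is None or confidence < policy.min_confidence:
            return Decision(False, f"confidence {confidence} below required {policy.min_confidence}")

    # 5. Validate identity: the session may still be valid, but the user must have
    #    reauthenticated for this request.
    if policy.validate_identity and not reauthenticated:
        return Decision(False, "reauthentication required")

    responses = [resp for r in fired for resp in r.responses]
    return Decision(True, "allowed", responses)


# Constructed sample policy: tellers may transfer funds only from the US, with a
# confidence level of at least 700, and after reauthenticating.
TRANSFER_POLICY = Policy(
    name="Funds Transfer",
    users={"alice", "group:tellers"},
    excluded={"group:contractors"},
    rules=[
        Rule("View Accounts", "/accounts/*", {"GET"}, responses=["audit-view"]),
        Rule("Transfer Funds", "/accounts/transfer", {"POST"}, responses=["audit-transfer"]),
    ],
    expression=lambda v: v.get("country") == "US",
    min_confidence=700,
    validate_identity=True,
)


if __name__ == "__main__":
    print(evaluate(TRANSFER_POLICY, "alice", set(), "/accounts/transfer", "POST",
                   {"country": "US"}, confidence=900, reauthenticated=True))
```

The decision reasons make the order of checks visible: a request that fails the binding never reaches the rules, and a request that passes every rule can still be refused by the expression, the confidence level, or the validate identity setting before any response fires.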

More information:

Enable Confidence Level Support for Authorization Decisions

Confidence Levels Introduced

Add CA IdentityMinder Roles

If CA SiteMinder® is integrated with CA IdentityMinder, CA IdentityMinder roles are available for use in policies. Roles let the Policy Server make authorization decisions for users who are members of CA IdentityMinder roles.

Follow these steps:

  1. Navigate to Policy, Users.
  2. Click Add Roles from the IDM Environment you want.
  3. Select the roles you want and click OK.
  4. Click Submit.

    The CA IdentityMinder roles are added to the policy.

Exclude CA IdentityMinder Roles

If a user who is a member of an excluded CA IdentityMinder role tries to access a protected resource, the Policy Server:

Follow these steps:

  1. Navigate to Policy, Users.
  2. Locate the roles you want to exclude in the IDM Environments section.
  3. For each role, click Exclude.
  4. Click Submit.

    The CA IdentityMinder roles are excluded from the policy.