

Define the Security Policy for a Web Application in an Application Object

This section contains the following topics:

Advantages of Securing Your Resources Using Application Objects

How to Define the Security Policy for a Web Application in an Application Object

Use Cases for Defining Application Security Policies Using Application Objects

Advantages of Securing Your Resources Using Application Objects

Application objects provide an access management model that lets you protect business applications without an in-depth knowledge of CA SiteMinder®-specific concepts and components. This model is also known as Enterprise Policy Management (EPM).

Application objects present policy configuration in the context of securing an application. To protect an application, you create an Application object and are only required to provide data for configuration settings that do not have defaults. Modifying other settings is optional. Application objects therefore make policy configuration more straightforward. You can manipulate additional CA SiteMinder® settings that allow you to define more fine-grained protection of an application; however, such manipulation is not required.

For the administrator already familiar with CA SiteMinder® domain-based policies, there is a relationship between the application-oriented concepts and the underlying CA SiteMinder® policy objects. This relationship is reflected in the Administrative UI and is shown in the following table:

Application Dialogs and Group Boxes    Underlying SiteMinder Component

General settings                       Defines the policy domain
Components                             Defines the realm
Resource                               Specifies the rule
Application Roles                      Define the policy users

Application roles define the set of users who have access to a resource or group of resources defined in an Application object. Roles can include all users in configured user directories, be limited to selected groups, organizations, and users with matching user attributes, or specified using a named or unnamed expression.

Application objects offer the following benefits:

Application-centric approach

The focus on applications relates closely to the view of access management by most businesses.

Consistent security enforcement model

The security enforcement model for application objects is no different from the one implemented by the more domain-centric model. However, the domain-specific components are hidden from configuration.

Simplified security

Securing resources is simplified—you name the application, the application resources that need protecting, and the application roles that are permitted access. You are not required to examine or modify every aspect of a component to establish a security policy.

Enhanced delegation

A CA SiteMinder® administrator can grant access to an application without expert knowledge of CA SiteMinder®. This ability enables a senior security administrator to delegate access management responsibilities to other administrators.

How to Define the Security Policy for a Web Application in an Application Object

Application objects provide an intuitive method of defining a complete security policy for a web application (or website). Application objects associate resources with user roles to specify entitlement policies that determine which users can access which resources.

Note: An application object defines policy information that can otherwise be configured in a policy domain and its subobjects (realms, rules, rule groups, responses, and policies).

[Diagram illustrating how to define the security policy for a web application in an application object]

To define the security policy for a web application in an application object, complete the following procedures:

  1. Verify your administrative rights.
  2. Create the application object and define the general properties of your security policy.
  3. Designate the application resources.
  4. Create roles that identify the users that can access the protected resources.
  5. (Optional) Configure responses to customize the web application.
  6. (Optional) Configure response groups to customize the web application.
  7. Create policies to associate resources with user roles.
  8. (Optional) Configure advanced application options.

Verify Your Administrative Rights

To implement application security policies, you require the necessary administrative rights. An administrator can be assigned the following application-related rights:

Application administration

The application administration right lets you create, modify, and delete an application and its components.

Policy administration

The policy administration right lets you define the resources, roles, and policies that are associated with an application.

If you do not have the necessary rights, contact the CA SiteMinder® superuser.

Create the Application Object and Define the General Properties of Your Security Policy

Create an application object and configure the general properties of the security policy that it defines.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Policies, Application.
  3. Click Applications.
  4. Click Create Application.

    The Create Application page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter the name and description of the application.
  6. In the Components section, define one or more groups of related resources with similar security requirements. Follow these steps for each component:
    1. Click Create Component.
    2. Type the name of the component.
    3. Click Lookup Agent/Agent Group.
    4. Select an agent or agent group and click OK.
    5. Type the root URL of the resources that you want to protect in the Resource Filter field.
    6. Specify whether the resources are protected or unprotected by default.
    7. Specify the authentication scheme to use to validate the identity of users who request resources.
  7. In the User Directories section, perform the following steps to select the directory (or directories) of users who are authorized to use application resources:
    1. Click Add/Remove.
    2. Select one or more user directories from the list of Available Members, and click the right-facing arrows.

      The user directories are removed from the list of Available Members and added to the list of Selected Members.

      Note: To select more than one member at one time, hold down the Ctrl key while you click the additional members. To select a block of members, click the first member and then hold down the Shift key while you click the last member in the block.

    3. Click OK.

      The selected user directories are listed under User Directories on the Create Application page.

  8. Click OK.
  9. Click Submit.

    The application object is created.

Designate the Application Resources

After defining the application components that you want to protect, designate the specific resources within each component that you want to protect.

Follow these steps:

  1. On the Create Application page, click the Resources tab.
  2. If you created more than one component, select the root URL (specified as the Resource Filter on the General tab) of the resources that you want to protect from the Select a context root drop-down list.
  3. Click Create.
  4. Type the name of the resource.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Type the resource that you want to protect in the Resource field. Specify a particular file, or use a regular expression for greater flexibility in resource matching.

    The Effective Resource updates to include the resource.

  6. If you used a regular expression in the Resource field, set the Regular Expression option.
  7. In the Action section, select the type of action on the specified resource that causes the Policy Server to process the request.

    The Action List is populated with actions appropriate for the selected action type.

  8. Select one or more actions.
  9. Click OK.

    The Resource is created.

  10. Repeat steps 2 through 9 for each resource in the web application.

The web application resources are now defined.

Create Roles That Identify the Users That Can Access the Protected Resources

After defining the web application components and resources, you specify roles that define the set of users who have access to a particular resource.

Follow these steps:

  1. On the Create Application page, click the Roles tab.
  2. Click Create Role.
  3. Verify that the Create new object of type Role option is selected, and click OK.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Enter a name and optionally, a description for the role.
  5. Specify whether the role applies to All Users or Selected Users in the configured user directories.

    Note: The Users Setup and Advanced sections do not apply when the All Users option is set and are no longer displayed.

  6. Define the groups, organizations, and user attribute expressions that define the members of the role by making selections in the Users Setup group box.
  7. Click OK.
  8. Repeat steps 2 through 7 for each additional required role.

(Optional) Configure Responses to Customize the Web Application

Configure responses to pass text, user attributes, DN attributes, active responses, or the runtime values of defined variables from the Policy Server to an agent. Web applications can use response data to display customized content, to determine privileges, or for fine-grained access control. Response data can also be used to change SiteMinder settings or to redirect users to different resources.

Follow these steps:

  1. On the Create Application page, click the Response tab.
  2. Click Create Response.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Enter a name for the response.
  4. Create one or more response attributes. Follow these steps for each response attribute:
    1. Click Create Response Attribute.
    2. Select the attribute type that you want to configure. For example, the WebAgent-HTTP-Header-Variable attribute type.
    3. Select the Attribute Kind.

      The details in the Attribute Fields are updated to match the specified attribute kind.

    4. Complete the details in the Attribute Fields.
    5. (Optional) Edit the attribute in the Script field.

      Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.

    6. Specify Cache Value (the default) or Recalculate value every ... seconds.

      Note: The maximum time limit that can be entered is 3600 seconds.

    7. Click OK.

    The response attribute is added to the Attribute List.

  5. Click OK.

    The Response is created.

(Optional) Configure Response Groups to Customize the Web Application

Configure a response group to combine multiple responses in a single object. When you create your application policy, you can more easily associate multiple responses with a single resource within that policy.

Follow these steps:

  1. On the Create Application page, click the Response tab.
  2. Click Create Response Group.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Enter a name for the response group.
  4. Click Add/Remove.

    The Response Group Members page appears.

    Note: The Available Members column lists all responses and response groups that are defined in the application object.

  5. Select one or more responses or response groups from the list of Available Members, and click the right-facing arrows.

    The responses are removed from the list of Available Members and added to the list of Selected Members.

    Note: To select more than one member at a time, hold down the Ctrl key while you click the additional members. To select a block of members, click the first member and then hold down the Shift key while you click the last member in the block.

  6. Click OK.

    The selected responses are added to the response group.

  7. Click OK.

    The Response Group is created.

Configure a Policy to Associate Resources with User Roles

Associate resources with user roles in the application policy to define which users are authorized to access each resource. If you want to return data to the authorizing agent when a resource is accessed, also associate responses with resources in the policy.

Follow these steps:

  1. On the Create Application page, click the Policies tab.

    The Policies tab displays two tables, one that lists resources and roles, the other that lists resources and responses.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. In the resources table, select the roles that you want to associate with each resource. Only users in the selected roles are authorized to access those resources.
  3. In the responses table, select the responses and response groups that you want to associate with each resource. The data defined in selected responses is returned when the associated resource is accessed.

    Note: Responses are not listed in the responses table until you select a role/resource table entry.

  4. Click Submit.

    A confirmation screen appears. The application security policy is created.
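The preceding procedures configure four related things: components with a resource filter and a default protection setting, resources that are matched either literally or by regular expression and by action, roles that describe sets of users, and a policy table that associates each resource with roles and responses. The model below shows how those pieces combine into an authorization decision. It is an added illustration and not CA SiteMinder code; the class names, the plain predicate used in place of a user attribute expression, the simplified reading of "protected by default" (an uncovered URL in a protected component is denied, in an unprotected component it is allowed), and the sample application and users are all constructed assumptions.

```python
# Toy model of an application-object security policy. Added illustration only;
# not CA SiteMinder code. Names, sample data and simplifications are assumptions.
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Component:
    name: str
    resource_filter: str              # root URL from the General tab, e.g. "/hr/"
    protected_by_default: bool = True


@dataclass
class Resource:
    name: str
    component: Component
    resource: str                     # a file name or a regular expression (Resources tab)
    is_regex: bool = False            # the Regular Expression option
    actions: frozenset = frozenset({"GET"})   # Action List selections

    @property
    def effective_resource(self) -> str:
        # The Effective Resource shown in the UI: resource filter + resource.
        return self.component.resource_filter + self.resource

    def matches(self, url: str, action: str) -> bool:
        if action not in self.actions:
            return False
        if self.is_regex:
            return re.fullmatch(self.effective_resource, url) is not None
        return url == self.effective_resource


@dataclass
class Role:
    name: str
    all_users: bool = False
    groups: frozenset = frozenset()   # group DNs chosen in the Users Setup group box
    # Assumption: a plain predicate stands in for a user attribute expression.
    attribute_expr: Optional[Callable[[dict], bool]] = None

    def contains(self, user: dict) -> bool:
        if self.all_users:
            return True
        if self.groups & frozenset(user.get("groups", ())):
            return True
        return self.attribute_expr is not None and bool(self.attribute_expr(user))


@dataclass
class Response:
    name: str
    header_attributes: dict           # HTTP header name -> user attribute passed to the agent

    def render(self, user: dict) -> dict:
        return {h: user.get(a, "") for h, a in self.header_attributes.items()}


@dataclass
class Application:
    components: list
    resources: list
    roles: dict                       # role name -> Role
    resource_roles: dict              # resource name -> role names (Policies tab, roles table)
    resource_responses: dict = field(default_factory=dict)  # resource name -> [Response]

    def authorize(self, user: dict, url: str, action: str) -> tuple:
        """Return (decision, headers). A URL inside a component that no resource
        covers is decided by the component's default protection (simplified)."""
        component = next((c for c in self.components
                          if url.startswith(c.resource_filter)), None)
        if component is None:
            return "not-covered", {}      # this application object does not govern the URL
        for res in self.resources:
            if res.component is component and res.matches(url, action):
                role_names = self.resource_roles.get(res.name, ())
                if any(self.roles[r].contains(user) for r in role_names):
                    headers = {}
                    for resp in self.resource_responses.get(res.name, ()):
                        headers.update(resp.render(user))
                    return "allow", headers
                return "deny", {}
        return ("deny" if component.protected_by_default else "allow"), {}


def build_sample_application() -> Application:
    """Constructed sample HR application: one protected and one unprotected component."""
    portal = Component("Portal", "/hr/")
    public = Component("Public", "/hr-public/", protected_by_default=False)
    resources = [
        Resource("Payslips", portal, r"payslips/.*\.pdf", is_regex=True),
        Resource("Admin console", portal, "admin/index.jsp", actions=frozenset({"GET", "POST"})),
    ]
    roles = {
        "Employees": Role("Employees", all_users=True),
        "HR staff": Role("HR staff", groups=frozenset({"cn=hr,ou=groups,o=example"})),
        "Managers": Role("Managers", attribute_expr=lambda u: u.get("title") == "manager"),
    }
    return Application(
        components=[portal, public], resources=resources, roles=roles,
        resource_roles={"Payslips": {"Employees"}, "Admin console": {"HR staff", "Managers"}},
        resource_responses={"Payslips": [Response("Department header",
                                                  {"SM_USER_DEPT": "department"})]},
    )
```

Calling build_sample_application().authorize(user, url, action) with a constructed user dictionary (keys uid, groups, title, department) shows the policy table at work: a GET for /hr/payslips/2024-05.pdf is allowed for any user and carries the department header, a POST to /hr/admin/index.jsp is allowed only for members of the HR group or users whose title is manager, and a request under /hr-public/ that matches no resource is served because that component is unprotected by default.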

(Optional) Configure Advanced Application Options

You can also configure the following advanced options for your application security policy:

(Optional) Configure Custom Attributes to Add Metadata About the Application

You can define custom attributes to add unique identifying metadata about your application. The metadata describes the application by adding information, such as the name of the person who created the application or the purpose of the application.

Follow these steps:

  1. On the Create Application page, click the Custom Attributes tab.

    The Custom Attributes tab displays a table that contains the name and value of any existing metadata.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. Click Create.

    A blank entry is added to the Custom Attributes table.

  3. Enter a name and value for the piece of metadata you are adding.
  4. Click Create.

    The custom attribute is added to the table and a new blank entry is added.

  5. Repeat steps 3 and 4 for each custom attribute you want to add.

Configure Confidence Levels in Applications

If CA SiteMinder® is integrated with a supported risk analysis engine, a confidence level is available for use in application objects. Confidence levels extend applications to include the results of the risk evaluation that is completed as part of user authentication. The Policy Server can use these results when making authorization decisions.

You can apply a confidence level to the following objects:

More information:

SiteMinder Generated User Attributes

Named Expressions

Configure CA DataMinder Content Classifications in Applications

If CA SiteMinder® is integrated with CA DataMinder, content classifications are available for use with application objects. Content classifications extend applications to include the type of content a user is requesting. The Policy Server can use the results of the CA DataMinder content analysis to make authorization decisions.

Note: Applying content classifications to an application component requires that you enable the environment for the CA DataMinder integration. For more information, see the CA SiteMinder® Implementation Guide.

You can apply a CA DataMinder content classification to the following objects:

Configure Advanced Policy Components for Applications

Application objects provide configuration options that let the following types of users modify CA SiteMinder® components beyond the default settings:

Follow these steps:

  1. Click Applications.
  2. Click Create Application.
  3. Enter information in the General and Components sections and then click Advanced Settings.

    The Modify Component page appears. The Modify Component page includes the session and advanced features of policy realms. For example, if confidence level support is enabled, you can add a minimum confidence level to the component.

    Note: For more information about enabling confidence level support, see the CA SiteMinder® Implementation Guide.

  4. Do one of the following:
  5. When you are finished, click OK to save the changes and continue configuring the remaining parts of the application.

More information:

Authentication Events

Rules Overview

Authorization Events

Realms Overview

Session Timeouts