The following sections describe the methods for establishing different types of policy bindings. Supported policy binding types differ based on the type of user directory in which user information is located.
When CA SiteMinder® authenticates a user, it establishes a user context. Subsequently, access control policy decisions are based on the user context matching one of the criteria shown in the table below.
User Namespace |
Description |
---|---|
User |
The user's Distinguished Name (DN) must match the DN specified in the policy. |
User Attribute |
The search expression specifying conditions related to user attributes must be true. |
User Group |
The user's DN must be a member of the user group specified in the policy. |
Group Attribute |
The search expression specifying conditions related to the group attribute must be true. |
Organizational Role |
The user must occupy the organizational role specified in the policy. |
Organization Unit |
The user must be a member of the organizational unit specified in the policy. The Organizational Unit must be a part of a user's DN, group, or role (group and role are not used by default). |
Organization |
The user must be a member of the organization specified in the policy. The Organization must be a part of a user's DN, group, or role (group and role are not used by default). |
Organization Attribute |
The search expression specifying conditions related to the organization attribute must be true. |
Custom Object Classes |
CA SiteMinder® can be configured to associate Policies with custom directory objects. |
Generally, you bind users or user attributes to policies on the CA SiteMinder® Policy pane by selecting an entry from the list of available directory entries. Individual users are not visible in the list of available directory entries. However, you can search for specific users within a directory and add the users directly to the policy.
There are two ways to bind individual users to a policy. The first is by using the Manual Entry field in the CA SiteMinder® Policy Users/Groups dialog. The second is by using the Search feature in the CA SiteMinder® Policy Users/Groups dialog.
To bind users to a policy with the Manual Entry Field
The User Directory Search Expression Editor opens.
For example: uid=JSmith, ou=people, o=myorg.org
Note: This user DN must match exactly the user’s distinguished name. This feature will not match a subset of information contained in the user’s DN.
The User Directory Search Expression Editor closes and the user DN you entered appears in the group box of the directory.
On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.
To bind individual users to a policy by using the search feature
A list of the user directories that are associated with the domain opens on the User Directories pane.
The Users/Groups pane opens.
A list of users that match the search criteria opens.
The User Directories pane reopens, and the selected users are added to the user directory group box.
The Create or Modify Policy task is submitted for processing.
To bind a policy to user attributes, specify an LDAP search expression that defines conditions related to user attributes that must be true. For example, to bind a policy to all people whose location (l) is westcoast or whose mail address (mail) ends with string.com, insert the following search expression (using a pipe (|) at the beginning) in the Manual Entry field:
(|(l=westcoast)(mail=*string.com))
User Groups open in Users/Groups pane.
To bind a policy to a User Group
The user directories associated with the domain open in the User Directories group box.
The Users/Groups pane opens.
The User Directories group box opens. The respective user directory table lists the user group to which the policy should apply.
CA SiteMinder® allows you to bind policies to an Organizational Role. When you bind a policy to an organizational role, users must be a member of the role in order for the policy to fire.
To bind organizational roles to a policy with the Manual Entry Field
The User Directory Search Expression Editor opens.
The User Directory Search Expression Editor closes and the organizational role you entered appears in the group box of the directory.
The organizational roles are bound to the policy.
To bind a policy to group attributes, specify an LDAP search expression that defines conditions related to group attributes that must be true.
To bind policies to group attributes
The User Directory Search Expression Editor opens.
(&(c=USA)(s=Massachusetts))
The User Directory Search Expression Editor closes and the group you entered appears in the group box of the directory.
To bind a policy to an organizational unit, specify an LDAP search expression that defines an organizational unit.
To bind organization units to a policy with the Manual Entry Field
The User Directory Search Expression Editor opens.
ou=Marketing
The User Directory Search Expression Editor closes and the user DN you entered appears in the group box of the directory.
The organization unit is bound to the policy.
To bind a policy to an organization, specify an LDAP search expression that defines an organization.
To bind organizations to a policy with the Manual Entry Field
The User Directory Search Expression Editor opens.
For example, to bind a policy to all people whose organization (o) is myorg.org, insert the following search expression in the Manual Entry field:
o=myorg.org
The User Directory Search Expression Editor closes and the organization you entered appears in the group box of the directory.
The organization is bound to the policy.
To bind a policy to organization attributes, specify an LDAP search expression that defines conditions related to organization attributes that must be true.
To bind users to a policy with the Manual Entry Field
The User Directory Search Expression Editor opens.
(&(c=USA)(s=Massachusetts))
The User Directory Search Expression Editor closes and the organization attribute you entered appears in the group box of the directory.
The policy is bound to the organization attributes.
CA SiteMinder® can be configured to bind policies to custom object classes. If you have the Software Development Kit installed, see the API Reference Guide for C for more information.
When CA SiteMinder® authenticates a user, it establishes a user context. Subsequently, access control policy decisions are based on the user context matching one of the criteria shown below.
User Namespace |
Description |
---|---|
User |
The user’s user name must match the user name specified in the policy. |
User Group |
The user must be a member of the user group specified in the policy. |
Generally, you bind users to policies on the Policy pane by selecting an entry from the list of available directory entries. However, individual users are not visible in the list of available directory entries.
On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value search feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.
To bind individual users to a policy by using the Manual Entry field
A list of the user directories that are associated with the domain opens on the User Directories pane.
The User Directory Search Expression Editor pane opens.
The User Directories pane reopens, and the specified users are added to the user directory group box.
The Create or Modify Policy task is submitted for processing.
On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.
To bind individual users to a policy by using the search feature
A list of the user directories that are associated with the domain opens on the User Directories pane.
The Users/Groups pane opens.
A list of users that match the search criteria opens.
The User Directories pane reopens, and the selected users are added to the user directory group box.
The Create or Modify Policy task is submitted for processing.
You can bind a policy to a user group.
To bind a policy to a user group
A list of the user directories that are associated with the domain opens on the User Directories pane.
The Users/Groups pane opens.
The User Directories pane reopens, and the selected user group is added to the user directory group box.
When CA SiteMinder® authenticates a user, it establishes a user context. Subsequently, access control policy decisions are based on the user context matching one of the criteria shown in below.
User Namespace |
Description |
---|---|
User |
The user’s name must match the user name specified in the policy. |
User Group |
The user must be a member of the user group specified in the policy. |
User Attribute |
The search expression specifying conditions related to user attributes must be true. |
SQL query |
The SQL query specifying conditions related to the user must be true. |
Generally, you would bind users or user attributes to policies on the Policy Users/Groups pane by selecting an entry from the list of available directory entries. However, individual users may not be visible in the list of available directory entries (depending on the setup of Query Enumerate in the SQL query scheme for the user directory).
On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value search feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.
To bind individual users to a policy by using the Manual Entry field
A list of the user directories that are associated with the domain opens on the User Directories pane.
The User Directory Search Expression Editor pane opens.
The User Directories pane reopens, and the specified users are added to the user directory group box.
The Create or Modify Policy task is submitted for processing.
On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.
To bind individual users to a policy by using the search feature
A list of the user directories that are associated with the domain opens on the User Directories pane.
The Users/Groups pane opens.
A list of users that match the search criteria opens.
The User Directories pane reopens, and the selected users are added to the user directory group box.
The Create or Modify Policy task is submitted for processing.
You can bind a policy to a user group.
To bind a policy to a user group
A list of the user directories that are associated with the domain opens on the User Directories pane.
The Users/Groups pane opens.
The User Directories pane reopens, and the selected user group is added to the user directory group box.
To bind policies to user attributes, specify a search expression that defines conditions related to user attributes that must be true.
For example, to bind a policy to all people whose area code is 555, insert the following expression in the Manual Entry field: (areacode=’555’).
Copyright © 2013 CA.
All rights reserved.
|
|