Policy Binding Establishment

Policy Server Guides › Policy Server Configuration Guide › Policies › Policy Binding Establishment

Policy Binding Establishment

The following sections describe the methods for establishing different types of policy bindings. Supported policy binding types differ based on the type of user directory in which user information is located.

Policy Bindings for LDAP Directories

When CA SiteMinder® authenticates a user, it establishes a user context. Subsequently, access control policy decisions are based on the user context matching one of the criteria shown in the table below.

User Namespace	Description
User	The user's Distinguished Name (DN) must match the DN specified in the policy.
User Attribute	The search expression specifying conditions related to user attributes must be true.
User Group	The user's DN must be a member of the user group specified in the policy.
Group Attribute	The search expression specifying conditions related to the group attribute must be true.
Organizational Role	The user must occupy the organizational role specified in the policy.
Organization Unit	The user must be a member of the organizational unit specified in the policy. The Organizational Unit must be a part of a user's DN, group, or role (group and role are not used by default).
Organization	The user must be a member of the organization specified in the policy. The Organization must be a part of a user's DN, group, or role (group and role are not used by default).
Organization Attribute	The search expression specifying conditions related to the organization attribute must be true.
Custom Object Classes	CA SiteMinder® can be configured to associate Policies with custom directory objects.

Generally, you bind users or user attributes to policies on the CA SiteMinder® Policy pane by selecting an entry from the list of available directory entries. Individual users are not visible in the list of available directory entries. However, you can search for specific users within a directory and add the users directly to the policy.

More information:

Add Users to a Policy

Bind Policies to Users with the Manual Entry Field

There are two ways to bind individual users to a policy. The first is by using the Manual Entry field in the CA SiteMinder® Policy Users/Groups dialog. The second is by using the Search feature in the CA SiteMinder® Policy Users/Groups dialog.

To bind users to a policy with the Manual Entry Field

Navigate to Policy, Users.
Locate the group box with the user directory that you want to search, and then click Add Entry.
The User Directory Search Expression Editor opens.
Click the Where to Search drop-down list, and then select Search Users.
In the Manual Entry field, specify a user DN.
For example: uid=JSmith, ou=people, o=myorg.org

Note: This user DN must match exactly the user’s distinguished name. This feature will not match a subset of information contained in the user’s DN.
Click OK.
The User Directory Search Expression Editor closes and the user DN you entered appears in the group box of the directory.
Click Submit to save your changes.

More information:

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to Users with the Search Feature

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

To bind individual users to a policy by using the search feature

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Members on a user directory group box.
The Users/Groups pane opens.
Specify search criteria, and click Go
A list of users that match the search criteria opens.
Select the users that you want, and click OK.
The User Directories pane reopens, and the selected users are added to the user directory group box.
Click Submit.
The Create or Modify Policy task is submitted for processing.

More information:

Search User Directories

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to User Attributes

To bind a policy to user attributes, specify an LDAP search expression that defines conditions related to user attributes that must be true. For example, to bind a policy to all people whose location (l) is westcoast or whose mail address (mail) ends with string.com, insert the following search expression (using a pipe (|) at the beginning) in the Manual Entry field:

(|(l=westcoast)(mail=*string.com))

More information:

Add an LDAP Expression to a Policy

Bind Policies to User Groups

User Groups open in Users/Groups pane.

To bind a policy to a User Group

Click the Users tab.
The user directories associated with the domain open in the User Directories group box.
Click Add Members.
The Users/Groups pane opens.
Select the user group.
Click OK.
The User Directories group box opens. The respective user directory table lists the user group to which the policy should apply.

Bind Policies to Organizational Roles

CA SiteMinder® allows you to bind policies to an Organizational Role. When you bind a policy to an organizational role, users must be a member of the role in order for the policy to fire.

To bind organizational roles to a policy with the Manual Entry Field

Navigate to Policy, Users.
Locate the group box with the user directory that you want to search, and then click Add Entry.
The User Directory Search Expression Editor opens.
Click the Where to Search drop-down list, and then select Search Users.
In the Manual Entry field, specify an organizational role.
Click OK.
The User Directory Search Expression Editor closes and the organizational role you entered appears in the group box of the directory.
Click Submit to save your changes.
The organizational roles are bound to the policy.

Bind Policies to Group Attributes

To bind a policy to group attributes, specify an LDAP search expression that defines conditions related to group attributes that must be true.

To bind policies to group attributes

Navigate ot Policy, Users.
Locate the group box with the user directory that you want to search, and then click Add Entry.
The User Directory Search Expression Editor opens.
Click the Where to Search drop-down list, and then select Search Users.
In the Manual Entry field, specify a group. For example, to bind a policy to all groups located in the state of Massachusetts in the USA, insert the following search expression in the Manual Entry field:
(&(c=USA)(s=Massachusetts))
Click OK.
The User Directory Search Expression Editor closes and the group you entered appears in the group box of the directory.
Click Submit to save your changes.

More information:

Add an LDAP Expression to a Policy

Bind Policies to Organization Units

To bind a policy to an organizational unit, specify an LDAP search expression that defines an organizational unit.

To bind organization units to a policy with the Manual Entry Field

Navigate to Policy, Users.
Locate the group box with the user directory that you want to search, and then click Add Entry.
The User Directory Search Expression Editor opens.
Click the Where to Search drop-down list, and then select Search Organizations.
In the Manual Entry field, specify an organization unit. For example, to bind a policy to all people whose organization unit (ou) is marketing, insert the following search expression in the Manual Entry field:
ou=Marketing
Click OK.
The User Directory Search Expression Editor closes and the user DN you entered appears in the group box of the directory.
Click Submit to save your changes.
The organization unit is bound to the policy.

Bind Policies to Organizations

To bind a policy to an organization, specify an LDAP search expression that defines an organization.

To bind organizations to a policy with the Manual Entry Field

Navigate to Policy, Users.
Locate the group box with the user directory that you want to search, and then click Add Entry.
The User Directory Search Expression Editor opens.
Click the Where to Search drop-down list, and then select Search Organizations.
In the Manual Entry field, specify an organization.
For example, to bind a policy to all people whose organization (o) is myorg.org, insert the following search expression in the Manual Entry field:

o=myorg.org
Click OK.
The User Directory Search Expression Editor closes and the organization you entered appears in the group box of the directory.
Click Submit to save your changes.
The organization is bound to the policy.

Bind Policies to Organization Attributes

To bind a policy to organization attributes, specify an LDAP search expression that defines conditions related to organization attributes that must be true.

To bind users to a policy with the Manual Entry Field

Navigate to Policy, Users.
Locate the group box with the user directory that you want to search, and then click Add Entry.
The User Directory Search Expression Editor opens.
Click the Where to Search drop-down list, and then select Search Organizations.
In the Manual Entry field, specify an organization attribute. For example, to bind a policy to all organizations located in the state of Massachusetts in the USA, insert the following search expression in the Manual Entry field:
(&(c=USA)(s=Massachusetts))
Click OK.
The User Directory Search Expression Editor closes and the organization attribute you entered appears in the group box of the directory.
Click Submit to save your changes.
The policy is bound to the organization attributes.

More information:

Add an LDAP Expression to a Policy

Binding Policies to Custom Object Classes

CA SiteMinder® can be configured to bind policies to custom object classes. If you have the Software Development Kit installed, see the API Reference Guide for C for more information.

Policy Bindings for WinNT User Directories

When CA SiteMinder® authenticates a user, it establishes a user context. Subsequently, access control policy decisions are based on the user context matching one of the criteria shown below.

User Namespace	Description
User	The user’s user name must match the user name specified in the policy.
User Group	The user must be a member of the user group specified in the policy.

Generally, you bind users to policies on the Policy pane by selecting an entry from the list of available directory entries. However, individual users are not visible in the list of available directory entries.

More information:

Add Users to a Policy

Bind Policies to Users with the Manual Entry Field

On the User Directories pane, there are two ways to bind individual users to a policy. You can click Add Members on a user directory group box and use the attribute-value search feature on the Users/Groups pane. Or you can click Add Entry on a user directory group box and use the User Directory Search Expression Editor.

To bind individual users to a policy by using the Manual Entry field

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Entry on a user directory group box.
The User Directory Search Expression Editor pane opens.
Specify a user DN on the Condition and Infix Notation group boxes.
Click OK.
The User Directories pane reopens, and the specified users are added to the user directory group box.
Click Submit.
The Create or Modify Policy task is submitted for processing.

More information:

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to Users with the Search Feature

To bind individual users to a policy by using the search feature

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Members on a user directory group box.
The Users/Groups pane opens.
Specify search criteria, and click Go
A list of users that match the search criteria opens.
Select the users that you want, and click OK.
The User Directories pane reopens, and the selected users are added to the user directory group box.
Click Submit.
The Create or Modify Policy task is submitted for processing.

More information:

Search User Directories

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to User Groups

You can bind a policy to a user group.

To bind a policy to a user group

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Members on a user directory group box.
The Users/Groups pane opens.
Select a user group.
Click OK.
The User Directories pane reopens, and the selected user group is added to the user directory group box.

More information:

Add Users to a Policy

Policy Bindings for Microsoft SQL Server and Oracle User Directories

When CA SiteMinder® authenticates a user, it establishes a user context. Subsequently, access control policy decisions are based on the user context matching one of the criteria shown in below.

User Namespace	Description
User	The user’s name must match the user name specified in the policy.
User Group	The user must be a member of the user group specified in the policy.
User Attribute	The search expression specifying conditions related to user attributes must be true.
SQL query	The SQL query specifying conditions related to the user must be true.

Generally, you would bind users or user attributes to policies on the Policy Users/Groups pane by selecting an entry from the list of available directory entries. However, individual users may not be visible in the list of available directory entries (depending on the setup of Query Enumerate in the SQL query scheme for the user directory).

More information:

Add Users to a Policy

Bind Policies to Users with the Manual Entry Field

To bind individual users to a policy by using the Manual Entry field

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Entry on a user directory group box.
The User Directory Search Expression Editor pane opens.
Specify a user DN on the Condition and Infix Notation group boxes.
Click OK.
The User Directories pane reopens, and the specified users are added to the user directory group box.
Click Submit.
The Create or Modify Policy task is submitted for processing.

More information:

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to Users with the Search Feature

To bind individual users to a policy by using the search feature

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Members on a user directory group box.
The Users/Groups pane opens.
Specify search criteria, and click Go
A list of users that match the search criteria opens.
Select the users that you want, and click OK.
The User Directories pane reopens, and the selected users are added to the user directory group box.
Click Submit.
The Create or Modify Policy task is submitted for processing.

More information:

Search User Directories

Add Users to a Policy

Add Users by Manual Entry

Bind Policies to User Groups

You can bind a policy to a user group.

To bind a policy to a user group

Navigate to Policy, Users.
A list of the user directories that are associated with the domain opens on the User Directories pane.
Click Add Members on a user directory group box.
The Users/Groups pane opens.
Select a user group.
Click OK.
The User Directories pane reopens, and the selected user group is added to the user directory group box.

More information:

Add Users to a Policy

Bind Policies to User Attributes

To bind policies to user attributes, specify a search expression that defines conditions related to user attributes that must be true.

For example, to bind a policy to all people whose area code is 555, insert the following expression in the Manual Entry field: (areacode=’555’).