There are a number of advanced features you can use when setting up policies in the Administrative UI. These features include the following:
This feature lets you specify certain IP addresses that a user must be using in order for a policy to fire.
This feature lets you specify times during which the policy fires. If you add a time restriction to a policy, the policy is effectively disabled outside of the specified times.
This feature lets you have a function call invoked in a shared library created with the CA SiteMinder® API. The function call determines whether or not the policy fires.
You specify that a policy should only fire for users who access the policy's resources from a specific:
For example, if the policy includes a rule that allows access to resources and you then specify a range of IP addresses, only users who log in from one of the addresses in that range are allowed access to the protected resources.
You specify a single IP address to ensure that the policy only fires for users who access the policy’s resources from the specified IP address.
To specify a single IP address
Settings for IP addresses appear.
Settings specific to a single host appear.
The IP address appears in the IP Address group box.
Note: If you do not know the IP address, but have the domain name for the address, click DNS Lookup. Enter a fully qualified host name to look up the IP address.
The policy is saved.
You specify a host name to ensure the policy only fires for users who access the policy’s resources from the specified host.
To specify a host name
Settings for IP addresses appear.
Settings specific to a host name appear.
The host name appears in the IP Address group box.
The policy is saved.
You specify a subnet mask to ensure the policy only fires for users who access the policy’s resources from an address within the subnet defined by the specified subnet mask.
To add a subnet mask
Settings for IP addresses appear.
Settings specific to the subnet mask appear.
Note: If you do not know the IP address, but have the domain name for the address, click DNS Lookup. Enter a fully qualified host name to look up the IP address.
The subnet mask appears in the IP Address group box.
The policy is saved.
You specify a range of IP addresses to ensure that the policy only fires for users who access the policy’s resources from one of the IP addresses included in the range of addresses.
To add a range of IP addresses
Settings for IP addresses appear.
Settings specific to a range of IP addresses appear.
Note: If you do not know an IP address, but have the domain name for the address, click DNS Lookup. Enter a fully qualified host name to look up the IP address.
The range of IP addresses appears in the IP Address group box.
The policy is saved.
The Administrative UI lets you add time restrictions to a policy. When you add a time restriction, the policy only fires during the period specified by the time restriction. If a user attempts to access a resource outside of the period specified by the time restriction, the policy does not fire.
For example, suppose you create a time restriction for a policy that secures access to a resource and specify that the policy only fires from 9 AM to 5 PM, Monday through Friday. A user is authenticated and authorized only during the times indicated in the time restriction; the resources protected by the policy are not available outside those times.
Note: Time restrictions are based on the system clock of the server on which the Policy Server is installed.
If you specify a time restriction for a policy, and that policy contains a rule with a time restriction, the policy fires only during the times that are the intersection of the two restrictions.
For example, if a policy has a time restriction of 9AM to 5PM, and a rule has a time restriction of Monday through Friday, then the policy only fires between 9AM and 5PM, Monday through Friday.
You add time restrictions to a policy to ensure that the policy only fires at specific times.
To add a time restriction to a policy
The Time Restrictions pane appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: Each check box represents one hour. When a check box is selected, the rule fires during that hour, and the rule applies to the specified resources. When a check box is cleared, the rule does not fire during that hour, and the rule will not apply to the specified resources.
The time restrictions are saved.
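The check-box grid described above (one box per hour, seven days) maps naturally onto a bitmap, and the policy-versus-rule intersection is then a bitwise AND. The following is an added example, not Policy Server code; the type and function names are assumptions. It models the text's own case: a policy restricted to 9 AM to 5 PM combined with a rule restricted to Monday through Friday, and it evaluates the result against a clock value the way the Policy Server host's system clock would supply it.

```c
/* Added example (not Policy Server code): a 7 x 24 hour grid modelling the
 * time restriction check boxes and the intersection of two restrictions.
 * All names are assumptions for illustration. */
#include <stdint.h>
#include <time.h>

/* One 24-bit mask per weekday (0 = Sunday ... 6 = Saturday); bit h = hour h. */
struct time_restriction {
    uint32_t hours[7];
};

/* Nothing selected: the policy never fires until hours are added. */
struct time_restriction tr_none(void)
{
    struct time_restriction t = { { 0, 0, 0, 0, 0, 0, 0 } };
    return t;
}

/* Select hours from_hour .. to_hour-1 on weekdays first_day .. last_day,
 * mirroring a block of check boxes.  Returns 0 and changes nothing if the
 * arguments are out of range. */
int tr_select(struct time_restriction *t, int first_day, int last_day,
              int from_hour, int to_hour)
{
    int d, h;
    if (first_day < 0 || last_day > 6 || first_day > last_day ||
        from_hour < 0 || to_hour > 24 || from_hour >= to_hour)
        return 0;
    for (d = first_day; d <= last_day; d++)
        for (h = from_hour; h < to_hour; h++)
            t->hours[d] |= 1u << h;
    return 1;
}

/* A policy restriction combined with a rule restriction: an hour is selected
 * in the result only if it is selected in both. */
struct time_restriction tr_intersect(const struct time_restriction *a,
                                     const struct time_restriction *b)
{
    struct time_restriction out = tr_none();
    int d;
    for (d = 0; d < 7; d++)
        out.hours[d] = a->hours[d] & b->hours[d];
    return out;
}

/* 1 if the policy fires during the given weekday/hour, 0 otherwise. */
int tr_fires(const struct time_restriction *t, int weekday, int hour)
{
    if (weekday < 0 || weekday > 6 || hour < 0 || hour > 23)
        return 0;
    return (int)((t->hours[weekday] >> hour) & 1u);
}

/* Evaluate against a clock reading, interpreted in the local time zone of
 * the host, as the note above says the Policy Server does. */
int tr_fires_at(const struct time_restriction *t, time_t now)
{
    struct tm *local = localtime(&now);
    if (local == NULL)
        return 0;
    return tr_fires(t, local->tm_wday, local->tm_hour);
}

/* The worked case from the text: policy 9 AM to 5 PM every day (the 9 through
 * 16 o'clock boxes), rule Monday through Friday at all hours. */
int example_fires(int weekday, int hour)
{
    struct time_restriction policy = tr_none();
    struct time_restriction rule = tr_none();
    struct time_restriction effective;
    tr_select(&policy, 0, 6, 9, 17);
    tr_select(&rule, 1, 5, 0, 24);
    effective = tr_intersect(&policy, &rule);
    return tr_fires(&effective, weekday, hour);
}
```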
An active policy is used for dynamic authorization based on external business logic. An active policy is included in the authorization decision by having the Policy Server invoke a function in a customer-supplied shared library.
This shared library must conform to the interface specified by the Authorization API, which is available separately with the Software Development Kit.
Note: More information is available in the API Reference Guide for C.
To configure an Active Policy
Active policy settings appear.
The policy is saved.
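An active policy moves the decision out of the policy store and into code: the Policy Server calls a function in a customer-supplied shared library and fires the policy only if that function says so. The following is an added example, not SDK or Policy Server code. The real entry point, argument types and return convention are defined by the Authorization API in the Software Development Kit and the API Reference Guide for C; the `request_context` struct, the `active_policy_decide` name and the business rules here are assumptions so that the decision logic itself can be shown and compiled on its own. The example denies when the context it needs is missing and returns a reason string suitable for the library's own logging.

```c
/* Added example (not SDK code): the decision logic inside a customer-supplied
 * shared library backing an active policy.  The struct, function names and
 * business rules are assumptions; the real interface is the Authorization API. */
#include <stdio.h>
#include <string.h>

/* Assumed subset of what the Policy Server would hand the library. */
struct request_context {
    const char *user_dn;       /* authenticated user's directory entry */
    const char *department;    /* a user directory attribute */
    int         clearance;     /* numeric attribute from the user store */
    const char *resource;      /* protected resource being requested */
};

enum { DECISION_DENY = 0, DECISION_ALLOW = 1 };

/* External business logic: which department and minimum clearance a
 * resource subtree requires.  Constructed sample data. */
struct resource_rule {
    const char *prefix;
    const char *department;
    int         min_clearance;
};

static const struct resource_rule business_rules[] = {
    { "/finance/", "finance", 2 },
    { "/hr/",      "hr",      1 },
};

/* Record the reason (if a buffer was supplied) and return the decision. */
static int finish(int decision, char *reason, size_t reason_len, const char *text)
{
    if (reason != NULL && reason_len > 0)
        snprintf(reason, reason_len, "%s", text);
    return decision;
}

/* Returns DECISION_ALLOW if the policy should fire for this request,
 * DECISION_DENY otherwise.  Missing context is treated as a denial. */
int active_policy_decide(const struct request_context *ctx,
                         char *reason, size_t reason_len)
{
    size_t i;
    if (ctx == NULL || ctx->resource == NULL)
        return finish(DECISION_DENY, reason, reason_len, "missing request context");

    for (i = 0; i < sizeof business_rules / sizeof business_rules[0]; i++) {
        const struct resource_rule *r = &business_rules[i];
        if (strncmp(ctx->resource, r->prefix, strlen(r->prefix)) != 0)
            continue;   /* rule does not cover this resource */
        if (ctx->department == NULL || strcmp(ctx->department, r->department) != 0)
            return finish(DECISION_DENY, reason, reason_len,
                          "department not entitled to resource");
        if (ctx->clearance < r->min_clearance)
            return finish(DECISION_DENY, reason, reason_len,
                          "clearance below required level");
        return finish(DECISION_ALLOW, reason, reason_len, "business rule satisfied");
    }
    /* No business rule covers the resource: the active policy does not object. */
    return finish(DECISION_ALLOW, reason, reason_len, "no business rule for resource");
}

/* Convenience wrapper: build a context with a constructed user DN and decide. */
int decide(const char *department, int clearance, const char *resource)
{
    char reason[64];
    struct request_context ctx = {
        "uid=example,ou=people,o=example",   /* constructed sample DN */
        department, clearance, resource
    };
    return active_policy_decide(&ctx, reason, sizeof reason);
}
```

Because the Policy Server trusts whatever this function returns, the library should be reviewed and versioned like any other authorization code, and its reason strings are worth surfacing in the Policy Server's logs so that denials can be explained after the fact.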
Copyright © 2013 CA.
All rights reserved.