

Advanced Policy Options

There are a number of advanced features you can use when setting up policies in the Administrative UI. These features include restricting a policy to allowable IP addresses, adding time restrictions, and configuring an active policy.

More information:

Enable and Disable Policies

Allowable IP Addresses for Policies

You specify that a policy should only fire for users who access the policy's resources from a specific IP address, host name, subnet, or range of IP addresses.

For example, if you include a rule that allows access to resources in the policy, and then you specify a range of IP addresses, only those users who log in from one of the specified IP addresses will be allowed access to the protected resources. Note that an IP restriction identifies a network location rather than a person: users behind a shared proxy or NAT gateway all present the same source address, so it is a complement to authentication, not a substitute for it.

Specify a Single IP Address

You specify a single IP address to ensure that the policy only fires for users who access the policy’s resources from the specified IP address.

To specify a single IP address

  1. Open the policy.
  2. Click Add in the IP Address group box.

    Settings for IP addresses appear.

  3. Select the Single Host radio button.

    Settings specific to a single host appear.

  4. Enter the IP Address, and click OK.

    The IP address appears in the IP Address group box.

    Note: If you do not know the IP address, but have the domain name for the address, click DNS Lookup. Enter a fully qualified host name to look up the IP address.

  5. Click Submit.

    The policy is saved.

Specify a Host Name

You specify a host name to ensure the policy only fires for users who access the policy’s resources from the specified host.

To specify a host name

  1. Open the policy.
  2. Click Add in the IP Address group box.

    Settings for IP Addresses appear.

  3. Select the Host Name radio button.

    Settings specific to a host name appear.

  4. Enter the host name, and click OK.

    The host name appears in the IP Address group box.

  5. Click Submit.

    The policy is saved.

Add a Subnet Mask

You specify an IP address together with a subnet mask to ensure the policy only fires for users who access the policy’s resources from an address within the subnet that the address and mask define.

To add a subnet mask

  1. Open the policy.
  2. Click Add in the IP Address group box.

    Settings for IP Addresses appear.

  3. Select the Subnet Mask radio button.

    Settings specific to the subnet mask appear.

  4. Enter an IP address in the IP Address field.

    Note: If you do not know the IP address, but have the domain name for the address, click DNS Lookup. Enter a fully qualified host name to look up the IP address.

  5. Enter a subnet mask in the Subnet Mask field.
  6. Click OK.

    The subnet mask appears in the IP Address group box.

  7. Click Submit.

    The policy is saved.

Add a Range of IP Addresses

You specify a range of IP addresses to ensure that the policy only fires for users who access the policy’s resources from one of the IP addresses included in the range of addresses.

To add a range of IP addresses

  1. Open the policy.
  2. Click Add in the IP Address group box.

    Settings for IP addresses appear.

  3. Select the Range radio button.

    Settings specific to a range of IP addresses appear.

  4. Enter a starting IP Address in the From field.

    Note: If you do not know an IP address, but have the domain name for the address, click DNS Lookup. Enter a fully qualified host name to look up the IP address.

  5. Enter an ending IP address in the To field.
  6. Click OK.

    The range of IP addresses appears in the IP Address group box.

  7. Click Submit.

    The policy is saved.
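The four procedures above configure entries of different shapes (a single address, a host name, an address plus subnet mask, and an address range) that all end up in the same IP Address group box. The following is an added example, not SiteMinder code, that evaluates a client address against such a set of entries so the semantics of each kind can be checked before a policy is put into production. The entry names, the assumption that a client needs to match only one entry, and the FAKE_DNS table standing in for the UI's DNS Lookup are all illustrative choices, not behaviour documented on this page.

```python
"""Evaluate a client IP against single-host, host-name, subnet-mask and range entries.

Added example (not SiteMinder code). Entry kinds mirror the UI options; the
matching logic, names and the OR-of-entries rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for the UI's DNS Lookup so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "jump.corp.example": "10.20.30.40",
    "vpn-gw.corp.example": "192.0.2.10",
}


def dns_lookup(fqdn: str) -> Optional[str]:
    """Forward-resolve a fully qualified host name (assumed resolver)."""
    return FAKE_DNS.get(fqdn.lower().rstrip("."))


@dataclass(frozen=True)
class IpEntry:
    kind: str    # "single" | "host" | "subnet" | "range"
    value: str   # single: addr; host: fqdn; subnet: "addr/mask"; range: "from - to"


def parse_entry(entry: IpEntry):
    """Turn one IP Address group box entry into an object we can test membership against."""
    if entry.kind == "single":
        return ipaddress.ip_address(entry.value)
    if entry.kind == "host":
        addr = dns_lookup(entry.value)
        if addr is None:
            raise ValueError(f"cannot resolve host name {entry.value!r}")
        return ipaddress.ip_address(addr)
    if entry.kind == "subnet":
        addr, mask = entry.value.split("/", 1)
        # strict=False accepts a host address plus mask (172.16.5.77/255.255.255.0)
        # and normalises it to the network it belongs to (172.16.5.0/24).
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if entry.kind == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {entry.value!r}")
        return (lo, hi)
    raise ValueError(f"unknown entry kind {entry.kind!r}")


def entry_matches(parsed, client: IPAddr) -> bool:
    """Membership test; mixed IPv4/IPv6 never matches rather than raising."""
    if isinstance(parsed, tuple):
        lo, hi = parsed
        return lo.version == client.version and lo <= client <= hi
    if isinstance(parsed, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return client.version == parsed.version and client in parsed
    return client == parsed


def policy_fires_for(client_ip: str, entries: List[IpEntry]) -> bool:
    """No entries: the policy applies to everyone. Otherwise the client must
    match at least one entry (assumption: entries are OR'ed)."""
    if not entries:
        return True
    client = ipaddress.ip_address(client_ip)
    return any(entry_matches(parse_entry(e), client) for e in entries)


# Constructed restriction set resembling the contents of an IP Address group box.
ENTRIES = [
    IpEntry("single", "203.0.113.7"),
    IpEntry("host", "jump.corp.example"),             # resolves to 10.20.30.40
    IpEntry("subnet", "172.16.5.77/255.255.255.0"),   # normalised to 172.16.5.0/24
    IpEntry("range", "192.0.2.100 - 192.0.2.120"),
]

if __name__ == "__main__":
    for ip in ["203.0.113.7", "10.20.30.40", "172.16.5.1", "172.16.6.1",
               "192.0.2.120", "192.0.2.121"]:
        verdict = "matched" if policy_fires_for(ip, ENTRIES) else "not matched"
        print(f"{ip:>14} -> {verdict}")
```

The subnet case is the one most often misconfigured: entering a host address with a mask is accepted, but it is the whole network (here 172.16.5.0/24) that is allowed, not just that host. Running the evaluator against a few representative client addresses, as above, makes that visible before the policy is submitted.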

Time Restrictions for Policies

The Administrative UI lets you add time restrictions to a policy. When you add a time restriction, the policy only fires during the period specified by the time restriction. If a user attempts to access a resource outside of the period specified by the time restriction, the policy does not fire.

For example, suppose you create a time restriction for a policy that secures access to a resource, and specify that the policy will only fire from 9 AM to 5 PM, Monday through Friday. A user is then authenticated and authorized only during the times indicated in the time restriction, and the resources protected by the policy are not available outside those times.

Note: Time restrictions are based on the system clock of the server on which the Policy Server is installed.

How Rule and Policy Time Restrictions Interact

If you specify a time restriction for a policy, and that policy contains a rule with a time restriction, the policy fires only during the times that fall within the intersection of the two restrictions.

For example, if a policy has a time restriction of 9AM to 5PM, and a rule has a time restriction of Monday through Friday, then the policy only fires between 9AM and 5PM, Monday through Friday.

Add Time Restrictions to a Policy

You add time restrictions to a policy to ensure that the policy only fires at specific times.

To add a time restriction to a policy

  1. Open the policy.
  2. Click Set in the Time group box.

    The Time Restrictions pane appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Specify starting and expiration dates.
  4. Specify time restrictions in the Hourly Restrictions table.

    Note: Each check box represents one hour of one day of the week. When a check box is selected, the policy fires during that hour and applies to the specified resources. When a check box is cleared, the policy does not fire during that hour and does not apply to the specified resources.

  5. Click OK.

    The time restrictions are saved.
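The following is an added example, not SiteMinder code, that models the Time Restrictions pane described above (a starting date, an expiration date and a 7x24 grid of hourly check boxes) and works through the policy/rule intersection from the earlier example: a policy limited to 9 AM to 5 PM combined with a rule limited to Monday through Friday. The data representation, the inclusive treatment of the expiration date, and the dates used are assumptions made for the illustration; the page does not state how the Policy Server stores these settings.

```python
"""Evaluate policy and rule time restrictions and their intersection.

Added example (not SiteMinder code). A restriction is an optional start date,
an optional expiration date and a set of checked (weekday, hour) boxes; this
representation and the inclusive expiration date are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional, Set, Tuple

Hour = Tuple[int, int]   # (weekday 0=Monday .. 6=Sunday, hour 0..23)


def hours(days: range, start_hour: int, end_hour: int) -> Set[Hour]:
    """Checked boxes for the given weekdays and hours start_hour..end_hour-1 (9, 17 = 9 AM to 5 PM)."""
    return {(d, h) for d in days for h in range(start_hour, end_hour)}


ALL_HOURS = hours(range(7), 0, 24)   # every box checked: no hourly restriction


@dataclass
class TimeRestriction:
    checked: Set[Hour] = field(default_factory=lambda: set(ALL_HOURS))
    starts: Optional[date] = None    # not in effect before this date
    expires: Optional[date] = None   # nor after it (inclusive, an assumption)

    def fires_at(self, when: datetime) -> bool:
        """`when` is taken from the Policy Server's own clock in the real product."""
        if self.starts and when.date() < self.starts:
            return False
        if self.expires and when.date() > self.expires:
            return False
        return (when.weekday(), when.hour) in self.checked

    def intersect(self, other: "TimeRestriction") -> "TimeRestriction":
        """Policy and rule restrictions combine as the intersection of both."""
        starts = max(filter(None, [self.starts, other.starts]), default=None)
        expires = min(filter(None, [self.expires, other.expires]), default=None)
        return TimeRestriction(self.checked & other.checked, starts, expires)


def effective_restriction(policy: TimeRestriction,
                          rules: List[TimeRestriction]) -> TimeRestriction:
    """Narrow the policy restriction by every rule restriction it contains."""
    eff = policy
    for r in rules:
        eff = eff.intersect(r)
    return eff


# The document's example: policy 9 AM to 5 PM on every day, rule Monday to Friday
# at all hours. The start and expiration dates are constructed for illustration.
POLICY = TimeRestriction(hours(range(7), 9, 17), starts=date(2024, 1, 1))
RULE = TimeRestriction(hours(range(0, 5), 0, 24), expires=date(2024, 12, 31))
EFFECTIVE = effective_restriction(POLICY, [RULE])


def access_allowed(when: datetime) -> bool:
    return EFFECTIVE.fires_at(when)


if __name__ == "__main__":
    for when in [datetime(2024, 6, 3, 10, 0),    # Monday 10:00, within both
                 datetime(2024, 6, 3, 17, 0),    # Monday 17:00, the 5 PM box is not checked
                 datetime(2024, 6, 8, 10, 0),    # Saturday, excluded by the rule
                 datetime(2023, 6, 5, 10, 0)]:   # before the policy's start date
        print(when.strftime("%a %Y-%m-%d %H:%M"), "->",
              "allowed" if access_allowed(when) else "denied")
```

Two points the grid makes concrete: the 5 PM hour itself is not part of a 9 AM to 5 PM restriction (box 17 is clear, so the last allowed minute is 16:59), and the effective window after intersection is 5 days x 8 hours, or 40 checked boxes, regardless of which of the two restrictions contributed the days and which the hours.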

Configure an Active Policy

An active policy is used for dynamic authorization based on external business logic. An active policy is included in the authorization decision by having the Policy Server invoke a function in a customer-supplied shared library.

This shared library must conform to the interface specified by the Authorization API, which is available separately with the Software Development Kit.

Note: For more information, see the API Reference Guide for C.

To configure an Active Policy

  1. Open the policy.
  2. Select the Edit Active Policy check box in the Advanced Group box.

    Active policy settings appear.

  3. Enter the name of the shared library in the Library Name field.
  4. Enter the name of the function in the shared library that is to implement the active policy.
  5. Click Submit.

    The policy is saved.