Previous Topic: Define the Security Policy for a Web Application in an Application ObjectNext Topic: Domains


Use Cases for Defining Application Security Policies Using Application Objects

Learn how to define application security policies using application objects by reviewing the following use cases:

Application Security Policy to Protect a Web Portal

In this use case, a software company, sample-software-company.com, has a web portal that provides information about the company and its products to the public.

Anyone can access the main home page and product information pages, such as promotional materials and white papers without restrictions. This area of the web portal does not require any security policy. Access to the software downloads area; however, is restricted to registered customers. Each customer is assigned a user name and password which is stored in an LDAP directory server.

The following use case shows how an application security policy protects the restricted software downloads area so that only registered customers have access.

Given:

Solution:

To solve this use case, use the following process:

  1. Identify the web portal that needs protecting and select the directory containing the customer information.
  2. Create separate resources for the software download area of the portal.
  3. Create a registered customers role.
  4. Associate the resources with the registered customers role to create an application security policy.
Identify the Web Portal and Select the User Directory

An application security policy for a web portal must specify the top-level location of the resources that you want to protect, and a directory of users who are authorized to use the resources.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To identify the web portal and select the directory server

  1. Click Policies, Application.
  2. Click Applications.

    The Applications page appears.

  3. Click Create Application.

    The Create Application page appears.

  4. Enter the name and description of the application. Provide distinctive values that help you remember its purpose or function, as shown in the following examples:

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

    Name

    Sample Software Company Portal

    Description

    Allows access to all parts of the portal except the downloads area.

  5. In Components, provide a name for the component and specify the directory that contains the resources you want to protect. For this web portal use case, use the following example:
    Component Name

    Downloads

    Agent Type

    Web Agent

    Agent

    PortalAgent

    Resource Filter

    /downloads

    Note: A subcomponent can be created only after you save the main component.

  6. Accept the defaults for the remaining settings.
  7. In User Directories, click Add/Remove.

    The Choose User Directories page appears.

  8. Select the directory that contains the relevant users then click the right arrow to move the directory from the Available members column to the Selected Members column.
  9. Click OK.

    You return to the General tab.

  10. Click Submit.

    The web portal application is identified and the directory selected.

Create the Web Portal Resources

After the location of the resources and the user directory have been specified, the individual resources in the subdirectories of the web portal that you want to protect must be specified.

To create the web portal resources

  1. Click the Resources tab.

    A list of resources appears.

  2. Click Create.

    The Create Application Resource pane opens.

  3. Enter values for the fields in the General group box. Select distinctive values that help you remember its purpose or function, as shown in the following examples:
    Name

    Downloads Area

    Description

    Software downloads restricted to registered customers

    Resource

    *

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Verify that the Effective Resource matches what you want to protect. For this use case, the effective resource is:
    Effective Resource

    /downloads/*

    This string specifies that all resources in the downloads directory are protected.

  5. Verify that the Web Agent actions radio button in the action group box is selected, and then click the following items in the Action list:
  6. Click OK.

    The web portal resource is created and appears in the resources list.

Create the Web Portal Roles

After the web portal resources have been specified, create a role for the registered customers of the web portal. A role associates resources with groups of users.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create web portal roles

  1. Click the Roles tab.
  2. Click Create Role.
  3. Verify that the Create a new object of type Role button is selected, and then click OK.

    The Create Role pane opens.

  4. Enter values for the fields in the General group box. Choose distinctive values that help you remember its purpose or function, as shown in the following examples:
    Name

    Registered Customers

    Description

    Registered customers permitted to access software downloads.

    Role applies to

    All Users

    Note: The Users Setup and Advanced group boxes do not apply when this option is set and are no longer displayed.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Click OK.

    The registered customers role is created.

Create the Web Portal Policy

After the resources and roles have been created, you must associate the resources of the web portal you want to protect with the roles of the users who will access the resources in the web portal. This creates the policies that protect your applications.

To create the policy to protect the web portal

  1. Click the Policies tab.
  2. Select the Registered Customers role in the Software Downloads row.

    By selecting this role, you indicate that only registered customers have access to the software downloads area of the web portal.

  3. Click Submit.

    A confirmation screen appears. The application security policy for the web portal is created.

Displaying the List of Resources

You can sort how list of resources is displayed by clicking one of the following radio buttons:

Name

Sorts resources according to the name you provided when you specified the resource.

Example: Software Downloads

Filter

Sorts resources according to the actual resource that is being protected.

Example: * (asterisk indicates all resources)

Application Security Policies Based on Roles

In this use case, a financial services company, acme-financial.com, has an internal human resources application that handles benefits and performance management. All employees should have access to the benefits portion of the application while only managers should be permitted access to the performance management portion.

The following procedures detail how you can use the EPM model together with application roles to create a security policy for the human resources application.

Given:

Solution for application security based on roles:

To solve this use case, you complete the following steps:

  1. Create an application.
  2. Select the user directory where you locate the users that meet the role criteria.
  3. Specify the resources that are the sub-components of the main application.
  4. Define the two roles that should have access to the application.
  5. Combine the resources and roles into an application policy.
Identify the Application that Needs Protecting

In this use case, you need to establish different access privileges for different parts of the human resources application. To do this, you must identify the directories underneath the main application and configure the appropriate access.

To protect the example human resources application

  1. Click Policies, Application.
  2. Click Applications.

    The Applications page appears.

  3. Click Create Application.

    The Create Application page appears.

  4. Click the General tab.
  5. Enter values for the following fields in General. For this use case, the following data is specified:
    Name

    HR Application

    Description

    Identifies the internal human resources application

  6. Enter values for the following fields in Components. For this use case, the following data is specified:
    Component Name

    Benefits

    Agent Type

    Web Agent

    Agent

    hrportal agent

    Resource Filter

    /benefits

    Default Resource Protection

    Protected

    Authentication Scheme

    Basic

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

    Note: A subcomponent can be created only after you save the main component.

  7. Specify the user directory associated with the resources being protected. This directory is where CA SiteMinder® will locate users who meet the role criteria.
    1. Click Add/Remove.
    2. Select Employees from the Available Members box and click the right arrow to place this group in the Selected Members box.
    3. Click OK.

The human resources application is now identified.

Designate the Application Resources

After specifying the sub-areas of the main application that you want to protect, you can then designate the specific resources within that subdirectory that you want to protect with an application policy.

For this use case, there are two resources to protect:

To specify the specific resources or functions of the main application

  1. Click the Resources tab.
  2. Click Create.

    The Resource pane opens.

  3. Enter values for the fields in the General group box. For this use case, enter the following:
    Name

    Benefits Management

    Description

    Lets employees manage their benefits

  4. Enter values for the fields in the Attributes group box. For this use case, enter the following:
    Resource

    managebenefits.jsp

  5. Repeat steps 2–4, but enter the following information:
    Name

    Performance Appraisals

    Description

    Lets a manager write an appraisal report and salary review for an employee

    Resource

    salaryincrease.jsp

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

The resources associated with the performance management application are now defined.

Create an Employee Role

After defining the specific components of an application that require protection, you specify roles that define the set of users who have access to a particular resource. Create a role for all employees.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create a role

  1. Click the Roles tab.
  2. Click Create Role.

    The Create Role pane appears.

  3. Verify that the Create option is selected, and click OK.
  4. Enter values for the fields in the General group box. For this use case, enter the following:
    Name

    Employees

    Description

    All employees of Acme Financial Services

    Role applies to

    All Users

    Note: The Users Setup and Advanced group boxes do not apply when this option is set and are no longer displayed.

  5. Click OK.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Create a Manager Role

After defining the specific components of an application that require protection, specify roles that define the set of users who have access to a particular resource. Create a role for managers.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create a role

  1. Click the Roles tab.
  2. Click Create.

    The Create Role pane appears.

  3. Verify that the Create option is selected, and click OK.
  4. Enter values for the fields in the General group box. For this use case, enter the following:
    Name

    Managers

    Description

    Managers at Acme Financial Services

    Role applies to

    Selected Users

  5. Verify that the Role Applies to Selected Users option is selected and that the Users Setup and Advanced group boxes are visible.
  6. Define the set of users in the Managers role by making selections in the Users Setup group box. For this use case, select the following entry in the Member Groups table:
    cn=managers,ou=Groups,o=acme-financial.com
    

    This entry specifies the managers group in the corporate user directory.

  7. Click OK.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Use a Response to Supply Data to the Application

To make the human resources application more user friendly for employees of Acme Financial Services, you can configure a response that provides the employees ID on their benefit records.

To create a response that provides the employee ID:

  1. Click Response the Applications dialog.
  2. Click Create Response.

    The Create Response dialog opens.

  3. Complete the field as follows:
    Name

    Employee ID

    Description

    Lists the employee ID.

  4. Click Create Response Attribute.

    The Create Response Attribute dialog opens.

  5. Complete the fields as follows:
    Attribute

    WebAgent-HTTP-Header-Variable

    Attribute Kind

    User Attribute

    Attribute Fields—Variable Name

    Personnel_Key

    Attribute Fields—Variable Value

    EmployeeID

    Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.

  6. Keep the defaults for all the other fields.
  7. Click OK until you return to the main Response tab.

The response named Employee ID has been created. When an employee views her benefits information, the data from this response is returned to the human resources application and her customer ID will be displayed in the benefits record.

Establish a Policy Based on Roles

After you have defined the resources and roles, you can group these objects into application security policies.

To create the application security policies

  1. Click the Policies tab.

    The Policies pane opens and displays a table listing the configured resources and roles. This table lets you quickly see which roles can be granted access to which resources.

  2. Do the following:
    1. Check the Employees role in the Benefits Management row to create a policy that allows all employees to manage their benefits.
    2. Check the Managers role in the Performance Appraisals row to create a policy that allows only managers to access the performance appraisals.
  3. Click Submit.

You have created two security policies for the human resources application based on roles.

Note: If you need to edit resources or roles, you must make the changes on the respective tabs and not on the Policies pane.

Include Metadata that Describes the Application

Acme-financial.com wants to ensure that there is some descriptive information about the internal human resources application. Custom attributes can be used to define metadata that describes the application.

The information that Acme-financial wants for the purpose of the application and the date the application was completed.

Follow these steps:

  1. Click the Custom Attributes tab.

    The Custom Attributes dialog opens.

  2. Click Create.

    A table appears with Name and Value fields.

  3. Enter values for the fields in the custom attributes table. For this use case, enter the following:
    Name

    App_Completed

    Value

    November_22_2007

  4. Click Create to add another row to the table then enter the following:
    Name

    Purpose

    Value

    Human_Resource_Mgmt

  5. Click Submit.
Application Security Policies with User Mapping and Named Expressions

In this use case, a retail clothing company wants to define a role preventing customers from making web-based credit purchases if they have exceeded their credit limit. The company policy dictates that customers have a $1,000 credit limit, while company employees have a $2,000 credit limit.

You can create an application security policy using attribute mapping, named expressions (virtual user attributes and user classes) and roles to satisfy the corporate credit policy.

Given:

Solution:

  1. Define an attribute mapping.
  2. Establish a named expression.
  3. Use the attribute mapping in an advanced expression to establish roles.
  4. Create a response to customize the application further.
  5. Create an application security policy.

More information:

Named Expressions

Establish Mappings for the Two User Directories

The retail company maintains two directories. To create a universal schema that identifies customers in both user directories use attribute mappings, which you create in the Administrative UI.

To create attribute mappings for this use case

  1. Create a group membership attribute for Directory A:
  2. Create a constant attribute for Directory B:

IsCustomer results in a common view of the same user information. You can reference IsCustomer in an expression to determine whether a user is a customer.

Review the section Define Attribute Mappings for detailed procedures on how to configure attribute mappings.

Define Named Expressions to Check the Credit Limit

Named expressions enable CA SiteMinder® to calculate each users credit limit and account balances. An expression can also determine if customers are over their credit limit.

To define named expressions for this use case

  1. Define a virtual user attribute that calculates a $1,000 dollar credit limit for customers and a $2,000 credit limit for employees:
  2. Define a virtual user attribute that retrieves account balances from the accounting database:
  3. Create a user class expression that determines if customers are over their credit limit:

Read Define Named Expressions for details on creating virtual user attributes and user class expressions.

Protect the Online Shopping Application

In this use case, you want to establish access privileges with specific conditions for the store's Web-based shopping application.

To protect the web-based shopping application

  1. Click Policies, Application.
  2. Click Applications.

    The Applications page appears.

  3. Click Create Application.

    The Create Application page appears.

  4. Click the General tab.
  5. Enter values for the following fields. For this use case, the following data is specified:
    Name

    Online Catalog

    Description

    Identifies the clothing stores Web-based shopping application

  6. Enter values for the following fields in Components. For this use case, the following data is specified:
    Component Name

    Catalog

    Agent Type

    Web Agent

    Agent

    Web Retail Agent

    Resource Filter

    /webcatalog

    Default Resource Protection

    Protected

    Authentication Scheme

    Basic

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

    Note: A subcomponent can be created only after you save the main component.

  7. Specify the user directory associated with the resources being protected. This directory is where CA SiteMinder® will locate users who meet the role criteria.
    1. Click Add/Remove.
    2. Select IsCustomer from the Available Members box and click the right arrow to place this group in the Selected Members box.

      IsCustomers maps to the users in both directories associated with the clothing store.

    3. Click Submit.

You have now created an application called Online Catalog.

Designate the Resource Requiring Protection

For this use case, you want to protect the checkout process so that users who exceed their credit limit cannot complete the transaction. Therefore, you need to add a resource to the Online Catalog application you just created.

To protect the specific resource of the web-based shopping application

  1. Click Policies, Application.
  2. Click Applications.

    The Applications page appears.

  3. Specify search criteria and click Search.

    The Applications matching the criteria appear.

  4. Click the name of the application you want to modify. For this use case, click Online Catalog.

    The View Application page appears.

  5. Scroll down the page and click Modify.

    The settings and controls become active.

  6. Select the Resources tab.
  7. Click Create.

    The Create Resource page appears.

  8. Enter values for the following fields. For this use case, enter the following:
    Name

    Checkout

    Description

    Lets you total your purchases and pay for them.

  9. Enter values for the following fields in Attributes. For this use case, enter the following:
    Resource

    total_charges.jsp

  10. Select Web Agent actions in Action and select the actions Get and Post.
  11. Click OK.

You have created a resource called Checkout.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Configure the Customer Role

After the web portal resource is defined, create an application role that lets customers make web-based purchases as long as they have not exceeded their credit limit.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create this credit-based role

  1. Click the Roles tab.
  2. Click Create Role.

    The Create Role dialog appears.

  3. Verify that the Create option is selected, and click OK.

    The Create Role dialog opens.

  4. Enter values for the fields in the General group box. For this use case, enter the following:
    Name

    PurchasewithCredit

    Description

    Indicates that the customer uses credit to pay for their purchases.

    Role applies to

    Selected users

  5. Enter an expression in the Advanced Expression group box. For this use case, enter the following:
    User Expression

    @IsUnderCreditLimit

    The role expression is the product of the two virtual user attribute expressions #Balance and #CreditLimit, which calculate whether the user has exceeded their credit limit.

  6. Click OK.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

You have created a role named PurchasewithCredit, whose value is the combination of two named expressions.

Customize the Application with a Response

To provide a more personalized experience for the customer, the retail clothing company can configure a response that lets customers who are over their credit limit apply for increased credit. If a customer has exceeded their credit limit, this response will redirect them to a credit application where they can apply for a higher credit limit.

To create a response

  1. Click on the Response tab.
  2. Click Create Response.

    The Create Response dialog opens.

  3. Complete the field as follows:
    Name

    CreditNotice

    Description

    Alerts users they have exceeded credit limit.

  4. Click Create Response Attribute.

    The Create Response Attribute dialog opens.

  5. Complete the fields and settings as follows:
    Attribute

    WebAgent-OnReject-Redirect

    Attribute Kind

    Static

    Attribute Fields—Variable Value

    http://catalog.retailcorp.com/credit_notice.jsp

    Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.

  6. Keep the defaults for all the other fields.
  7. Click OK.

The response named CreditNotice has been created and will be sent to customers who exceed their credit limit.

Configure the Security Policy for the Shopping Application

After you have defined the resource, role, and response, configure the policy that secures the Web-based shopping application.

Follow these steps:

  1. Click the Policies tab.

    The Policies dialog opens and displays a table listing the Checkout resource and the PurchaseWithCredit role displayed.

  2. Select the PurchaseWithCredit role for the Checkout resource.

    This pairing establishes a policy that lets all customers make a purchase with the store's credit card, if they have not exceeded their credit limit. Additionally, by checking the role the Responses grid becomes populated.

  3. Select the CreditNotice response for the Checkout resource.

You now have a security policies for the online catalog application based on roles that define a spending limit. Additionally, a response is associated with the policy and will be sent to those customers who continue to make purchases after exceeding their limit.

Provide Metadata to Describe the Application

The retail clothing company wants to ensure that there is some descriptive information about the online catalog application. Custom attributes can be used to provide metadata that describes the application.

The retail clothing company wants to note that the application is only for the online catalog and the email address of the administrator of this application.

To specify metadata for the online catalog application:

  1. Click the Custom Attributes tab.

    The Custom Attributes dialog opens.

  2. Click Create.

    A table appears with Name and Value fields.

  3. Enter values for the fields in the custom attributes table. For this use case, enter the following:
    Name

    App_Function

    Value

    online_retail

  4. Click Create to add another row to the table then enter the following:
    Name

    Admin_email

    Value

    jdoe@retailcorp.com

  5. Click Submit.

You have completed all the available tasks related to creating an application security policy.

Application Security Policy Based on CA DataMinder Content Classifications

In this use case, a financial services company, Forward Inc., has deployed Microsoft SharePoint. The company wants to:

Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.

The following details how to configure an application with CA DataMinder content classifications to create a security policy that protects employee compensation information.

Given:

Solution:

  1. Protect the shared documents directory.
  2. Protect all document resources.
  3. Create the human resources role.
  4. Establish a policy that is based on the human resources role.
Protect the Shared Documents Directory

For this use case, the highest point in the SharePoint environment that you want to protect is the shared documents directory. You leave the SharePoint site (usecase.forwardinc.com/SitePages/Home.aspx) unprotected to be sure that all employees have access.

Follow these steps:

  1. Click Policies, Application.
  2. Click Applications.
  3. Click Create Application.
  4. Select the Use DLP Server option.
  5. Enter the required values for the General section. For this use case, the following data is specified:
    Name

    SharePoint Site

  6. Enter the required values in the Component section. For this use case, the following data is specified:
    Component Name

    Shared Documents

    Agent

    SharePoint

    Resource Filter

    /usecase.forwardinc.com/Shared Documents

  7. In the User Directories section, click Add/Remove to list all user directories available to the application policy.
  8. Select a user directory and click OK. For this use case, the following user directory is specified:

    ForwardLDAP

  9. In the DLP Classifications section, remove any content classifications that you do not want to add to the component. For this use case, do not remove any classifications.
  10. Click Submit to save the application.
Protect All Document Resources

For this use case, you want to protect all documents in the Shared Documents directory. You protect all document resources by adding a resource to the application.

Follow these steps:

  1. Click Policies, Application.
  2. Click Applications.
  3. Specify search criteria and click Search.
  4. Identify the application you want to modify and click the modify icon. For this use case, modify the following application:

    SharePoint Site.

  5. Select the Resources tab and click Create.
  6. Enter values for the following fields. For this use case, enter the following:
    Name

    All Documents

    Resource

    /*

  7. Select the type of event and action that must take place for the rule to fire. For this use case, select the following:
  8. Click OK to save the resource.
  9. Click Submit to add the resource to the component.
Create the Human Resources Role

For this use case, you want to create a role that that only lets human resources employees access to documents that contain compensation information.

Follow these steps:

  1. Click Policies, Application.
  2. Click Applications.
  3. Specify search criteria and click Search.
  4. Identify the application you want to modify and click the modify icon. For this use case, modify the following application:

    SharePoint Site.

  5. Select the Roles tab and click Create Role.
  6. Select the following option:

    Create a new object of type role

  7. Click OK.
  8. Enter values in the General section. For this use case, enter the following:
    Name

    Human Resources

    Description

    A role that has access documents that contain employee compensation information.

  9. Specify if the role is to apply to all or specific users in the available directories. For this use case, select the following option:

    Selected Users

  10. Define the role members in the Users Setup section. For this use case, select the following organization in the Member Groups section:

    cn=human resources,o=forwardinc.com

  11. Add content classifications to the role in the DLP Classifications section. For this use case, select the following:
  12. Click OK to save the role.
  13. Click Submit to add the role to the application.
Establish a Policy Based on the Human Resource Role

For this use case, you want to create a policy that protects documents that contain employee compensation information.

Follow these steps:

  1. Click Policies, Application.
  2. Click Applications.
  3. Specify search criteria and click Search.
  4. Identify the application that you want to modify and click the modify icon. For this use case, modify the following application:

    SharePoint Site.

  5. Select the Policies tab.
  6. Select the Human Resources role for the All Documents resource.
  7. Click Submit.

    A policy that only lets human resources employees access SharePoint documents that contain employee compensation information is created.