Policy Server Guides › Policy Server Configuration Guide › Define the Security Policy for a Web Application in an Application Object › Use Cases for Defining Application Security Policies Using Application Objects

Use Cases for Defining Application Security Policies Using Application Objects

Learn how to define application security policies using application objects by reviewing the following use cases:

• Application Security Policy to Protect a Web Portal
• Application Security Policies Based on Roles
• Application Security Policies with User Mapping and Named Expressions
• Application Security Policy Based on CA DataMinder Content Classifications

Application Security Policy to Protect a Web Portal

In this use case, a software company, sample-software-company.com, has a web portal that provides information about the company and its products to the public.

Anyone can access the main home page and product information pages, such as promotional materials and white papers without restrictions. This area of the web portal does not require any security policy. Access to the software downloads area; however, is restricted to registered customers. Each customer is assigned a user name and password which is stored in an LDAP directory server.

The following use case shows how an application security policy protects the restricted software downloads area so that only registered customers have access.

Given:

• The CA SiteMinder® environment contains a single LDAP directory server that stores the user names and passwords for all of the registered customers.
• Customers must authenticate with a user name and password before they can access the software downloads area.

Solution:

To solve this use case, use the following process:

1. Identify the web portal that needs protecting and select the directory containing the customer information.
2. Create separate resources for the software download area of the portal.
3. Create a registered customers role.
4. Associate the resources with the registered customers role to create an application security policy.

Identify the Web Portal and Select the User Directory

An application security policy for a web portal must specify the top-level location of the resources that you want to protect, and a directory of users who are authorized to use the resources.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To identify the web portal and select the directory server

1. Click Policies, Application.
2. Click Applications.

   The Applications page appears.

3. Click Create Application.

   The Create Application page appears.

4. Enter the name and description of the application. Provide distinctive values that help you remember its purpose or function, as shown in the following examples:

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Name

   Sample Software Company Portal

   Description

   Allows access to all parts of the portal except the downloads area.

5. In Components, provide a name for the component and specify the directory that contains the resources you want to protect. For this web portal use case, use the following example:

   Component Name

   Downloads

   Agent Type

   Web Agent

   Agent

   PortalAgent

   Resource Filter

   /downloads

   Note: A subcomponent can be created only after you save the main component.

6. Accept the defaults for the remaining settings.
7. In User Directories, click Add/Remove.

   The Choose User Directories page appears.

8. Select the directory that contains the relevant users then click the right arrow to move the directory from the Available members column to the Selected Members column.
9. Click OK.

   You return to the General tab.

10. Click Submit.

    The web portal application is identified and the directory selected.

Create the Web Portal Resources

After the location of the resources and the user directory have been specified, the individual resources in the subdirectories of the web portal that you want to protect must be specified.

To create the web portal resources

1. Click the Resources tab.

   A list of resources appears.

2. Click Create.

   The Create Application Resource pane opens.

3. Enter values for the fields in the General group box. Select distinctive values that help you remember its purpose or function, as shown in the following examples:

   Name

   Downloads Area

   Description

   Software downloads restricted to registered customers

   Resource

   *

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

4. Verify that the Effective Resource matches what you want to protect. For this use case, the effective resource is:

   Effective Resource

   /downloads/*

   This string specifies that all resources in the downloads directory are protected.

5. Verify that the Web Agent actions radio button in the action group box is selected, and then click the following items in the Action list:
   • Get
   • Post
6. Click OK.

   The web portal resource is created and appears in the resources list.

Create the Web Portal Roles

After the web portal resources have been specified, create a role for the registered customers of the web portal. A role associates resources with groups of users.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create web portal roles

1. Click the Roles tab.
2. Click Create Role.
3. Verify that the Create a new object of type Role button is selected, and then click OK.

   The Create Role pane opens.

4. Enter values for the fields in the General group box. Choose distinctive values that help you remember its purpose or function, as shown in the following examples:

   Name

   Registered Customers

   Description

   Registered customers permitted to access software downloads.

   Role applies to

   All Users

   Note: The Users Setup and Advanced group boxes do not apply when this option is set and are no longer displayed.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

5. Click OK.

   The registered customers role is created.

Create the Web Portal Policy

After the resources and roles have been created, you must associate the resources of the web portal you want to protect with the roles of the users who will access the resources in the web portal. This creates the policies that protect your applications.

To create the policy to protect the web portal

1. Click the Policies tab.
2. Select the Registered Customers role in the Software Downloads row.

   By selecting this role, you indicate that only registered customers have access to the software downloads area of the web portal.

3. Click Submit.

   A confirmation screen appears. The application security policy for the web portal is created.

Displaying the List of Resources

You can sort how list of resources is displayed by clicking one of the following radio buttons:

Name

Sorts resources according to the name you provided when you specified the resource.

Example: Software Downloads

Filter

Sorts resources according to the actual resource that is being protected.

Example: * (asterisk indicates all resources)

Application Security Policies Based on Roles

In this use case, a financial services company, acme-financial.com, has an internal human resources application that handles benefits and performance management. All employees should have access to the benefits portion of the application while only managers should be permitted access to the performance management portion.

The following procedures detail how you can use the EPM model together with application roles to create a security policy for the human resources application.

Given:

• The CA SiteMinder® environment contains one user LDAP directory, called AcmeLDAP.
• The user directory identifies all employees and employees who are managers. They are defined in the directory as follows:
  • group:cn=employees,ou=Groups,o=acme-financial.com
  • group:cn=managers,ou=Groups,o=acme-financial.com
• Employees, including managers, must authenticate with the Basic authentication scheme

Solution for application security based on roles:

To solve this use case, you complete the following steps:

1. Create an application.
2. Select the user directory where you locate the users that meet the role criteria.
3. Specify the resources that are the sub-components of the main application.
4. Define the two roles that should have access to the application.
5. Combine the resources and roles into an application policy.

Identify the Application that Needs Protecting

In this use case, you need to establish different access privileges for different parts of the human resources application. To do this, you must identify the directories underneath the main application and configure the appropriate access.

To protect the example human resources application

1. Click Policies, Application.
2. Click Applications.

   The Applications page appears.

3. Click Create Application.

   The Create Application page appears.

4. Click the General tab.
5. Enter values for the following fields in General. For this use case, the following data is specified:

   Name

   HR Application

   Description

   Identifies the internal human resources application

6. Enter values for the following fields in Components. For this use case, the following data is specified:

   Component Name

   Benefits

   Agent Type

   Web Agent

   Agent

   hrportal agent

   Resource Filter

   /benefits

   Default Resource Protection

   Protected

   Authentication Scheme

   Basic

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Note: A subcomponent can be created only after you save the main component.

7. Specify the user directory associated with the resources being protected. This directory is where CA SiteMinder® will locate users who meet the role criteria.
   1. Click Add/Remove.
   2. Select Employees from the Available Members box and click the right arrow to place this group in the Selected Members box.
   3. Click OK.

The human resources application is now identified.

Designate the Application Resources

After specifying the sub-areas of the main application that you want to protect, you can then designate the specific resources within that subdirectory that you want to protect with an application policy.

For this use case, there are two resources to protect:

• benefits management
• performance appraisals

To specify the specific resources or functions of the main application

1. Click the Resources tab.
2. Click Create.

   The Resource pane opens.

3. Enter values for the fields in the General group box. For this use case, enter the following:

   Name

   Benefits Management

   Description

   Lets employees manage their benefits

4. Enter values for the fields in the Attributes group box. For this use case, enter the following:

   Resource

   managebenefits.jsp

5. Repeat steps 2–4, but enter the following information:

   Name

   Performance Appraisals

   Description

   Lets a manager write an appraisal report and salary review for an employee

   Resource

   salaryincrease.jsp

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

The resources associated with the performance management application are now defined.

Create an Employee Role

After defining the specific components of an application that require protection, you specify roles that define the set of users who have access to a particular resource. Create a role for all employees.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create a role

1. Click the Roles tab.
2. Click Create Role.

   The Create Role pane appears.

3. Verify that the Create option is selected, and click OK.
4. Enter values for the fields in the General group box. For this use case, enter the following:

   Name

   Employees

   Description

   All employees of Acme Financial Services

   Role applies to

   All Users

   Note: The Users Setup and Advanced group boxes do not apply when this option is set and are no longer displayed.

5. Click OK.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Create a Manager Role

After defining the specific components of an application that require protection, specify roles that define the set of users who have access to a particular resource. Create a role for managers.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create a role

1. Click the Roles tab.
2. Click Create.

   The Create Role pane appears.

3. Verify that the Create option is selected, and click OK.
4. Enter values for the fields in the General group box. For this use case, enter the following:

   Name

   Managers

   Description

   Managers at Acme Financial Services

   Role applies to

   Selected Users

5. Verify that the Role Applies to Selected Users option is selected and that the Users Setup and Advanced group boxes are visible.
6. Define the set of users in the Managers role by making selections in the Users Setup group box. For this use case, select the following entry in the Member Groups table:

   cn=managers,ou=Groups,o=acme-financial.com
   

   This entry specifies the managers group in the corporate user directory.

7. Click OK.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Use a Response to Supply Data to the Application

To make the human resources application more user friendly for employees of Acme Financial Services, you can configure a response that provides the employees ID on their benefit records.

To create a response that provides the employee ID:

1. Click Response the Applications dialog.
2. Click Create Response.

   The Create Response dialog opens.

3. Complete the field as follows:

   Name

   Employee ID

   Description

   Lists the employee ID.

4. Click Create Response Attribute.

   The Create Response Attribute dialog opens.

5. Complete the fields as follows:

   Attribute

   WebAgent-HTTP-Header-Variable

   Attribute Kind

   User Attribute

   Attribute Fields—Variable Name

   Personnel_Key

   Attribute Fields—Variable Value

   EmployeeID

   Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.

6. Keep the defaults for all the other fields.
7. Click OK until you return to the main Response tab.

The response named Employee ID has been created. When an employee views her benefits information, the data from this response is returned to the human resources application and her customer ID will be displayed in the benefits record.

Establish a Policy Based on Roles

After you have defined the resources and roles, you can group these objects into application security policies.

To create the application security policies

1. Click the Policies tab.

   The Policies pane opens and displays a table listing the configured resources and roles. This table lets you quickly see which roles can be granted access to which resources.

2. Do the following:
   1. Check the Employees role in the Benefits Management row to create a policy that allows all employees to manage their benefits.
   2. Check the Managers role in the Performance Appraisals row to create a policy that allows only managers to access the performance appraisals.
3. Click Submit.

You have created two security policies for the human resources application based on roles.

Note: If you need to edit resources or roles, you must make the changes on the respective tabs and not on the Policies pane.

Include Metadata that Describes the Application

Acme-financial.com wants to ensure that there is some descriptive information about the internal human resources application. Custom attributes can be used to define metadata that describes the application.

The information that Acme-financial wants for the purpose of the application and the date the application was completed.

Follow these steps:

1. Click the Custom Attributes tab.

   The Custom Attributes dialog opens.

2. Click Create.

   A table appears with Name and Value fields.

3. Enter values for the fields in the custom attributes table. For this use case, enter the following:

   Name

   App_Completed

   Value

   November_22_2007

4. Click Create to add another row to the table then enter the following:

   Name

   Purpose

   Value

   Human_Resource_Mgmt

5. Click Submit.

Application Security Policies with User Mapping and Named Expressions

In this use case, a retail clothing company wants to define a role preventing customers from making web-based credit purchases if they have exceeded their credit limit. The company policy dictates that customers have a $1,000 credit limit, while company employees have a $2,000 credit limit.

You can create an application security policy using attribute mapping, named expressions (virtual user attributes and user classes) and roles to satisfy the corporate credit policy.

Given:

• The CA SiteMinder® environment contains two user directories.
• Directory A stores employees. Employees can also be customers. Therefore, Directory A identifies employees that are also customers that belong to:

  group:cn=Customers,ou=Groups,o=acme.com
  

• Directory B only stores customers. Directory B does not have a user attribute that identifies customers because to store a user in Directory B implies the user is a customer.

Solution:

1. Define an attribute mapping.
2. Establish a named expression.
3. Use the attribute mapping in an advanced expression to establish roles.
4. Create a response to customize the application further.
5. Create an application security policy.

More information:

Named Expressions

Establish Mappings for the Two User Directories

The retail company maintains two directories. To create a universal schema that identifies customers in both user directories use attribute mappings, which you create in the Administrative UI.

To create attribute mappings for this use case

1. Create a group membership attribute for Directory A:
   • Name the attribute IsCustomer.
   • Define IsCustomer as: cn=Customers,ou=Groups,o=acme.com
2. Create a constant attribute for Directory B:
   • Name the attribute IsCustomer.
   • Define IsCustomer as "TRUE".

IsCustomer results in a common view of the same user information. You can reference IsCustomer in an expression to determine whether a user is a customer.

Review the section Define Attribute Mappings for detailed procedures on how to configure attribute mappings.

Define Named Expressions to Check the Credit Limit

Named expressions enable CA SiteMinder® to calculate each users credit limit and account balances. An expression can also determine if customers are over their credit limit.

To define named expressions for this use case

1. Define a virtual user attribute that calculates a $1,000 dollar credit limit for customers and a $2,000 credit limit for employees:
   • Name the attribute #CreditLimit.
   • Define #CreditLimit as:

     IsCustomer?1000:2000
     

     This calculation contains CA SiteMinder® supported expression syntax.

2. Define a virtual user attribute that retrieves account balances from the accounting database:
   • Name the attribute #Balance
   • Define the attribute as:

     (MyLibrary.GetBalance(""))
     

     This attribute definition is an active expression defined by the clothing retailer.

3. Create a user class expression that determines if customers are over their credit limit:
   • Name the attribute @IsUnderCreditLimit
   • Define the attribute as:

     (#Balance > #CreditLimit)
     

Read Define Named Expressions for details on creating virtual user attributes and user class expressions.

Protect the Online Shopping Application

In this use case, you want to establish access privileges with specific conditions for the store's Web-based shopping application.

To protect the web-based shopping application

1. Click Policies, Application.
2. Click Applications.

   The Applications page appears.

3. Click Create Application.

   The Create Application page appears.

4. Click the General tab.
5. Enter values for the following fields. For this use case, the following data is specified:

   Name

   Online Catalog

   Description

   Identifies the clothing stores Web-based shopping application

6. Enter values for the following fields in Components. For this use case, the following data is specified:

   Component Name

   Catalog

   Agent Type

   Web Agent

   Agent

   Web Retail Agent

   Resource Filter

   /webcatalog

   Default Resource Protection

   Protected

   Authentication Scheme

   Basic

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Note: A subcomponent can be created only after you save the main component.

7. Specify the user directory associated with the resources being protected. This directory is where CA SiteMinder® will locate users who meet the role criteria.
   1. Click Add/Remove.
   2. Select IsCustomer from the Available Members box and click the right arrow to place this group in the Selected Members box.

      IsCustomers maps to the users in both directories associated with the clothing store.

   3. Click Submit.

You have now created an application called Online Catalog.

Designate the Resource Requiring Protection

For this use case, you want to protect the checkout process so that users who exceed their credit limit cannot complete the transaction. Therefore, you need to add a resource to the Online Catalog application you just created.

To protect the specific resource of the web-based shopping application

1. Click Policies, Application.
2. Click Applications.

   The Applications page appears.

3. Specify search criteria and click Search.

   The Applications matching the criteria appear.

4. Click the name of the application you want to modify. For this use case, click Online Catalog.

   The View Application page appears.

5. Scroll down the page and click Modify.

   The settings and controls become active.

6. Select the Resources tab.
7. Click Create.

   The Create Resource page appears.

8. Enter values for the following fields. For this use case, enter the following:

   Name

   Checkout

   Description

   Lets you total your purchases and pay for them.

9. Enter values for the following fields in Attributes. For this use case, enter the following:

   Resource

   total_charges.jsp

10. Select Web Agent actions in Action and select the actions Get and Post.
11. Click OK.

You have created a resource called Checkout.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

Configure the Customer Role

After the web portal resource is defined, create an application role that lets customers make web-based purchases as long as they have not exceeded their credit limit.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create this credit-based role

1. Click the Roles tab.
2. Click Create Role.

   The Create Role dialog appears.

3. Verify that the Create option is selected, and click OK.

   The Create Role dialog opens.

4. Enter values for the fields in the General group box. For this use case, enter the following:

   Name

   PurchasewithCredit

   Description

   Indicates that the customer uses credit to pay for their purchases.

   Role applies to

   Selected users

5. Enter an expression in the Advanced Expression group box. For this use case, enter the following:

   User Expression

   @IsUnderCreditLimit

   The role expression is the product of the two virtual user attribute expressions #Balance and #CreditLimit, which calculate whether the user has exceeded their credit limit.

6. Click OK.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

You have created a role named PurchasewithCredit, whose value is the combination of two named expressions.

Customize the Application with a Response

To provide a more personalized experience for the customer, the retail clothing company can configure a response that lets customers who are over their credit limit apply for increased credit. If a customer has exceeded their credit limit, this response will redirect them to a credit application where they can apply for a higher credit limit.

To create a response

1. Click on the Response tab.
2. Click Create Response.

   The Create Response dialog opens.

3. Complete the field as follows:

   Name

   CreditNotice

   Description

   Alerts users they have exceeded credit limit.

4. Click Create Response Attribute.

   The Create Response Attribute dialog opens.

5. Complete the fields and settings as follows:

   Attribute

   WebAgent-OnReject-Redirect

   Attribute Kind

   Static

   Attribute Fields—Variable Value

   http://catalog.retailcorp.com/credit_notice.jsp

   Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.

6. Keep the defaults for all the other fields.
7. Click OK.

The response named CreditNotice has been created and will be sent to customers who exceed their credit limit.

Configure the Security Policy for the Shopping Application

After you have defined the resource, role, and response, configure the policy that secures the Web-based shopping application.

Follow these steps:

1. Click the Policies tab.

   The Policies dialog opens and displays a table listing the Checkout resource and the PurchaseWithCredit role displayed.

2. Select the PurchaseWithCredit role for the Checkout resource.

   This pairing establishes a policy that lets all customers make a purchase with the store's credit card, if they have not exceeded their credit limit. Additionally, by checking the role the Responses grid becomes populated.

3. Select the CreditNotice response for the Checkout resource.

You now have a security policies for the online catalog application based on roles that define a spending limit. Additionally, a response is associated with the policy and will be sent to those customers who continue to make purchases after exceeding their limit.

Provide Metadata to Describe the Application

The retail clothing company wants to ensure that there is some descriptive information about the online catalog application. Custom attributes can be used to provide metadata that describes the application.

The retail clothing company wants to note that the application is only for the online catalog and the email address of the administrator of this application.

To specify metadata for the online catalog application:

1. Click the Custom Attributes tab.

   The Custom Attributes dialog opens.

2. Click Create.

   A table appears with Name and Value fields.

3. Enter values for the fields in the custom attributes table. For this use case, enter the following:

   Name

   App_Function

   Value

   online_retail

4. Click Create to add another row to the table then enter the following:

   Name

   Admin_email

   Value

   jdoe@retailcorp.com

5. Click Submit.

You have completed all the available tasks related to creating an application security policy.

Application Security Policy Based on CA DataMinder Content Classifications

In this use case, a financial services company, Forward Inc., has deployed Microsoft SharePoint. The company wants to:

• Give all employees access to SharePoint.
• Restrict access to documents that contain employee compensation information. Only employees in human resources can access documents that contain compensation information.

Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.

The following details how to configure an application with CA DataMinder content classifications to create a security policy that protects employee compensation information.

Given:

• The CA SiteMinder® environment contains one LDAP user directory. The name of the directory is ForwardLDAP.
• The user directory identifies all employees, including employees who work in human resources. The user directory identifies the human resources employees as follows:

  cn=human resources,o=forwardinc.com
  

• All employees must authenticate with the Basic authentication scheme.
• A single SharePoint site is deployed:
  • The root URL of the SharePoint site is:

    usecase.forwardinc.com/SitePages/Home.aspx
    

  • The URL of the shared documents directory is:

    usecase.forwardinc.com/Shared Documents
    

Solution:

1. Protect the shared documents directory.
2. Protect all document resources.
3. Create the human resources role.
4. Establish a policy that is based on the human resources role.

Protect the Shared Documents Directory

For this use case, the highest point in the SharePoint environment that you want to protect is the shared documents directory. You leave the SharePoint site (usecase.forwardinc.com/SitePages/Home.aspx) unprotected to be sure that all employees have access.

Follow these steps:

1. Click Policies, Application.
2. Click Applications.
3. Click Create Application.
4. Select the Use DLP Server option.
5. Enter the required values for the General section. For this use case, the following data is specified:

   Name

   SharePoint Site

6. Enter the required values in the Component section. For this use case, the following data is specified:

   Component Name

   Shared Documents

   Agent

   SharePoint

   Resource Filter

   /usecase.forwardinc.com/Shared Documents

7. In the User Directories section, click Add/Remove to list all user directories available to the application policy.
8. Select a user directory and click OK. For this use case, the following user directory is specified:

   ForwardLDAP

9. In the DLP Classifications section, remove any content classifications that you do not want to add to the component. For this use case, do not remove any classifications.
10. Click Submit to save the application.

Protect All Document Resources

For this use case, you want to protect all documents in the Shared Documents directory. You protect all document resources by adding a resource to the application.

Follow these steps:

1. Click Policies, Application.
2. Click Applications.
3. Specify search criteria and click Search.
4. Identify the application you want to modify and click the modify icon. For this use case, modify the following application:

   SharePoint Site.

5. Select the Resources tab and click Create.
6. Enter values for the following fields. For this use case, enter the following:

   Name

   All Documents

   Resource

   /*

7. Select the type of event and action that must take place for the rule to fire. For this use case, select the following:
   • Web Agent actions
   • Connect
   • Delete
   • Get
   • Head
   • Options
   • Post
   • Put
   • Trace
8. Click OK to save the resource.
9. Click Submit to add the resource to the component.

Create the Human Resources Role

For this use case, you want to create a role that that only lets human resources employees access to documents that contain compensation information.

Follow these steps:

1. Click Policies, Application.
2. Click Applications.
3. Specify search criteria and click Search.
4. Identify the application you want to modify and click the modify icon. For this use case, modify the following application:

   SharePoint Site.

5. Select the Roles tab and click Create Role.
6. Select the following option:

   Create a new object of type role

7. Click OK.
8. Enter values in the General section. For this use case, enter the following:

   Name

   Human Resources

   Description

   A role that has access documents that contain employee compensation information.

9. Specify if the role is to apply to all or specific users in the available directories. For this use case, select the following option:

   Selected Users

10. Define the role members in the Users Setup section. For this use case, select the following organization in the Member Groups section:

    cn=human resources,o=forwardinc.com

11. Add content classifications to the role in the DLP Classifications section. For this use case, select the following:
    • US Employee Compensation Information
    • UK Employee Compensation Information
12. Click OK to save the role.
13. Click Submit to add the role to the application.

Establish a Policy Based on the Human Resource Role

For this use case, you want to create a policy that protects documents that contain employee compensation information.

Follow these steps:

1. Click Policies, Application.
2. Click Applications.
3. Specify search criteria and click Search.
4. Identify the application that you want to modify and click the modify icon. For this use case, modify the following application:

   SharePoint Site.

5. Select the Policies tab.
6. Select the Human Resources role for the All Documents resource.
7. Click Submit.

   A policy that only lets human resources employees access SharePoint documents that contain employee compensation information is created.