Learn how to define application security policies using application objects by reviewing the following use cases:
In this use case, a software company, sample-software-company.com, has a web portal that provides information about the company and its products to the public.
Anyone can access the main home page and product information pages, such as promotional materials and white papers, without restrictions. This area of the web portal does not require any security policy. Access to the software downloads area, however, is restricted to registered customers. Each customer is assigned a user name and password, which are stored in an LDAP directory server.
The following use case shows how an application security policy protects the restricted software downloads area so that only registered customers have access.
Given:
Solution:
To solve this use case, use the following process:
An application security policy for a web portal must specify the top-level location of the resources that you want to protect, and a directory of users who are authorized to use the resources.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To identify the web portal and select the directory server
The Applications page appears.
The Create Application page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Sample Software Company Portal
Allows access to all parts of the portal except the downloads area.
Downloads
Web Agent
PortalAgent
/downloads
Note: A subcomponent can be created only after you save the main component.
The Choose User Directories page appears.
You return to the General tab.
The web portal application is identified and the directory selected.
After the location of the resources and the user directory have been specified, the individual resources in the subdirectories of the web portal that you want to protect must be specified.
To create the web portal resources
A list of resources appears.
The Create Application Resource pane opens.
Downloads Area
Software downloads restricted to registered customers
*
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
/downloads/*
This string specifies that all resources in the downloads directory are protected.
The web portal resource is created and appears in the resources list.
After the web portal resources have been specified, create a role for the registered customers of the web portal. A role associates resources with groups of users.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To create web portal roles
The Create Role pane opens.
Registered Customers
Registered customers permitted to access software downloads.
All Users
Note: The Users Setup and Advanced group boxes do not apply when this option is set and are no longer displayed.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The registered customers role is created.
After the resources and roles have been created, you must associate the resources of the web portal you want to protect with the roles of the users who will access the resources in the web portal. This creates the policies that protect your applications.
To create the policy to protect the web portal
By selecting this role, you indicate that only registered customers have access to the software downloads area of the web portal.
A confirmation screen appears. The application security policy for the web portal is created.
Displaying the List of Resources
You can sort the list of resources by clicking one of the following radio buttons:
Sorts resources according to the name you provided when you specified the resource.
Example: Software Downloads
Sorts resources according to the actual resource that is being protected.
Example: * (asterisk indicates all resources)
In this use case, a financial services company, acme-financial.com, has an internal human resources application that handles benefits and performance management. All employees should have access to the benefits portion of the application, while only managers should be permitted access to the performance management portion.
The following procedures detail how you can use the EPM model together with application roles to create a security policy for the human resources application.
Given:
Solution for application security based on roles:
To solve this use case, you complete the following steps:
In this use case, you need to establish different access privileges for different parts of the human resources application. To do this, you must identify the directories underneath the main application and configure the appropriate access.
To protect the example human resources application
The Applications page appears.
The Create Application page appears.
HR Application
Identifies the internal human resources application
Benefits
Web Agent
hrportal agent
/benefits
Protected
Basic
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: A subcomponent can be created only after you save the main component.
The human resources application is now identified.
After specifying the sub-areas of the main application that you want to protect, you can then designate the specific resources within that subdirectory that you want to protect with an application policy.
For this use case, there are two resources to protect:
To specify the specific resources or functions of the main application
The Resource pane opens.
Benefits Management
Lets employees manage their benefits
managebenefits.jsp
Performance Appraisals
Lets a manager write an appraisal report and salary review for an employee
salaryincrease.jsp
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The resources associated with the performance management application are now defined.
After defining the specific components of an application that require protection, you specify roles that define the set of users who have access to a particular resource. Create a role for all employees.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To create a role
The Create Role pane appears.
Employees
All employees of Acme Financial Services
All Users
Note: The Users Setup and Advanced group boxes do not apply when this option is set and are no longer displayed.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
After defining the specific components of an application that require protection, specify roles that define the set of users who have access to a particular resource. Create a role for managers.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To create a role
The Create Role pane appears.
Managers
Managers at Acme Financial Services
Selected Users
cn=managers,ou=Groups,o=acme-financial.com
This entry specifies the managers group in the corporate user directory.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
To make the human resources application more user friendly for employees of Acme Financial Services, you can configure a response that provides the employee's ID on their benefits records.
To create a response that provides the employee ID:
The Create Response dialog opens.
Employee ID
Lists the employee ID.
The Create Response Attribute dialog opens.
WebAgent-HTTP-Header-Variable
User Attribute
Personnel_Key
EmployeeID
Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.
The response named Employee ID has been created. When an employee views her benefits information, the data from this response is returned to the human resources application and her customer ID will be displayed in the benefits record.
After you have defined the resources and roles, you can group these objects into application security policies.
To create the application security policies
The Policies pane opens and displays a table listing the configured resources and roles. This table lets you quickly see which roles can be granted access to which resources.
You have created two security policies for the human resources application based on roles.
Note: If you need to edit resources or roles, you must make the changes on the respective tabs and not on the Policies pane.
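The objects these two use cases build (an application component with a resource filter, resources matched by pattern beneath it, roles that name a set of users, and policies that pair resources with roles) can be modelled in a few dozen lines to see how a single request is decided. The Python below is an added example and is not part of this documentation or of CA SiteMinder. The patterns, the managers group DN and the EmployeeID header response are the values given in the procedures above; the User records, their group memberships and the request paths are constructed, and the rule that a path under a Protected component which matches no resource is denied is a modelling assumption. The SharePoint use case later on this page has the same shape (a `/*` resource and a Selected Users role named by group DN), so the same model applies to it.

```python
"""Toy model of the objects these procedures create: an application component with a
resource filter, resources matched by pattern, roles naming a user set, and the policies
that pair them. Constructed example; not CA SiteMinder code."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    """A user after authentication against the application's directory (constructed record)."""
    dn: str
    groups: List[str]                        # DNs of the LDAP groups the user belongs to
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Role:
    """'All Users' admits every directory user; 'Selected Users' names one group DN."""
    name: str
    selected_group: Optional[str] = None

    def contains(self, user: User) -> bool:
        return self.selected_group is None or self.selected_group in user.groups


@dataclass
class Resource:
    """A protected resource relative to the component's filter, e.g. '*' or 'managebenefits.jsp'."""
    name: str
    pattern: str
    # Response attributes returned on accept: (attribute type, header name, source user attribute).
    responses: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class Application:
    name: str
    resource_filter: str                     # the component's top-level location, e.g. "/benefits"
    resources: List[Resource]
    policies: Dict[str, List[Role]]          # resource name -> roles granted access

    def effective_pattern(self, res: Resource) -> str:
        sep = "" if res.pattern.startswith("/") else "/"
        return self.resource_filter + sep + res.pattern

    def match(self, path: str) -> Optional[Resource]:
        """Return the first resource whose effective pattern covers the requested path."""
        for res in self.resources:
            if fnmatch(path, self.effective_pattern(res)):
                return res
        return None

    def authorize(self, user: User, path: str) -> Tuple[bool, Dict[str, str]]:
        """Decide one request: (allowed, response headers handed to the application)."""
        res = self.match(path)
        if res is None:
            # Modelling assumption: a path under a "Protected" component that matches no
            # resource is denied; a path outside the component's filter is unprotected.
            return (not path.startswith(self.resource_filter + "/"), {})
        if not any(role.contains(user) for role in self.policies.get(res.name, [])):
            return False, {}
        headers = {header: user.attrs.get(source, "")
                   for kind, header, source in res.responses
                   if kind == "WebAgent-HTTP-Header-Variable"}
        return True, headers


def build_portal_application() -> Application:
    """Use case 1: the downloads area, open to every user of the customer directory."""
    customers = Role("Registered Customers")                       # All Users
    return Application("Sample Software Company Portal", "/downloads",
                       [Resource("Downloads Area", "*")],
                       {"Downloads Area": [customers]})


def build_hr_application() -> Application:
    """Use case 2: benefits for every employee, appraisals for the managers group only."""
    employees = Role("Employees")                                  # All Users
    managers = Role("Managers", "cn=managers,ou=Groups,o=acme-financial.com")
    benefits = Resource("Benefits Management", "managebenefits.jsp",
                        responses=[("WebAgent-HTTP-Header-Variable", "EmployeeID", "Personnel_Key")])
    appraisals = Resource("Performance Appraisals", "salaryincrease.jsp")
    return Application("HR Application", "/benefits", [benefits, appraisals],
                       {"Benefits Management": [employees], "Performance Appraisals": [managers]})


# Constructed users: Alice is a plain employee, Bob is in the managers group.
ALICE = User("uid=alice,ou=People,o=acme-financial.com", [], {"Personnel_Key": "E-1042"})
BOB = User("uid=bob,ou=People,o=acme-financial.com",
           ["cn=managers,ou=Groups,o=acme-financial.com"], {"Personnel_Key": "E-0007"})

if __name__ == "__main__":
    hr = build_hr_application()
    for user, path in [(ALICE, "/benefits/managebenefits.jsp"), (ALICE, "/benefits/salaryincrease.jsp"),
                       (BOB, "/benefits/salaryincrease.jsp"), (ALICE, "/index.html")]:
        allowed, headers = hr.authorize(user, path)
        print(f"{user.dn.split(',')[0]:<10} {path:<35} allowed={allowed} headers={headers}")
```

Running the module prints one decision per line; the interesting case is the last one, where `/index.html` lies outside the `/benefits` filter and is therefore passed through without any policy, exactly as the unprotected home page in the first use case.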
Acme-financial.com wants to ensure that there is some descriptive information about the internal human resources application. Custom attributes can be used to define metadata that describes the application.
The information that Acme-financial wants is the purpose of the application and the date the application was completed.
Follow these steps:
The Custom Attributes dialog opens.
A table appears with Name and Value fields.
App_Completed
November_22_2007
Purpose
Human_Resource_Mgmt
In this use case, a retail clothing company wants to define a role preventing customers from making web-based credit purchases if they have exceeded their credit limit. The company policy dictates that customers have a $1,000 credit limit, while company employees have a $2,000 credit limit.
You can create an application security policy using attribute mapping, named expressions (virtual user attributes and user classes) and roles to satisfy the corporate credit policy.
Given:
group:cn=Customers,ou=Groups,o=acme.com
Solution:
The retail company maintains two directories. To create a universal schema that identifies customers in both user directories, use attribute mappings, which you create in the Administrative UI.
To create attribute mappings for this use case
IsCustomer results in a common view of the same user information. You can reference IsCustomer in an expression to determine whether a user is a customer.
Review the section Define Attribute Mappings for detailed procedures on how to configure attribute mappings.
Named expressions enable CA SiteMinder® to calculate each user's credit limit and account balance. An expression can also determine whether customers are over their credit limit.
To define named expressions for this use case
IsCustomer?1000:2000
This calculation contains CA SiteMinder® supported expression syntax.
(MyLibrary.GetBalance(""))
This attribute definition is an active expression defined by the clothing retailer.
(#Balance > #CreditLimit)
Read Define Named Expressions for details on creating virtual user attributes and user class expressions.
In this use case, you want to establish access privileges with specific conditions for the store's Web-based shopping application.
To protect the web-based shopping application
The Applications page appears.
The Create Application page appears.
Online Catalog
Identifies the clothing store's Web-based shopping application
Catalog
Web Agent
Web Retail Agent
/webcatalog
Protected
Basic
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: A subcomponent can be created only after you save the main component.
IsCustomer maps to the users in both directories associated with the clothing store.
You have now created an application called Online Catalog.
For this use case, you want to protect the checkout process so that users who exceed their credit limit cannot complete the transaction. Therefore, you need to add a resource to the Online Catalog application you just created.
To protect the specific resource of the web-based shopping application
The Applications page appears.
The Applications matching the criteria appear.
The View Application page appears.
The settings and controls become active.
The Create Resource page appears.
Checkout
Lets you total your purchases and pay for them.
total_charges.jsp
You have created a resource called Checkout.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
After the web portal resource is defined, create an application role that lets customers make web-based purchases as long as they have not exceeded their credit limit.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To create this credit-based role
The Create Role dialog appears.
PurchasewithCredit
Indicates that the customer uses credit to pay for their purchases.
Selected users
@IsUnderCreditLimit
The role expression is the product of the two virtual user attribute expressions #Balance and #CreditLimit, which calculate whether the user has exceeded their credit limit.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
You have created a role named PurchasewithCredit, whose value is the combination of two named expressions.
To provide a more personalized experience for the customer, the retail clothing company can configure a response that lets customers who are over their credit limit apply for increased credit. If a customer has exceeded their credit limit, this response will redirect them to a credit application where they can apply for a higher credit limit.
To create a response
The Create Response dialog opens.
CreditNotice
Alerts users they have exceeded credit limit.
The Create Response Attribute dialog opens.
WebAgent-OnReject-Redirect
Static
http://catalog.retailcorp.com/credit_notice.jsp
Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.
The response named CreditNotice has been created and will be sent to customers who exceed their credit limit.
After you have defined the resource, role, and response, configure the policy that secures the Web-based shopping application.
Follow these steps:
The Policies dialog opens and displays a table listing the Checkout resource and the PurchaseWithCredit role.
This pairing establishes a policy that lets all customers make a purchase with the store's credit card if they have not exceeded their credit limit. Additionally, selecting the role populates the Responses grid.
You now have a security policy for the online catalog application based on a role that defines a spending limit. Additionally, a response is associated with the policy and will be sent to those customers who continue to make purchases after exceeding their limit.
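The named expressions in this use case form a small language: an attribute mapping gives `IsCustomer` a per-directory meaning, `#Name` references a virtual user attribute, `@Name` references a user class, `MyLibrary.GetBalance("")` is an active expression supplied by the retailer, and `?:` and `>` are operators. The Python below is an added example, not part of this documentation or of CA SiteMinder, that tokenizes and evaluates exactly the three expressions given above for constructed user records, then applies the result to the Checkout resource with the CreditNotice redirect. Labelled assumptions: the employee-directory mapping rule, the stand-in for MyLibrary.GetBalance, and the user records. One caveat a practitioner should carry away: the user-class expression `(#Balance > #CreditLimit)` is true when the customer is over the limit, so a role that is meant to grant purchases must admit the users outside that class. The example therefore names the class IsOverCreditLimit, and the `@IsUnderCreditLimit` role expression on the page should be read with that in mind.

```python
"""Toy evaluator for this use case's named-expression objects (constructed example; not CA code)."""
import re
from typing import Any, Dict, List, Tuple

# Token kinds the page's expressions use: integers, "strings", #VirtualAttribute, @UserClass
# and bare mapped-attribute names, dotted function names, ?: and '>'. 'bad' catches the rest.
TOKEN_RE = re.compile(r'(?P<num>\d+)|"(?P<str>[^"]*)"|(?P<name>[#@]?[A-Za-z_][A-Za-z0-9_.]*)'
                      r'|(?P<op>[?:()>,])|(?P<bad>\S)')


def tokenize(text: str) -> List[Tuple[str, Any]]:
    tokens = []
    for m in TOKEN_RE.finditer(text):                 # whitespace is simply skipped
        if m.lastgroup == "bad":
            raise ValueError(f"bad token {m.group()!r} in {text!r}")
        value = m.group(m.lastgroup)
        tokens.append((m.lastgroup, int(value) if m.lastgroup == "num" else value))
    return tokens


class Evaluator:
    """Recursive-descent evaluation of one expression for one user: ternary > compare > primary."""
    def __init__(self, user: Dict[str, Any], cfg: Dict[str, Dict[str, Any]]):
        self.user, self.cfg, self.toks, self.i = user, cfg, [], 0

    def evaluate(self, expr: str) -> Any:
        self.toks, self.i = tokenize(expr), 0
        value = self.ternary()
        if self.peek() != ("eof", None):
            raise ValueError(f"unparsed input in {expr!r}")
        return value

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)

    def take(self, expected=None):
        tok = self.peek()
        if tok[0] == "eof" or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok}")
        self.i += 1
        return tok

    def ternary(self):                                # cond ? if_true : if_false
        cond = self.compare()
        if self.peek() != ("op", "?"):
            return cond
        self.take()
        if_true = self.ternary()
        self.take(("op", ":"))
        if_false = self.ternary()
        return if_true if cond else if_false

    def compare(self):                                # only '>' is needed by the page
        left = self.primary()
        if self.peek() == ("op", ">"):
            self.take()
            return left > self.primary()
        return left

    def primary(self):
        kind, val = self.take()
        if kind in ("num", "str"):
            return val
        if (kind, val) == ("op", "("):
            inner = self.ternary()
            self.take(("op", ")"))
            return inner
        if kind != "name":
            raise ValueError(f"unexpected token {kind} {val!r}")
        # Named objects are evaluated by a fresh Evaluator so this one's token position is kept.
        if val.startswith("#"):                       # virtual user attribute
            return Evaluator(self.user, self.cfg).evaluate(self.cfg["virtual"][val[1:]])
        if val.startswith("@"):                       # user class
            return bool(Evaluator(self.user, self.cfg).evaluate(self.cfg["classes"][val[1:]]))
        if self.peek() == ("op", "("):                # active expression with literal arguments
            self.take()
            args = [v for k, v in iter(self.take, ("op", ")")) if k != "op"]
            return self.cfg["functions"][val](self.user, *args)
        # Bare name: an attribute mapping, resolved through the user's directory (IsCustomer).
        return self.cfg["mappings"][self.user["directory"]][val](self.user)


CONFIG = {
    # IsCustomer per directory: the customer group DN is the page's; the rule that nobody in
    # the employee directory is a customer is constructed.
    "mappings": {"customer_dir": {"IsCustomer": lambda u: "cn=Customers,ou=Groups,o=acme.com" in u["groups"]},
                 "employee_dir": {"IsCustomer": lambda u: False}},
    "virtual": {"CreditLimit": "IsCustomer?1000:2000",            # page's virtual user attribute
                "Balance": '(MyLibrary.GetBalance(""))'},          # page's active expression
    # The page's user-class expression, true when the balance exceeds the limit, under a
    # constructed name that says what it computes.
    "classes": {"IsOverCreditLimit": "(#Balance > #CreditLimit)"},
    # Stand-in for the retailer's MyLibrary.GetBalance: returns a constructed balance attribute.
    "functions": {"MyLibrary.GetBalance": lambda user, *args: user["attrs"]["balance"]},
}
REJECT_REDIRECT = "http://catalog.retailcorp.com/credit_notice.jsp"   # CreditNotice response


def checkout_decision(user: Dict[str, Any]) -> Tuple[bool, Any]:
    """PurchasewithCredit role, then the Checkout policy: (allowed, OnReject redirect or None)."""
    if Evaluator(user, CONFIG).evaluate("@IsOverCreditLimit"):
        return False, REJECT_REDIRECT
    return True, None


def user_record(directory: str, balance: int) -> Dict[str, Any]:
    """Constructed directory entry with a constructed account balance."""
    groups = ["cn=Customers,ou=Groups,o=acme.com"] if directory == "customer_dir" else []
    return {"directory": directory, "groups": groups, "attrs": {"balance": balance}}
```

With these definitions `checkout_decision(user_record("customer_dir", 1200))` is rejected with the CreditNotice redirect, while the same balance for an entry from the employee directory is allowed, because the attribute mapping makes `IsCustomer` false there and the ternary in CreditLimit resolves to 2000.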
The retail clothing company wants to ensure that there is some descriptive information about the online catalog application. Custom attributes can be used to provide metadata that describes the application.
The retail clothing company wants to note that the application is only for the online catalog and the email address of the administrator of this application.
To specify metadata for the online catalog application:
The Custom Attributes dialog opens.
A table appears with Name and Value fields.
App_Function
online_retail
Admin_email
jdoe@retailcorp.com
You have completed all the available tasks related to creating an application security policy.
In this use case, a financial services company, Forward Inc., has deployed Microsoft SharePoint. The company wants to:
Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.
The following details how to configure an application with CA DataMinder content classifications to create a security policy that protects employee compensation information.
Given:
cn=human resources,o=forwardinc.com
usecase.forwardinc.com/SitePages/Home.aspx
usecase.forwardinc.com/Shared Documents
Solution:
For this use case, the highest point in the SharePoint environment that you want to protect is the shared documents directory. You leave the SharePoint site (usecase.forwardinc.com/SitePages/Home.aspx) unprotected to be sure that all employees have access.
Follow these steps:
SharePoint Site
Shared Documents
SharePoint
/usecase.forwardinc.com/Shared Documents
ForwardLDAP
For this use case, you want to protect all documents in the Shared Documents directory. You protect all document resources by adding a resource to the application.
Follow these steps:
SharePoint Site.
All Documents
/*
For this use case, you want to create a role that lets only human resources employees access documents that contain compensation information.
Follow these steps:
SharePoint Site.
Create a new object of type role
Human Resources
A role that has access to documents that contain employee compensation information.
Selected Users
cn=human resources,o=forwardinc.com
For this use case, you want to create a policy that protects documents that contain employee compensation information.
Follow these steps:
SharePoint Site.
A policy that only lets human resources employees access SharePoint documents that contain employee compensation information is created.
Copyright © 2013 CA.
All rights reserved.