In order to implement impersonation in an enterprise, a number of Policy Server objects must be configured. The combination of objects provides the authentication and policy entitlements that are required to enable one user to impersonate another. The following objects are required for impersonation:
- Impersonation requires a Web Agent and its associated Policy Server Agent object.
  Note: To implement impersonation, you must have at least one CA SiteMinder® Web Agent installed in your deployment. For more information on installing a Web Agent, see the Web Agent Installation Guide.
- Impersonation requires an authentication scheme object based on the Impersonation Template.
- Impersonation requires one or more user directory objects that point to user stores which contain impersonators and impersonatees. The two populations of users should be distinguishable by an attribute value or group membership.
- Impersonation requires a policy domain object that includes the user directory object(s) mentioned in the previous bullet.
- Impersonation requires a minimum of two configured realm objects. One realm contains the resources accessible by the impersonatees. The other realm is the impersonation realm, and contains the resources and rules required to initialize an impersonation session.
- Impersonation requires access control rules to be in place. In addition, a rule with the ImpersonateStart event must exist for impersonators to begin an impersonation session. A rule with the ImpersonateStartUser event must exist to allow a user to be impersonated.
- Besides the policies that must be in place to protect a set of resources, impersonation requires additional policies to allow access to resources in the impersonation realm, to qualify users as impersonators, and to limit the set of impersonatees.
Copyright © 2013 CA.
All rights reserved.