

Policy Server Objects for Impersonation

In order to implement impersonation in an enterprise, a number of Policy Server objects must be configured. The combination of objects provides the authentication and policy entitlements that are required to enable one user to impersonate another. The following objects are required for impersonation:

Infrastructure Objects:
Agent

Impersonation requires a Web Agent and its associated Policy Server Agent object.

Note: To implement impersonation, you must have at least one CA SiteMinder® Web Agent installed in your deployment. For information on installing a Web Agent, see the Web Agent Installation Guide.

Authentication Scheme

Impersonation requires an authentication scheme object based on the Impersonation Template.

User Directory

Impersonation requires one or more user directory objects that point to user stores containing impersonators and impersonatees. The two populations of users should be distinguishable by an attribute value or group membership.

Domain

Impersonation requires a policy domain object that includes the user directory object(s) described above.

Domain Objects:
Realms

Impersonation requires a minimum of two configured realm objects. One realm contains the resources accessible by the impersonatees. The other realm is the impersonation realm, and contains the resources and rules required to initialize an impersonation session.

Rules

Impersonation requires access control rules to be in place. In addition, a rule with the ImpersonateStart event must exist for impersonators to begin an impersonation session, and a rule with the ImpersonateStartUser event must exist to allow a user to be impersonated.

Policies

Besides the policies that must be in place to protect a set of resources, impersonation requires additional policies to allow access to resources in the impersonation realm, to qualify users as impersonators, and to limit the set of impersonatees.
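The dependencies listed above (agent, Impersonation Template scheme, directories included in the domain, two realms with one impersonation realm, ImpersonateStart and ImpersonateStartUser rules, and policies that bind those rules to distinguishable impersonator and impersonatee populations) can be audited before a deployment goes live. The following is an added illustration, not SiteMinder's own API, export format, or administrative tooling: the object model, the field names, the sample object names and the `check_impersonation_config` function are all assumptions made here to show how the required objects relate to one another.

```python
"""Minimal model of the Policy Server objects impersonation depends on,
with a checker that reports which requirement is unmet.

Illustrative code only (not SiteMinder's API or export format): object
fields, sample names and the checker are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

IMPERSONATE_START = "ImpersonateStart"            # event named in the text
IMPERSONATE_START_USER = "ImpersonateStartUser"   # event named in the text
IMPERSONATION_TEMPLATE = "Impersonation Template"


@dataclass
class Rule:
    name: str
    realm: str
    event: Optional[str] = None   # None = ordinary access-control rule


@dataclass
class Policy:
    name: str
    rules: list[str]            # names of the rules the policy binds
    user_filter: str            # attribute/group that selects the user population


@dataclass
class Config:
    agents: list[str] = field(default_factory=list)
    auth_scheme_template: Optional[str] = None
    user_directories: list[str] = field(default_factory=list)
    domain_directories: list[str] = field(default_factory=list)
    realms: dict[str, bool] = field(default_factory=dict)  # name -> is impersonation realm
    rules: list[Rule] = field(default_factory=list)
    policies: list[Policy] = field(default_factory=list)


def check_impersonation_config(cfg: Config) -> list[str]:
    """Return the unmet requirements; an empty list means the set of objects is complete."""
    problems: list[str] = []
    if not cfg.agents:
        problems.append("no Web Agent / Agent object")
    if cfg.auth_scheme_template != IMPERSONATION_TEMPLATE:
        problems.append("authentication scheme is not based on the Impersonation Template")
    if not cfg.user_directories:
        problems.append("no user directory object")
    missing_dirs = sorted(set(cfg.user_directories) - set(cfg.domain_directories))
    if missing_dirs:
        problems.append(f"domain does not include user directories: {missing_dirs}")
    imp_realms = {name for name, is_imp in cfg.realms.items() if is_imp}
    if len(cfg.realms) < 2 or not imp_realms:
        problems.append("need at least two realms, one of them the impersonation realm")
    events = {r.event for r in cfg.rules}
    for ev in (IMPERSONATE_START, IMPERSONATE_START_USER):
        if ev not in events:
            problems.append(f"no rule with the {ev} event")
    bound = {name for p in cfg.policies for name in p.rules}
    for r in cfg.rules:
        if r.event is None:
            continue
        if r.realm not in imp_realms:   # session-initiation rules belong in the impersonation realm
            problems.append(f"rule {r.name} ({r.event}) is outside the impersonation realm")
        if r.name not in bound:
            problems.append(f"rule {r.name} ({r.event}) is not bound to any policy")
    # Impersonators and impersonatees must be distinguishable populations.
    def filters_for(event: str) -> set[str]:
        names = {r.name for r in cfg.rules if r.event == event}
        return {p.user_filter for p in cfg.policies if names & set(p.rules)}
    start, target = filters_for(IMPERSONATE_START), filters_for(IMPERSONATE_START_USER)
    if start and target and start == target:
        problems.append("impersonator and impersonatee policies select the same user population")
    return problems


def sample_config(complete: bool = True) -> Config:
    """Constructed sample configuration; every name here is invented for the example."""
    cfg = Config(
        agents=["webagent01"],
        auth_scheme_template=IMPERSONATION_TEMPLATE,
        user_directories=["corp-ldap"],
        domain_directories=["corp-ldap"],
        realms={"/app/": False, "/impersonate/": True},
        rules=[
            Rule("app-get-post", "/app/"),
            Rule("start-impersonation", "/impersonate/", IMPERSONATE_START),
            Rule("be-impersonated", "/impersonate/", IMPERSONATE_START_USER),
        ],
        policies=[
            Policy("app-access", ["app-get-post"], "group=Employees"),
            Policy("impersonators", ["start-impersonation"], "group=HelpDesk"),
            Policy("impersonatees", ["be-impersonated"], "group=Employees"),
        ],
    )
    if not complete:
        # Drop the ImpersonateStartUser rule and its policy: no user can then be impersonated.
        cfg.rules = [r for r in cfg.rules if r.event != IMPERSONATE_START_USER]
        cfg.policies = [p for p in cfg.policies if p.name != "impersonatees"]
    return cfg


if __name__ == "__main__":
    for label, cfg in (("complete", sample_config()), ("incomplete", sample_config(False))):
        print(label, check_impersonation_config(cfg) or "ok")
```

The checker mirrors the least-privilege intent of the design: the rules carrying the two impersonation events must live in the impersonation realm, each must be bound to a policy, and the policies for impersonators and impersonatees must select different user populations, so a misconfiguration that lets every user both impersonate and be impersonated is reported rather than silently allowed.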