Agent for SharePoint Guide › Configure Your CA SiteMinder® Policy Server › Configure your Policy Server › Determine your policy model

Determine your policy model

CA SiteMinder® supports the following policy models:

• Policy Domain (for protecting resources without CA DataMinder)
• Application (EPM) (for protecting resources with CA DataMinder)

For example, you can protect the SharePoint root site with a policy domain. If you have document libraries that you want to protect with CA DataMinder, create applications for those libraries. In this situation, use the same agent or agent group in both the policy domain and the application.

Create a Policy Domain

A policy domain is a logical grouping of resources associated with one or more user directories. Policy domains contain realms, rules, responses, and policies (and optionally, rule groups and response groups).

The resources in a policy domain can be grouped in one or more realms. Rules control access to resources, that are associated with the realm that contains the resource. By grouping realms and rules in a policy domain, you can provide a secure domain for your resources.

For example, on a SharePoint site, some resources require a higher level of security than other resources. Define a realm with a higher level of security than uses an authentication scheme such as a certificate-based scheme. Use a realm with basic authentication for the less sensitive resources. For example, a common set of users wants to access both types of resources. You can group both realms in the same policy domain.

Follow these steps:

1. Click Policies, Domains.
2. Click Domain, Create Domain.

   The Create Domain pane opens.

3. Type the name and a description of the policy domain.
4. Add User Directories and Realms.
5. Click Submit.

   The Create Domain Task is submitted for processing.

Assign User Directories

Add your user directories to a policy domain. The Policy Server authenticates users by comparing the credentials to the credentials that are stored in the user directories.

Follow these steps:

1. Under User Directories, click Add/Remove.

   The Choose user directories pane opens.

2. Select a user directory from the list of Available Members, and click the right-facing arrows.

   The user directory is removed from the list of Available Members and added to the list of Selected Members.

3. Click OK.

   The selected user directory is added to the domain.

Configure Realms

Realms are groupings of resources in a specific location on your network. CA SiteMinder® <agents> protect the resources in a realm. When users request resources within a realm, the associated Agent for SharePoint authenticates the user. The realm uses the authentication scheme you configured. The SharePoint server authorizes the user.

Because most SharePoint resources are URL-based, define the URLs of your SharePoint resources that you want to protect. Use the following examples as guides:

• http://intranet.example.com
• http://intranet.example.com/finance
• http://intranet.example.com/investors

Follow these steps:

1. Click Policies, Domains.
2. Click Realm, Create Realm.

   The Create Realm: Select Domain pane appears.

3. Select the domain you created for your SharePoint resources from the Domain list, and then click Next.

   The Create Realm: Define Realm pane appears.

4. Complete the name and description fields.
5. Click the ellipsis option button.

   The Select an Agent screen appears.

6. Click the option button next to the Agent object you created for your SharePoint resources, and then click OK.

   Important: Do not add the 4.x agent object to any agent group, realm, or policy. This agent object exists only to support the internal operations of the CA SiteMinder® Agent for SharePoint.

7. Click the Resource filter field, and then enter the URL of a SharePoint resource that you want to protect. The realms meet the minimum requirements to enable basic authentication:
   • Create a realm to protect the authentication URL:

     /affwebservices/redirectjsp/redirect.jsp
     

   • Create a realm to leave the ClaimsWS unprotected:

     /ClaimsWS/services/WSSharePointClaimsServiceImpl
     

   Note: We recommend protecting only URLs on SharePoint systems, not lists, or specific documents.

8. Under rules, create new rules or delete existing rules.
9. Under Sub realms, create new sub realms or delete existing sub realms.
10. Under Session, specify the session properties.
11. Under Advanced, specify the following:
    • Registration schemes.
    • Authorization directory mappings.
    • Types of events you want the realm to process.
12. Click Finish.

    The Create Realm Task is submitted for processing.

Create a Rule for Web Agent Actions

You can create a rule that fires in response to specified Web agent actions. The rule allows or denies access to the resource it is protecting.

To create a rule

1. Click Policies, Domains.
2. Click Rule, Create Rule.

   The Create Rule: Select Domain pane opens.

3. Select a domain from the Domain list, and click Next.

   The Create Rule: Select Realm pane opens.

4. Select the realm that includes the resources that you want the rule to protect, and click Next.

   The Create Rule: Define Rule pane opens.

   Note: If a realm does not exist for the resources that you want to protect, a rule cannot be created to protect those resources.

5. Type the name and a description of the rule in the fields on the General group box.
6. Type the resource that you want the rule to protect in the Resource field.

   The Effective Resource updates to include the resource.

7. Specify whether the rules allow or deny access to the protected resource in the Allow/Deny and Enable/Disable sections.
8. Select the Web agent actions option button in the Action section.

   The Action List is populated with HTTP actions.

9. Select one or more HTTP actions from the Action list.
10. (Optional) Specify time restrictions, an active rule, or both in the Advanced section.
11. Click Finish.

    The Create Rule task is submitted for processing.

Create a Policy

You can create a policy by adding it to a new or existing domain. Policies define relationships between users and resources.

Follow these steps:

1. Click the Policies, Domains.
2. Click Domain, Modify Domain.

   The Modify Domain pane opens.

3. Specify search criteria, and click Search.

   A list of domains that match the search criteria opens.

4. Select a domain, and click Select.

   The Modify Domain: Name pane opens.

5. Click the Policies tab on the Domain pane.

   The Policies dialog opens.

6. Click Create.

   The Create Policy: Name pane opens.

7. Type the name and a description of the policy.
8. Click the Users tab.

   The User Directories dialog opens.

9. Add users, user groups, or both to the policy, and click OK.

   The Modify Domain: Name pane reopens.

10. Click Submit.

    The Modify Domain Task is submitted for processing.

Add Users to a Policy

You can add individual users, user groups, or both to a policy and can create a policy binding between the added users and the policy. When a user tries to access a protected resource, the policy verifies that the user is part of its policy binding. Then the policy fires the rules included in the policy to see if the user is allowed to access the resource.

Follow these steps:

1. Click Policies, Domains.

   The Domain pane appears.

2. Click Policy, Modify Policy.

   The Modify Policy page appears.

3. Select the policy to change from the search results and click Select.

   The Modify Policy:Name page appears.

4. Click the Users tab on the Policy pane.

   The User Directories pane opens and contains group boxes for each user directory that is associated with the policy domain.

5. Add users or groups from the user directory to the policy.

   In each user directory section, you can select Add Members, Add Entry, Add All. Depending on which method you use to add users to the policy, a dialog opens to let you add users.

   Note: If you select Add Members, the User/Groups pane opens. Individual users are not displayed automatically. Use the search utility to find a specific user within one of the directories.

   You can edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.

6. Select individual users, user groups, or both using whatever method and click OK.

   The User Directories pane reopens and lists the new users for the policy on the section of the user directory. The task of binding users to the policy is complete.

Add Rules to a Policy

Rules indicate the specific resources included in a policy and whether to allow or deny access to the resources when the rule fires. Responses indicate the actions you want to occur when the rule fires.

Note: Add at least one rule or rule group to a policy.

Follow these steps:

1. Navigate to Policy, Rules.

   The Rules page opens.

2. Click Add Rule.

   The Available Rules pane opens.

3. Select the individual rules, rule groups, or both that you want to add to the policy, and click OK.

   The Rules section lists the added rules and groups.

4. (Optional) Associate the rule with a response or response group.

   Note: To remove a rule or rule group from a policy, click the minus sign (-) to the right of the rule on the Rules section. To create a rule, click New Rule on the Available Rules pane.

Create a CA SiteMinder® Application to Protect SharePoint Resources that CA DataMinder also Protects

CA SiteMinder® applications protect resources by combining access privileges with specific conditions. Users who have the privileges and meet the conditions are granted access to the resources they request.

This section describes creating an application with the following components:

• A resource filter to protect the authentication URL.
• A resource filter to leave the claims web service (ClaimsWS) unprotected by CA SiteMinder®.
• A connection to the user directory that contains your SharePoint users.

These components meet the minimum requirements of the CA SiteMinder® Agent for SharePoint. We recommend creating few applications and components during evaluation, testing, or initial-deployment environments. You can add more applications and components at any time.

Note: Resources protected with CA DataMinder require applications. Do not use policy domains.

Follow these steps:

1. Click Policies, Applications.

   The applications screen appears.

2. Click Create Application.

   The Create Application: screen appears, with the General tab selected.

3. Enter a distinctive name and optional description.
4. Create the component for the authentication URL by doing the following steps:
   1. Click the Component Name field, and type a distinctive name describing the SharePoint resources that you want to protect, such as, "Protected SharePoint Resources."
   2. Verify that Web Agent appears in the Agent Type drop-down list.
   3. Click Lookup Agent/Agent Group.

      The Select Agent or Agent Group screen appears.

   4. Click the option button that corresponds to your Agent Object, and then click OK.

      Important: Do not add the 4.x agent object to any agent group, application, or component. This agent object exists only to support the internal operations of the Agent for SharePoint.

   5. Click the Resource Filter field, and then enter the following value:

      affwebservices/redirectjsp/redirect.jsp
      

      Verify that the field begins with one forward slash as shown in the following example:

      /affwebservices/redirectjsp/redirect.jsp
      

   6. Click the Authentication Scheme drop-down list, and then select the authentication scheme that you want.
   7. Click OK.
5. Create the component for the ClaimsWS by doing the following steps:
   1. Click Create Component.

      The Create Component screen appears, with the cursor in the Component Name field.

   2. Type a distinctive name describing the SharePoint resources that you want to protect, such as, "Claims Web Service."
   3. Verify that Web Agent appears in the Agent Type drop-down list.
   4. Click Lookup Agent/Agent Group.

      The Select Agent or Agent Group screen appears.

   5. Click the option button that corresponds to your Agent Object, and then click OK.

      Important: Do not add the 4.x agent object to any agent group, application, or component. This agent object exists only to support the internal operations of the CA SiteMinder® Agent for SharePoint.

   6. Click the Resource Filter field, and then enter the following value:

      ClaimsWS/services/WSSharePointClaimsServiceImpl
      

   7. Verify that the field begins with one forward slash as shown in the following example:

      /ClaimsWS/services/WSSharePointClaimsServiceImpl
      

   8. Click the Unprotected option button.
   9. Click OK.
6. Add your user directory connection by doing the following steps:
   1. Click Add/Remove.

      The Choose user directories screen appears.

   2. Under the Available Members, click the directory connections that you want, and then click the arrow icon between the lists.

      Your directory connections move to the Selected Members list.

   3. Click OK.

      The Choose user directories screen closes, and the Create Application: screen appears.

   Note: The components in Steps 5 and 6 are the basic components the CA SiteMinder® Agent for SharePoint requires to operate. For testing or production environments, create components for the other SharePoint URLs resources you want to protect. Possible examples of components include the following items:

   • http://intranet.example.com
   • http://intranet.example.com/finance
   • http://intranet.example.com/investors
7. Click Submit.

   The application is created and a confirmation message appears.

Add Resources to your Application

CA SiteMinder® applications use resources to protect items in your SharePoint environment. These resources for CA SiteMinder® applications consist of the following parts:

• Rules.
• Authentication or authorization actions which occur when a rule fires.

Note: In the previous context, "resources" refers only to the rules and actions that are associated with CA SiteMinder® applications. Generally, resources indicate the protected items on a SharePoint server, such as URLs.

Follow these steps:

1. Click Policies, Applications.

   The applications screen appears, showing a list of applications.

2. Locate the application that you created to protect your SharePoint sites, and then click the Edit icon.

   The Modify Application: screen appears.

3. Click the Resources tab.

   The Resources screen appears.

4. Click the Select a context root drop-down list, and then select the resource filter that you previously created for your SharePoint authorization URL. See the following example:

   /affwebservices/redirectjsp/redirect.jsp
   

5. Click Create.

   The General screen appears.

6. Enter a distinctive name, and an optional description.
7. Verify that the Web Agent actions option button is selected, and then Ctrl-click the following items in the Action list:
   • Get
   • Head
   • Options
   • Post
   • Put
8. Click OK.

   The General screen closes and the Resources screen appears.

9. Click Submit.

   The application resources are created and a confirmation message appears.

Add Roles to your Application

CA SiteMinder® applications use roles to define the users or groups or organizations to which you wish to grant access to your SharePoint resources.

Follow these steps:

1. Click Policies, Applications.

   The applications screen appears, showing a list of applications.

2. Locate the application that you created to protect your SharePoint sites, and then click the Edit icon.

   The Modify Application: screen appears.

3. Click the Roles tab.

   The Roles screen appears.

4. Click Create Role.
5. Verify that the Create a new object of type Role option button is selected, and then click OK.

   The Create Role: screen appears.

6. Enter a distinctive name and optional description.
7. Create any of the following roles:
   • Roles that are based on membership in a group (member groups).
   • Roles that are based on membership in an organization (member organizations).
   • Roles that are based on user attributes (Member attributes, such as users who match a particular attribute in your user directory).
8. Click OK.

   The Create Role: screen closes, and the Modify Application: screen appears.

9. Click Submit.

   The Role is created and a confirmation message appears.

Add a Policy to your Application

Polices combine application resources and roles to protect your SharePoint environment.

Follow these steps:

1. Click Policies, Applications.

   The applications screen appears, showing a list of applications.

2. Locate the application that you created to protect your SharePoint sites, and then click the Edit icon.

   The Modify Application: screen appears.

3. Click the Policies tab.

   The Policies screen appears.

4. Click the Select a context root drop-down list, and then select the resource filter that you previously created for your SharePoint authorization URL. See the following example:

   /affwebservices/redirectjsp/redirect.jsp
   

5. Click the check boxes of the roles that you want to associate with your rules for the resource from Step 4.
6. Click the check boxes of the responses that you want to associate with your rules for the resource from Step 4.
7. Click Submit.

   The Policies screen closes. The Modify Application screen appears with a confirmation message.