Policies define how users interact with resources. When you create policies in the Administrative UI, you link together (bind) objects that identify users, resources, and actions associated with the resources.
Policies are stored in policy domains. When you configure a policy, you can select users and groups from the user directories available in the policy domain.
SiteMinder identifies resources through rules. When you create a policy, you can select rules that specify the resources you want to include in a policy.
Once you identify users and resources in a policy, you can specify actions that should take place when those users access the specified resources. These actions take the form of responses. Policies can include responses that allow or deny access to a resource, customize a user's session time, redirect the user to other resources, or customize the content the user receives based on attributes contained in a user directory.
The following diagram illustrates all of the possible parts of a policy. These parts are described briefly following the diagram, and in more detail throughout the rest of this chapter.
A policy must contain at least one rule or rule group. A rule identifies a specific resource or resources that are included in the policy.
A policy must specify the users or groups of users that are affected by the policy. Connections to these users or groups of users must be configured on the SiteMinder User Directory pane. Only users or user groups for directories that are included in the policy domain in which the policy is located may be associated with a policy.
A response defines the action that is triggered when a user accesses a resource specified in a rule. Responses can return attributes from a user directory for use by other applications or to customize the appearance of a resource. Responses can also trigger actions based on authentication and authorization events.
A policy may be limited to specific user IP addresses. Once you add an IP address restriction to a policy, if a user attempts to access a resource from an IP address not specified in the policy, the policy will not fire for the user, and therefore will not allow/deny access or process any responses.
A policy may be limited to specific days or ranges of hours. A policy with a time restriction will not fire outside specified times, and therefore will not allow/deny access to protected resources or process any responses.
An Active policy allows business logic external to SiteMinder to be included in a policy definition. Active policies allow SiteMinder to interact with custom software created using the SiteMinder APIs.
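The IP address and time restrictions described above control whether a policy fires at all, which is different from a policy that fires and denies. The following sketch is an added illustration, not SiteMinder code or its API: the Policy class, the evaluate function, the pattern matching used in place of rules, and the sample policy, user, and addresses are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

@dataclass
class Policy:                      # hypothetical model, not a SiteMinder object
    rules: list                    # resource patterns standing in for rules
    users: set                     # users bound to the policy
    effect: str = "allow"          # what the policy does when it fires
    responses: list = field(default_factory=list)
    ip_ranges: list = field(default_factory=list)  # empty: no IP restriction
    days: set = None               # weekdays, 0 = Monday; None: any day
    hours: tuple = None            # (start, end) time of day; None: any hour

def evaluate(p, user, resource, client_ip, when):
    """Return the outcome of one policy for one request."""
    skipped = {"fired": False, "effect": None, "responses": []}
    if not any(fnmatch(resource, r) for r in p.rules):
        return {**skipped, "reason": "no rule matches the resource"}
    if user not in p.users:
        return {**skipped, "reason": "user not bound to the policy"}
    addr = ip_address(client_ip)
    if p.ip_ranges and not any(addr in ip_network(n) for n in p.ip_ranges):
        return {**skipped, "reason": "IP address restriction"}
    if p.days is not None and when.weekday() not in p.days:
        return {**skipped, "reason": "time restriction"}
    if p.hours is not None and not (p.hours[0] <= when.time() < p.hours[1]):
        return {**skipped, "reason": "time restriction"}
    return {"fired": True, "effect": p.effect,
            "responses": list(p.responses), "reason": "policy fired"}

# Constructed sample policy and requests (documentation IP ranges).
PAYROLL = Policy(rules=["/payroll/*"], users={"alice"},
                 responses=["set-header:department"],
                 ip_ranges=["192.0.2.0/24"],
                 days={0, 1, 2, 3, 4}, hours=(time(8), time(18)))
MONDAY_10AM = datetime(2024, 1, 8, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)

if __name__ == "__main__":
    for ip, when in [("192.0.2.15", MONDAY_10AM),
                     ("198.51.100.7", MONDAY_10AM),
                     ("192.0.2.15", SATURDAY_10AM)]:
        print(ip, when, evaluate(PAYROLL, "alice", "/payroll/run.html", ip, when))
```

In the second and third requests the policy yields neither an allow nor a deny and returns no responses, so any header or redirect that downstream applications expect from the policy is absent for those requests.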
Copyright © 2010 CA. All rights reserved.