

Domains

This section contains the following topics:

Policy Domain Overview

Domains and User Membership

How to Configure a Policy Domain

Disable Global Policy Processing for a Domain

Affiliate Domains

Modify a Domain

Delete a Domain

Policy Domain Overview

A policy domain is a logical grouping of resources associated with one or more user directories. In addition, policy domains require one or more administrator accounts that can make changes to the objects within the policy domain. Policy domains contain realms, rules, responses, and policies (and optionally, rule groups and response groups). An administrator with the appropriate privileges assigns a policy domain to one or more administrators. For information about administrator privileges, see Policy Server Administrators.

The resources in a policy domain can be grouped in one or more realms. A realm is a set of resources with a common security (authentication) requirement. Access to resources is controlled by rules, which are associated with the realm that contains the resource. The following diagram illustrates a small policy domain which contains realms and their associated rules, as well as a rule group, response group, and a pair of responses.

Graphic showing an example of a domain and the related SiteMinder objects

By grouping realms and rules in a policy domain, you can provide organizations with a secure domain for their resources. In the policies section, you learn how to create policies within a policy domain to control access to the policy domain’s resources.

In the sample diagram below, a Marketing policy administrator who is assigned to the Marketing policy domain can manage the Marketing Strategy and Marketing Projects realms. The policy domain ensures that the Engineering administrator, who does not have administrative privileges for the Marketing policy domain, cannot control resources belonging to the Marketing department. Note, however, that the Marketing policy domain is associated with a user directory that also contains engineering users: administrative scope and user membership are separate things.

If the administrator for the Marketing department creates a policy within the Marketing policy domain that allows Engineering staff to access the resource Project 2.html, engineering users can access the resource.

Graphic showing an example of users and administrators access domains

More information:

Policies

Domains and User Membership

Besides acting as a container for domain objects, policy domains also connect to user directories. The Policy Server authenticates users based on the requirements of the realm in which the target resource resides. In order to authenticate a user, the Policy Server must find the user directory where a user is defined. The Policy Server does this by locating the policy domain to which a realm belongs. From the policy domain, the Policy Server queries the user directories specified in the policy domain’s search order.

The search order is defined when you add user directory connections to a policy domain. The order in which you add directory connections is the order in which the Policy Server searches for a user, and the first directory in which the user is found is the one used. For example, if you set up a policy domain for a company migrating user data from a WinNT directory to an LDAP directory, and you want the Policy Server to search the new LDAP directory first and only then look in the WinNT user directory, add the LDAP directory connection to the policy domain first, then add the WinNT user directory connection.
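The lookup path described above (resource, then realm, then policy domain, then the domain's directories in search order) as an added illustration. This is a simplified model written for this page, not SiteMinder code: directories are plain dictionaries, a realm is matched to a resource by path prefix (an assumption made for the example), and all users, directory names and paths are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UserDirectory:
    """A user directory connection. `users` maps username -> attributes (constructed sample data)."""
    name: str
    users: dict


@dataclass
class PolicyDomain:
    """A policy domain holds its directory connections in the order they were added."""
    name: str
    directories: List[UserDirectory] = field(default_factory=list)

    def add_directory(self, directory: UserDirectory) -> None:
        # Order of addition defines the search order.
        self.directories.append(directory)


@dataclass
class Realm:
    """A realm groups resources under a path prefix and belongs to exactly one policy domain."""
    name: str
    resource_filter: str
    domain: PolicyDomain


def find_realm(realms: List[Realm], resource: str) -> Optional[Realm]:
    """Assumption for this example: the realm with the longest matching prefix wins."""
    matches = [r for r in realms if resource.startswith(r.resource_filter)]
    return max(matches, key=lambda r: len(r.resource_filter)) if matches else None


def locate_user(realms: List[Realm], resource: str, username: str) -> Optional[str]:
    """Return the name of the first directory (in the domain's search order) that defines the user.

    Returns None if the resource is not protected by any realm or the user is not found anywhere.
    """
    realm = find_realm(realms, resource)
    if realm is None:
        return None
    for directory in realm.domain.directories:
        if username in directory.users:
            return directory.name
    return None


def build_sample() -> List[Realm]:
    """Constructed migration scenario: 'bob' exists in both directories, 'carol' only in the old one."""
    ldap = UserDirectory("CorpLDAP", {"alice": {"dept": "marketing"}, "bob": {"dept": "engineering"}})
    winnt = UserDirectory("LegacyNT", {"bob": {"dept": "engineering"}, "carol": {"dept": "marketing"}})

    # New directory added first, so it is searched first.
    marketing = PolicyDomain("Marketing")
    marketing.add_directory(ldap)
    marketing.add_directory(winnt)

    # Same directories added in the opposite order, to show that order changes the answer.
    legacy_first = PolicyDomain("Archive")
    legacy_first.add_directory(winnt)
    legacy_first.add_directory(ldap)

    return [
        Realm("Marketing Strategy", "/marketing/strategy/", marketing),
        Realm("Marketing Projects", "/marketing/projects/", marketing),
        Realm("Archive", "/archive/", legacy_first),
    ]


REALMS = build_sample()

if __name__ == "__main__":
    for res, user in [("/marketing/projects/project2.html", "bob"),
                      ("/marketing/projects/project2.html", "carol"),
                      ("/archive/old.html", "bob"),
                      ("/public/index.html", "bob")]:
        print(res, user, "->", locate_user(REALMS, res, user))
```

The point to take from the model is that when a user exists in more than one directory of a domain, the first directory in the search order is authoritative: with LDAP first, a stale WinNT account cannot shadow the migrated LDAP entry for "bob", but in the domain where WinNT was added first it does.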

How to Configure a Policy Domain

You configure a policy domain to create a logical grouping of resources associated with one or more user directories.

Note: You can edit a policy domain’s properties if you need to add a realm in the future.

The following process lists the steps for configuring a new policy domain:

  1. Configure the Policy Domain
  2. Assign User Directories
  3. Create a Realm

More information:

Realms