

Configure a Rule for Impersonation Event Actions

You configure a rule for impersonation events to start impersonation sessions when resources are accessed.

To create a rule

  1. Click Policies, Domains.
  2. Click Rule, Create Rule.

    The Create Rule: Select Domain pane opens.

  3. Select a domain from the Domain list, and click Next.

    The Create Rule: Select Realm pane opens.

  4. Select the realm that includes the resources that you want the rule to protect, and click Next.

    The Create Rule: Define Rule pane opens.

    Note: If a realm does not exist for the resources that you want to protect, a rule cannot be created to protect those resources.

  5. Type the name and a description of the rule in the fields on the General group box.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. Type the resource the rule is to protect in the Resource field.

    The Effective Resource updates to include the resource.

  7. Select the Impersonation events radio button in the Action group box.

    The Action List populates with impersonation events.

    Note: The Allow Access and Deny Access options are disabled. These options do not apply to impersonation events.

  8. Select one or more impersonation events from the Action List.
  9. (Optional) Set time restrictions and/or an active rule in the Advanced group box.
  10. Click Finish.

    The rule is saved and applied to the specified realm and resource.

More information:

Impersonation

Regular Expressions for Resource Matching

Impersonation Realms and Events

Advanced Rule Options

Resource Matching and Regular Expressions

Rules may use resource matching and regular expression matching to specify resources in a realm.

Standard Resource Matching

By default, resource matching for a rule is done with wildcards.

The following table describes the characters that are supported for resource matching.

Character   Use

*           The wildcard (*) matches any sequence of characters in the string. The expression *.html matches all files with a .html file extension, such as index.html, out.html, and so forth.

?           The question mark (?) matches exactly one character of the string. The expression lmn?p matches the sub-strings lmnop, lmnep, and so forth.

Regular Expressions for Resource Matching

Regular expressions allow for greater flexibility in resource matching. To enable regular expression matching, in the SiteMinder Rule dialog, select the Regular Expression check box.

Regular expressions are text patterns used for string matching. Examples of the syntax used in regular expressions are shown in the following table:

Characters   Results

\            Used to quote a meta-character (such as '*')

\\           Matches a single '\' character

(A)          Groups subexpressions (affects order of pattern evaluation)

[abc]        Simple character class (any character within the brackets matches the target character)

[a-zA-Z]     Character class with ranges (any character in a range within the brackets matches the target character)

[^abc]       Negated character class

.            Matches any character other than newline

^            Matches only at the beginning of a line

$            Matches only at the end of a line

A*           Matches A 0 or more times (greedy)

A+           Matches A 1 or more times (greedy)

A?           Matches A 1 or 0 times (greedy)

A{n}         Matches A exactly n times (greedy)

A{n,}        Matches A at least n times (greedy)

A{n,m}       Matches A at least n but not more than m times (greedy)

A*?          Matches A 0 or more times (reluctant)

A+?          Matches A 1 or more times (reluctant)

A??          Matches A 0 or 1 times (reluctant)

AB           Matches A followed by B

A|B          Matches either A or B

\1           Backreference to 1st parenthesized subexpression

\n           Backreference to nth parenthesized subexpression

Limit: Each regular expression can contain no more than 10 subexpressions, including the expression itself. The number of subexpressions equals the number of left or opening parentheses in the regular expression plus one more left parenthesis for the expression itself.
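The following is an added example, not SiteMinder code, that models the two matching modes described above (wildcard and regular expression) and the stated subexpression limit. It assumes that a wildcard pattern must match the whole resource, that a regular expression matches anywhere in the resource unless it is anchored with ^ or $, and that a backslash-escaped parenthesis is a literal and is not counted toward the limit.

```python
import re

# Added example (not SiteMinder code): model standard wildcard matching,
# regular-expression matching, and the 10-subexpression limit from the text.

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Standard resource matching: '*' matches any run of characters and
    '?' matches exactly one; everything else is literal. Anchored so the
    whole resource must match the pattern (an assumption)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def wildcard_match(pattern: str, resource: str) -> bool:
    return wildcard_to_regex(pattern).search(resource) is not None

def regex_match(pattern: str, resource: str) -> bool:
    """Regular-expression mode. Unanchored unless the pattern itself uses
    ^ or $ (an assumption drawn from the table's entries for ^ and $), so
    an unanchored pattern can match resources outside the intended path."""
    return re.search(pattern, resource) is not None

MAX_SUBEXPRESSIONS = 10  # limit stated in the text

def count_subexpressions(pattern: str) -> int:
    """Opening parentheses plus one for the expression itself, per the
    text's counting rule. Assumption: a backslash-escaped '\\(' is a
    literal and is not counted."""
    count, escaped = 1, False
    for ch in pattern:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "(":
            count += 1
    return count

def regex_rule_is_valid(pattern: str) -> bool:
    """True when the pattern stays within the stated subexpression limit."""
    return count_subexpressions(pattern) <= MAX_SUBEXPRESSIONS
```

Comparing regex_match on an anchored and an unanchored form of the same pattern shows why ^ and $ matter when the rule is meant to cover only one path prefix.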

Enable and Disable Rules

You enable a rule to ensure SiteMinder protects the specified resources. You disable a rule to prevent SiteMinder from protecting the specified resources.

If a rule is enabled, no one may access the protected resource(s) unless a policy that contains the rule has been created, and the user attempting to access the resource is part of a group specified in the policy. To allow access to resources before a policy is put into place, you can disable the rule.

To enable or disable a rule

  1. Open the rule.
  2. Select the Enabled check box to enable the rule; clear the Enabled check box to disable the rule.
  3. Click Submit.

    The rule is saved.

Advanced Rule Options

The Advanced group box on the Rule pane is where you define additional rule settings. This group box lets you set time restrictions and active rules. Time restrictions and active rules are discussed in the following sections.

Add Time Restrictions to Rules

You configure time restrictions to specify when SiteMinder should fire the rule.

Configuring a time restriction from 9 a.m. to 5 p.m., Monday through Friday, for example, specifies that SiteMinder should fire the rule only during that time. Users have access to the resource when the rule is set to fire. The resource is not available outside of the specified time.

Note: More information about how SiteMinder handles time across multiple time zones exists in How the Web Agent and Policy Server Calculate Time.

To configure a time restriction

  1. Click Set in the Time Restrictions group box.

    The Time Restrictions pane appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. Specify starting and expiration dates.
  3. Specify time restrictions in the Hourly Restrictions table.

    Note: Each check box represents one hour. When a check box is selected, the rule fires during that hour, and the rule applies to the specified resources. When a check box is cleared, the rule does not fire during that hour, and the rule will not apply to the specified resources.

  4. Click OK.

    The time restrictions are saved, and the rule settings appear.
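The following is an added example, not SiteMinder code, that evaluates a time restriction with the semantics given above: each selected check box in the Hourly Restrictions table means the rule fires during that hour, and the starting and expiration dates bound the restriction. It assumes the date bounds are inclusive and models the table as a dict from weekday (Monday = 0, as in datetime.weekday()) to the set of selected hours; time-zone handling is covered in a separate topic and is not modelled.

```python
from datetime import date, datetime

# Added example (not SiteMinder code): evaluate whether a rule with a
# time restriction fires at a given moment. Hours are Policy Server local
# time; cross-time-zone handling is documented elsewhere and not modelled.

def business_hours() -> dict:
    """Constructed grid for '9 a.m. to 5 p.m., Monday through Friday': the
    check boxes for hours 9 through 16 are selected, so the box covering
    17:00 to 17:59 is cleared and the rule stops firing at 17:00."""
    return {day: set(range(9, 17)) for day in range(5)}

def rule_fires(when: str, start: str, expiration: str, hourly: dict) -> bool:
    """True when the rule fires at ISO timestamp `when`: the date lies within
    the starting and expiration dates (inclusive, an assumption) and the
    check box for that weekday and hour is selected."""
    at = datetime.fromisoformat(when)
    first, last = date.fromisoformat(start), date.fromisoformat(expiration)
    if not (first <= at.date() <= last):
        return False
    return at.hour in hourly.get(at.weekday(), set())
```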

Configure an Active Rule

You configure an active rule for dynamic authorization based on external business logic. The Policy Server invokes a function in a customer-supplied shared library. This shared library must conform to the interface specified by the Authorization API, which is available in the Software Development Kit.

Note: For more information about shared libraries, see the Programming Guide for C.

To configure an Active Rule

  1. Specify the library name, function name, and function parameters in the fields on the Active Rule group box.

    The active rule string is displayed in the Active Rule field.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. Click Submit.

    The active rule is saved.

Delete a Rule

If you delete a rule, the rule is automatically removed from the policies that included the rule. However, the policies remain on your system. Verify that the policies function without the deleted rule.

Note: Policies must contain at least one rule.

When you delete a rule that is included in a rule group, it may take several seconds before the deleted rule is removed from the rule group. It may also take a short amount of time for all deleted objects to be removed from caches.

Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.