Standard SiteMinder policies are created in the context of a single policy domain. However, large production environments may contain thousands of domains. In this type of environment it can be useful to define types of behavior (represented by policies) that are common for many domains. Using standard policies, the same policy must be recreated for each domain that requires the same behavior. Global policies allow you to configure policies (and their associated rules and responses) as system level objects, that are applied across all domains.
The following terms are used for discussing global policies:
An access rule allows or denies access to a resource. Global policies do not include access rules. Only event rules may be added to global policies.
An event rule is invoked when an authentication or authorization event occurs. Behaviors that are commonly implemented across all domains are associated with event rules, and may be included in global policies.
A policy which is defined as a system object.
A rule which is defined as a system object.
A response which is defined as a system object.
A logical entity used for policy definition. It consists of a rule- response pair. A policy may contain one or more policy links.
The following sections discuss the characteristics of global policy objects, outlining the basic similarities and differences when compared to their standard (nonglobal) counterparts.
Differences:
Similarities:
Differences:
Differences:
Note: Individual domains can be explicitly enabled or disabled for global policy processing.
Similarities:
When the global policy is processing, the responses that are defined for the fired global rules are added to the list of other responses. A global rule fires when the following conditions are true:
Important! The standard policy takes precedence over the global policy if Global policies processing is enabled for the domain and both standard rule and global rule are bound to the same agent or agent group.
SiteMinder uses a policy-based access control model. A SiteMinder policy defines the type of access a user has to a particular resource and what happens when the user accesses the resource. Each standard SiteMinder policy is a linkage between a set of users and a set of resources, and is designed to protect resources by binding together users, rules and responses. Every policy must specify the users or groups of users to which the policy applies. Users can be either included or excluded from the policy.
In addition, a standard policy must contain at least one rule or rule group. Rules are the parts of a policy that determine precisely which resources are protected and what type of action should cause a rule to fire. A rule identifies a resource or resources that are included in the policy using a combination of a string-based resource filter and action. The filter in turn consists of realm filter and rule filter. For information about realms, rules, and responses in standard SiteMinder policies, see the following:
SiteMinder objects can be of two types: system level and domain level. In a standard (non-global) SiteMinder policy, all policy objects must be created in the context of a specific domain. However, global policies are system level policies that may be applied across all domains in a SiteMinder deployment. An administrator with system level privileges can define global policies, that include global rules and global responses. These global policies may be applied to any resource in any domain.
Global objects are similar to their standard, domain-specific counterparts. The roles of global objects in a global policy definition are different from domain-specific policy objects in the way they are created and linked to form policies. However, there are no global domain or global realm objects.
Policies are evaluated as described in Policy Processing. In addition, any global rules contained in global policies will fire if the following conditions are met:
Whenever an authentication or an authorization event happens the responses defined for the fired global rules are added to the list of other responses.
Copyright © 2012 CA.
All rights reserved.
|
|