Previous Topic: How to Configure a PolicyNext Topic: Add a Confidence Level to a Policy

Policy Server GuidesPolicy Server Configuration GuidePoliciesHow to Configure a PolicyCreate the Policy

Create the Policy

You can create a policy by adding it to a new or existing domain. Policies define relationships between users and resources.

To create a policy and add it to an existing domain

  1. Click Policies, Domains.
  2. Click Domain, Modify Domain.

    The Modify Domain pane opens.

  3. Specify search criteria, and click Search.

    A list of domains that match the search criteria opens.

  4. Select a domain, and click Select.

    The Modify Domain: Name pane opens.

  5. Click the Policies tab on the Domain pane.

    The Policies section opens.

  6. Click Create.

    The Create Policy pane opens.

  7. Verify that Create a new object is selected, and click OK.

    The Create Policy: Name pane opens.

  8. Type the name and a description of the policy in the fields on the General section.
  9. Click the Users tab.

    The User Directories section opens.

  10. Add users, user groups, or both to the policy, and click OK.

    The Modify Domain: Name pane reopens.

  11. Click Submit.

    The Modify Domain Task is submitted for processing.

Add Users to a Policy

You can add individual users, user groups, or both to a policy and create a policy binding between the added users and the policy. When a user tries to access a protected resource, the policy verifies that the user is part of its policy binding and then fires the rules included in the policy to see if the user is allowed to access the resource.

To add users to a policy

  1. Click the Users tab on the Policy pane.

    The User Directories pane opens and contains group boxes for each user directory associated with the policy domain.

  2. Add users or groups from the user directory to the policy.

    From within each user directory group box, you can choose Add Members, Add Entry, Add All. Depending on which method you use to add users to the policy, a dialog box will open enabling you to add users.

    Note: If you select Add Members, the User/Groups pane opens. Individual users are not displayed automatically. Use the search utility to find a specific user within one of the directories.

    You can edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.

  3. Select individual users, user groups, or both using whatever method and click OK.

    The User Directories pane reopens and lists the policy's new users on the user directory's group box.

The task of binding users to the policy is complete.

More information:

View User Directory Contents

Policy Binding Establishment

Add Rules to a Policy

Rules indicate the specific resources included in a policy and whether to allow or deny access to the resources when the rule fires. Responses indicate the actions you want to occur when the rule fires.

Note: Add at least one rule or rule group to a policy.

Follow these steps:

  1. Click the Rules tab on the Policy pane.

    The Rules dialog opens.

  2. Click Add Rule.

    The Available Rules pane opens.

  3. Select the individual rules, rule groups, or both that you want to add to the policy, and click OK.

    The Rules section lists the added rules and groups.

  4. (Optional) Associate the rule with a response or response group.

    Note: To remove a rule or rule group from a policy, click the minus sign (-) to the right of the rule on the Rules section. To create a rule, click New Rule on the Available Rules pane.

Associate a Rule with a Response or Response Group

You can associate a response or response group with a rule in a policy. When the rule fires, the associated response also fires.

To associate a rule with a response or response group

  1. Click Add Response for the rule or rule group for which you want to associate a response.

    The Available Responses pane opens and lists the responses and response groups that have been configured for the policy domain.

  2. Select a response or response group, and click OK.

    The response opens in the Rules group box, and is associated with the respective rule.

    Note: If the response you require does not exist, click New Response to create the response.

Associate a Rule with a Global Response

You can associate a rule with an existing global response.

To associate a rule with a global response

  1. Click the Rules tab on the Policy pane.

    The Rules group box opens.

  2. Click the Add Response button next to the rule that you want to modify.

    The Available Responses pane opens.

    Note: Global responses, responses, and group responses are listed in that order on the Available Responses pane.

  3. Select a global response, and click OK.

    The Rules group box reopens, and the selected response is added to the rule.

  4. Click Submit.

    The Modify Policy Task is submitted for processing.

More information:

Global Policies, Rules, and Responses

Add an Expression to a Policy

You can create a Boolean expression and add it to a policy. Boolean expressions operate on variables, and the values of the variables at the time that the policy is processed affect the outcome of the processing. Thus, Boolean expressions influence policy decisions.

To add an expression to a policy

  1. Click the Expression tab on the Policy pane.

    The Expression group box opens.

  2. Click Edit.

    The Policy Expression pane opens.

  3. Type variable names in the fields on the Condition group box, or click Variable Lookup, select an operator from the drop-down list, and click Add.

    The condition is added to the Infix Notation group box.

    Note: To create multiple conditions, repeat this step.

  4. Select the conditions and click the buttons on the Infix Notation group box to create an expression.
  5. Click OK.

    The Expression group box reopens, and the expression is displayed in the field on the group box.

  6. Click Submit.

    The Modify Policy task is submitted for processing.