

Create Employee and Manager Roles

After defining the specific components of an application that require protection, you can specify the roles that users may be assigned. A role is the set of users who have access to a particular resource, and each set is defined by an expression.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create a role

  1. Click the Roles tab.
  2. Click Create.

    The Create Role pane appears.

  3. Verify that the Create radio button is selected, and click OK.
  4. Enter values for the fields in the General group box. For this use case, enter the following:
    Name

    Employees

    Description

    All employees of Acme Financial Services

  5. Enter an expression in the Membership group box. For this use case, enter the following:
    Expression

    TRUE

    To form an expression, you can use the Expression Editor. To access the editor, click Edit.

  6. Click Submit.
  7. Repeat steps 2–4 to create a second role called Managers, as follows:
    Name

    Managers

    Description

    Managers of Acme Financial Services

    Expression

    BOOLEAN(IsManager)

    IsManager is the attribute mapping that was defined for the LDAP user directory.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

More information:

Create an Attribute Mapping for Group Membership

Use a Response to Supply Data to the Application

To make the human resources application more user friendly for employees of Acme Financial Services, you can configure a response that provides the employee ID on their benefit records.

To create a response that provides the employee ID:

  1. Click the Response tab in the Application dialog.
  2. Click Create Response.

    The Create Response dialog opens.

  3. Complete the fields as follows:
    Name

    Employee ID

    Description

    Lists the employee ID.

  4. Click Create Response Attribute.

    The Create Response Attribute dialog opens.

  5. Complete the fields as follows:
    Attribute

    WebAgent-HTTP-Header-Variable

    Attribute Kind

    User Attribute

    Attribute Fields—Variable Name

    Personnel_Key

    Attribute Fields—Variable Value

    EmployeeID

    Note: Complete descriptions of response attributes exist in the Web Agent Configuration Guide.

  6. Keep the defaults for all the other fields.
  7. Click OK until you return to the main Response tab.

The response named Employee ID has been created. When an employee views her benefits information, the data from this response is returned to the human resources application and her customer ID is displayed in the benefits record.

Establish a Policy Based on Roles

After you have defined the resources and roles, you can group these objects into application security policies.

To create the application security policies

  1. Click the Policies tab.

    The Policies pane opens and displays a table listing the configured resources and roles. This table lets you quickly see which roles can be granted access to which resources.

  2. Do the following:
    1. Check the Employees role in the Benefits Management row to create a policy that allows all employees to manage their benefits.
    2. Check the Managers role in the Performance Appraisals row to create a policy that allows only managers to access the performance appraisals.
  3. Click Submit.

You have created two security policies for the human resources application based on roles.

Note: If you need to edit resources or roles, you must make the changes on the respective tabs and not on the Policies pane.
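The following added example is not Policy Server code; it is a small Python model of the chain configured in this use case (role membership expressions, the role-based policy grid, and the Employee ID response), evaluated against constructed directory records. It assumes that a user attribute missing from the directory record evaluates to FALSE in BOOLEAN(), and that the values "true", "1" and "yes" count as TRUE.

```python
from typing import Dict, Set

# Role membership expressions exactly as entered on the Roles tab.
ROLES = {"Employees": "TRUE", "Managers": "BOOLEAN(IsManager)"}

# Policies as checked in the Policies grid: resource -> roles granted access.
POLICIES = {
    "Benefits Management": {"Employees"},
    "Performance Appraisals": {"Managers"},
}

# Response "Employee ID": header variable name -> user attribute it carries.
RESPONSE = {"Personnel_Key": "EmployeeID"}


def evaluate(expression: str, user: Dict[str, str]) -> bool:
    """Evaluate the two expression forms used on this page.

    Assumption (not taken from the page): an attribute that is absent from
    the directory record evaluates to False, so a user without the IsManager
    mapping is never placed in the Managers role by accident.
    """
    if expression == "TRUE":
        return True
    if expression.startswith("BOOLEAN(") and expression.endswith(")"):
        attr = expression[len("BOOLEAN("):-1]
        return str(user.get(attr, "false")).lower() in ("true", "1", "yes")
    raise ValueError(f"unsupported expression: {expression}")


def roles_for(user: Dict[str, str]) -> Set[str]:
    """All roles whose membership expression is true for this user."""
    return {name for name, expr in ROLES.items() if evaluate(expr, user)}


def is_allowed(resource: str, user: Dict[str, str]) -> bool:
    """Access is granted when the user holds any role checked for the resource."""
    return bool(POLICIES.get(resource, set()) & roles_for(user))


def response_headers(user: Dict[str, str]) -> Dict[str, str]:
    """Headers the Web Agent would pass to the HR application for this user."""
    return {hdr: user[attr] for hdr, attr in RESPONSE.items() if attr in user}


# Constructed directory records for illustration only.
ALICE = {"uid": "alice", "EmployeeID": "E1001", "IsManager": "TRUE"}
BOB = {"uid": "bob", "EmployeeID": "E1002"}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["uid"], sorted(roles_for(user)),
              is_allowed("Performance Appraisals", user), response_headers(user))
```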

Include Metadata that Describes the Application

Acme-financial.com wants to ensure that there is some descriptive information about the internal human resources application. Custom attributes can be used to define metadata that describes the application.

The information that Acme-financial wants is the purpose of the application and the date the application was completed.

Follow these steps:

  1. Click the Custom Attributes tab.

    The Custom Attributes dialog opens.

  2. Click Create.

    A table appears with Name and Value fields.

  3. Enter values for the fields in the custom attributes table. For this use case, enter the following:
    Name

    App_Completed

    Value

    November_22_2007

  4. Click Create to add another row to the table, then enter the following:
    Name

    Purpose

    Value

    Human_Resource_Mgmt

  5. Click Submit.