Policy Server Guides › Policy Server Configuration Guide › Enterprise Policy Management › Use Cases for Defining Application Security Policies Using Application Objects › Application Security Policies with User Mapping and Named Expressions

Application Security Policies with User Mapping and Named Expressions

In this use case, a retail clothing company wants to define a role preventing customers from making web-based credit purchases if they have exceeded their credit limit. The company policy dictates that customers have a $1,000 credit limit, while company employees may have a $2,000 credit limit.

You can create an application security policy using attribute mapping, named expressions (virtual user attributes and user classes) and roles to satisfy the company's credit policy.

Given:

• The SiteMinder environment contains two user directories.
• Directory A stores employees. Employees can also be customers. Therefore, Directory A identifies employees that are also customers that belong to:

  group:cn=Customers,ou=Groups,o=acme.com
  

• Directory B only stores customers. Directory B does not have a user attribute that identifies customers because to store a user in Directory B implies the user is a customer.

Solution:

1. Define an attribute mapping.
2. Establish a named expression.
3. Use the attribute mapping and expression to establish roles.
4. Create a response to further customize the application.
5. Create an application security policy.

More information:

Named Expressions

Establish Mappings for the Two User Directories

The retail company maintains two directories. To create a universal schema that identifies customers in both user directories use attribute mappings, which you create in the Administrative UI.

To create attribute mappings for this use case

1. Create a group membership attribute for Directory A:
   • Name the attribute IsCustomer.
   • Define IsCustomer as: cn=Customers,ou=Groups,o=acme.com
2. Create a constant attribute for Directory B:
   • Name the attribute IsCustomer.
   • Define IsCustomer as "TRUE".

IsCustomer results in a common view of the same user information. You can reference IsCustomer in an expression to determine whether a user is a customer.

Review the section Define Attribute Mappings for detailed procedures on how to configure attribute mappings.

Define Named Expressions to Check the Credit Limit

Named expressions enable SiteMinder to calculate each users credit limit and account balances. An expression can also determine if customers are over their credit limit.

To define named expressions for this use case

1. Define a virtual user attribute that calculates a $1,000 dollar credit limit for customers and a $2,000 credit limit for employees:
   • Name the attribute #CreditLimit.
   • Define #CreditLimit as:

     IsCustomer?1000:2000
     

     This calculation contains SiteMinder supported expression syntax.

2. Define a virtual user attribute that retrieves account balances from the accounting database:
   • Name the attribute #Balance
   • Define the attribute as:

     (MyLibrary.GetBalance(""))
     

     This attribute definition is an active expression defined by the clothing retailer.

3. Create a user class expression that determines if customers are over their credit limit:
   • Name the attribute @IsUnderCreditLimit
   • Define the attribute as:

     (#Balance > #CreditLimit)
     

Read Define Named Expressions for details on creating virtual user attributes and user class expressions.