Create a Global Rule for Authorization Event Actions

Global rules that include SiteMinder authorization events allow SiteMinder to call responses based on whether a user is or is not authorized for the resource the user requested. Authorization events occur after a user is authenticated, if a rule that protects a resource contains an On-Access event. When the user has been granted or denied access based on their privileges, the appropriate event is triggered.

The following is a list of possible On-Access events:

On-Access-Accept

Occurs as the result of successful authorization. This event may be used to redirect users who are authorized to access a resource.

On-Access-Reject

Occurs as the result of failed authorization. This event may be used to redirect users who are not authorized to access a resource.

When a user is authorized (or rejected), the Policy Server passes any responses associated with the applicable On-Access rule back to the requesting Agent.

Note: When you create or modify a Policy Server object in the Policy Server User Interface, use ASCII characters. Object creation or modification with non-ASCII characters is not supported.

To create a global rule for authorization event actions

  1. Log in to the Policy Server User Interface.
  2. In the Object pane, click the Global Policies tab.
  3. Click the Global Rules icon.

  4. From the Edit menu, select Create Rule.

    The Global Rule dialog opens.

  5. In the Name field, enter the name of the new global rule.
  6. Optionally, in the Description field, enter a brief description of the new global rule.
  7. In the Agent field, enter the name of the Agent or Agent Group to which the global rule applies.

    To search for an Agent or Agent Group name, you can click the Lookup button.

    If you specify an Agent Group in a global rule and you have also configured domain-specific rules associated with the same resource, you can adversely affect system performance by effectively duplicating processing steps. When configuring global rules and global policies, be sure to consider domain-specific rules that may duplicate the responses generated by global rules. Note that in such cases, only one response is returned to the Agent, since the Policy Server automatically deletes duplicate responses before passing information back to a requesting Agent.

  8. In the Resource Filter field, enter the filter that determines which resources the global rule affects.

    A resource can be a specific file or an expression that uses resource matching.

  9. In the Action group box, select the Authorization Events radio button.
  10. In the Action group box, select an OnAccess action from the drop-down list to the right of the radio buttons.
  11. Click Apply to save the rule, or click OK to save the rule and return to the SiteMinder Administration window.

More information:

Responses and Response Groups

Start the Policy Server User Interface

Global Rule Dialog

Resource Matching and Regular Expressions