Policies and Responses

The policies and responses used in the examples in the remainder of the chapter are illustrated in the following diagram and described below.

The following is a description of each of the sample policies and the objects contained in each policy.

Employee Policy

This policy contains a Get rule that protects the employee.html resource. This resource is located in the /employees realm. The policy binds the user group cn=employees, so that all employees in the LDAP directory can access the resource once they are successfully authenticated. When an authenticated user is authorized by this policy, SiteMinder returns a response of the user’s email address.

For example, if employee1 attempts to access /home/employees/employee.html and is successfully authenticated, the Policy Server allows employee1 to access the resource and returns the email address: employee1@myorg.org

A Web application can use this response for customization when accessing other company resources.

Manager Policy

This policy contains a Get rule that protects the manager.html resource. This resource is located in the /manager realm. The policy binds the user group cn=managers, so that only employees contained in the cn=managers group can access the resource once they are successfully authenticated.

When an authenticated manager is authorized by this policy, SiteMinder returns a static response. In the example, if employee3 attempts to access /home/employees/managers/manager.html and is successfully authenticated, the Policy Server allows employee3 to access the resource and returns the following response:

manager=YES

An application can use this response to activate features that are only available to company managers.

Restricted Policy

This policy contains a Get rule that protects the restricted.html resource. This resource is located in the /restricted realm.

The policy binds only the employees in the directory who have an access level user attribute of two (a_lvl=2). Managers with the correct access level can access the resource once they are successfully authenticated. When a user attempts to access the restricted.html resource, SiteMinder returns a response of a_lvl=<0-2>. For example, if employee4 attempts to access /home/employees/managers/restricted/restricted.html and is successfully authenticated, the Policy Server allows employee4 to access the resource and returns the following response:

a_lvl=2

An application can use this response to activate features that are only available to employees with an access level of two.
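The following is an added example, not SiteMinder code, that models the three sample policies above as a small authorization check: each request is evaluated in the most specific (longest-prefix) realm, the matching Get rule's group or attribute binding is tested, and the policy's response is returned. The directory entries are constructed, and the LDAP attribute name mail for the user's email address is assumed.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Realms are identified by the resource-path prefix they protect (paths from the page).
# A request is evaluated in the longest matching prefix, so a request for
# /home/employees/managers/restricted/restricted.html lands in the restricted realm.
REALMS = ["/home/employees/", "/home/employees/managers/", "/home/employees/managers/restricted/"]

@dataclass
class Policy:
    realm: str                                   # realm prefix the rule belongs to
    resource: str                                # resource protected by the Get rule
    group: Optional[str] = None                  # user-group binding (cn=...)
    attr: Optional[Tuple[str, str]] = None       # user-attribute binding, e.g. ("a_lvl", "2")
    response: Callable[[dict], str] = lambda u: ""  # response returned on authorization

POLICIES = [  # the Employee, Manager and Restricted policies described above
    Policy(REALMS[0], "employee.html", group="cn=employees",
           response=lambda u: u["attrs"]["mail"]),            # user's email address (attribute name assumed)
    Policy(REALMS[1], "manager.html", group="cn=managers",
           response=lambda u: "manager=YES"),                  # static response
    Policy(REALMS[2], "restricted.html", attr=("a_lvl", "2"),
           response=lambda u: "a_lvl=" + u["attrs"]["a_lvl"]),
]

USERS = {  # constructed directory entries; group membership and a_lvl are sample values
    "employee1": {"groups": {"cn=employees"}, "attrs": {"mail": "employee1@myorg.org", "a_lvl": "0"}},
    "employee3": {"groups": {"cn=employees", "cn=managers"}, "attrs": {"mail": "employee3@myorg.org", "a_lvl": "1"}},
    "employee4": {"groups": {"cn=employees", "cn=managers"}, "attrs": {"mail": "employee4@myorg.org", "a_lvl": "2"}},
}

def realm_for(path: str) -> Optional[str]:
    """Return the most specific (longest-prefix) realm containing the path, if any."""
    matches = [r for r in REALMS if path.startswith(r)]
    return max(matches, key=len) if matches else None

def authorize(user: dict, method: str, path: str) -> Tuple[bool, Optional[str]]:
    """Authorize an already-authenticated user for a request; return (allowed, response)."""
    realm = realm_for(path)
    resource = path.rsplit("/", 1)[-1]
    for pol in POLICIES:
        if pol.realm != realm or method != "GET" or resource != pol.resource:
            continue                                   # this rule does not cover the request
        if pol.group is not None and pol.group not in user["groups"]:
            return False, None                         # user is not in the bound group
        if pol.attr is not None and user["attrs"].get(pol.attr[0]) != pol.attr[1]:
            return False, None                         # attribute binding not satisfied
        return True, pol.response(user)
    return False, None                                 # no policy applies: deny by default
```

Note that employee3, a manager with a_lvl=1, is denied restricted.html even though the manager policy authorizes manager.html, because the restricted realm's policy binds on the attribute rather than on group membership.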