|
|
|
When you create rules that include OnAccessReject events, sometimes referred to as OnAccessReject rules, you must take into account how the Policy Server processes policies. This section outlines the special circumstances created by OnAccessReject rules.
An OnAccessReject rule will not fire if it is in the same policy as a GET / POST rule. When a user is authenticated, SiteMinder resolves the identity of the user. Therefore, if the OnAccessReject rule and the GET / POST rule are in the same policy, then a user who is allowed access to a resource is the same user who should be redirected on an OnAccessReject event. Since the user is allowed access, the reject event never applies.
To resolve this discrepancy, create a separate policy for the OnAccessReject rule (may also include other event rules) and specify the users for which it should apply.
For example, in an LDAP user directory, User1 should have access to a resource and everyone else in the group, ou=People, o=company.com, should be redirected to an OnAccessReject page. Two policies are required:
Includes a GET / POST rule that allows access for User1.
Includes the OnAccessReject rule and a Redirect response, and specifies the group, and ou=People, o=company.com.
Since User1 is authorized, the OnAccessReject rule will not fire when User1 access the resource. However, the OnAccessReject rule will fire for all other users in the group, ou=People, o=company.com, because they are not authorized to access the resource.
| Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |