SiteMinder uses a policy-based access control model. A SiteMinder policy defines the type of access a user has to a particular resource and what happens when the user accesses the resource. Each standard SiteMinder policy is a linkage between a set of users and a set of resources, and is designed to protect resources by binding together users, rules and responses. Every policy must specify the users or groups of users to which the policy applies. Users can be either included in or excluded from the policy.
In addition, a standard policy must contain at least one rule or rule group. Rules are the parts of a policy that determine precisely which resources are protected and what type of action should cause a rule to fire. A rule identifies the resource or resources that are included in the policy using a combination of a string-based resource filter and an action. The resource filter in turn consists of a realm filter and a rule filter. For information about realms, rules, and responses in standard SiteMinder policies, see the following:
SiteMinder objects can be of two types: system level and domain level. In a standard (non-global) SiteMinder policy, all policy objects must be created in the context of a specific domain. Global policies, by contrast, are system-level policies that may be applied across all domains in a SiteMinder deployment. An administrator with system-level privileges can define global policies, which include global rules and global responses. These global policies may be applied to any resource in any domain.
Global objects resemble their standard, domain-specific counterparts; they differ in how they are created and in how they are linked together to form a global policy. There are, however, no global domain or global realm objects.
The following summarizes the differences between domain-specific and global policy objects.
| Policy Object | Domain Specific | Global |
|---|---|---|
| All | Created by domain administrators in the context of the specific domain. | Created by the system administrator at the system level. |
| Response | Can use variables-based attributes. | Cannot use variables-based attributes. |
| | Can be used only in a domain-specific policy. | Can be used in any global or domain-specific policy. |
| | Can be a member of a domain-specific response group only. | Can be a member of any global or domain-specific response group. |
| Rule | The resource filter is bound to a specific realm (realm filter + rule filter). | The resource filter is absolute (not bound to a specific realm). |
| | Associated with an agent through the realm. | Associated with a specific agent or agent group. The agent is explicitly specified when defining the rule. |
| | Can be defined as an access rule or an event rule. | Can be defined for authentication and authorization events only (event rule). |
| | Can be used in domain-specific policies only. | Can be used in global policies only. |
| | Can be a member of a domain-specific rule group only. | Can be a member of a global rule group only. |
| | Fires only for resources defined within a specific domain. | Can fire for resources in any domain for which global policy processing is enabled. |
| Policy | Bound to specific users or groups of users. | Bound to all users. |
| | Users can be included in or excluded from the policy. | Users cannot be included in or excluded from the policy. |
| | Can be defined using domain-specific rules/rule groups, domain-specific responses/response groups and global responses/response groups. | Can be defined only using global rules, global responses and groups of these objects. |
| | Can use variable expressions. | Cannot use variable expressions. |
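The following is an added illustration, not CA SiteMinder code or its API: a small Python model of the distinctions in the table above (a realm-bound filter built from realm filter + rule filter versus an absolute global filter, user include/exclude versus an all-users binding, global rules restricted to events, and global policies firing only in domains where global processing is enabled). Every class, field and sample value here is an assumption of this example, constructed so the evaluation order can be traced on sample requests.

```python
"""Toy model of domain-specific vs global policy evaluation (illustration only,
not SiteMinder's implementation; all names below are assumptions)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Event kinds a global rule may be defined for (constructed set for this example).
EVENT_ACTIONS = {"OnAuthAccept", "OnAuthReject", "OnAccessAccept", "OnAccessReject"}


@dataclass
class DomainRule:
    """Domain-specific rule: the resource filter is realm filter + rule filter."""
    realm_filter: str   # e.g. "/hr/" (the realm's resource prefix)
    rule_filter: str    # e.g. "payroll/*" relative to the realm
    action: str         # an access action (GET, POST, ...) or an event name

    def matches(self, resource: str, action: str) -> bool:
        return action == self.action and fnmatchcase(resource, self.realm_filter + self.rule_filter)


@dataclass
class GlobalRule:
    """Global rule: absolute resource filter, explicit agent, event rules only."""
    resource_filter: str  # e.g. "/*", not bound to any realm
    action: str
    agent: str            # named explicitly, since no realm supplies it

    def __post_init__(self) -> None:
        if self.action not in EVENT_ACTIONS:
            raise ValueError(f"global rules may only be event rules, got {self.action!r}")

    def matches(self, resource: str, action: str) -> bool:
        return action == self.action and fnmatchcase(resource, self.resource_filter)


@dataclass
class DomainPolicy:
    domain: str
    rules: list
    responses: list
    included_users: set
    excluded_users: set = field(default_factory=set)

    def applies_to(self, user: str, domain: str) -> bool:
        # Fires only within its own domain, and exclusion wins over inclusion.
        return domain == self.domain and user in self.included_users and user not in self.excluded_users


@dataclass
class GlobalPolicy:
    rules: list
    responses: list

    def applies_to(self, user: str, domain: str, global_enabled: set) -> bool:
        # Bound to all users; fires only where global policy processing is enabled.
        return domain in global_enabled


def evaluate(user, domain, resource, action, domain_policies, global_policies, global_enabled):
    """Return the responses of every policy with a rule that fires for this request."""
    fired = []
    for p in domain_policies:
        if p.applies_to(user, domain) and any(r.matches(resource, action) for r in p.rules):
            fired.extend(p.responses)
    for p in global_policies:
        if p.applies_to(user, domain, global_enabled) and any(r.matches(resource, action) for r in p.rules):
            fired.extend(p.responses)
    return fired


# Constructed sample configuration (not taken from any real deployment).
HR_POLICY = DomainPolicy(
    domain="hr",
    rules=[DomainRule("/hr/", "payroll/*", "GET")],
    responses=["hr-payroll-allow"],
    included_users={"alice", "bob"},
    excluded_users={"bob"},
)
AUDIT_POLICY = GlobalPolicy(
    rules=[GlobalRule("/*", "OnAuthAccept", agent="web-agent")],
    responses=["audit-login"],
)
GLOBAL_ENABLED = {"hr"}  # the "legacy" domain has global policy processing disabled


def decide(user, domain, resource, action):
    return evaluate(user, domain, resource, action, [HR_POLICY], [AUDIT_POLICY], GLOBAL_ENABLED)


if __name__ == "__main__":
    print(decide("alice", "hr", "/hr/payroll/q1.pdf", "GET"))       # ['hr-payroll-allow']
    print(decide("bob", "hr", "/hr/payroll/q1.pdf", "GET"))         # [] (bob is excluded)
    print(decide("carol", "hr", "/hr/login", "OnAuthAccept"))       # ['audit-login']
    print(decide("carol", "legacy", "/app/login", "OnAuthAccept"))  # [] (global processing off)
```

The point to take from the run is the order of checks a reviewer of a policy store should apply: a domain policy is gated first by domain and user membership, then by its realm-bound filter and action; a global policy skips the user check entirely and is gated only by whether the domain has global processing enabled and whether its absolute filter and event match.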
Copyright © 2011 CA. All rights reserved.