Sun OpenSSO Enterprise 8.0 Integration Guide

Procedure: To Create Policies on OpenSSO Enterprise

For detailed information on creating policies on OpenSSO Enterprise, see Creating Policies and Referrals in Sun OpenSSO Enterprise 8.0 Administration Guide.

Create the following policies in the realm where the users will be provisioned. If a policy is to be created in a sub-realm, you must first create a Referral Policy in the top-level realm for the same URLs.

  1. Identity Manager User Policy

    This policy restricts access to the Identity Manager user pages to users in the idm_users role only. Because it grants nothing else, regular Identity Manager users are not allowed to access the Identity Manager administrator interface URIs.

    1. URL Policy

      For http://server:port/idm/user, allow GET and POST actions.

    2. URL Policy

      For http://server:port/idm/user/*, allow GET and POST actions.

    3. URL Policy

      For http://server:port/idm/user/*?*, allow GET and POST actions.

    Subject Type: OpenSSO Identity Subject | Role | idm_users

  2. Identity Manager Admin Policy

    This policy restricts access to the Identity Manager pages to users in the idm_admins role only. Users in this role can access all Identity Manager pages, both administrator and user pages.

    1. URL Policy

      For http://server:port/idm, allow GET and POST actions.

    2. URL Policy

      For http://server:port/idm/*, allow GET and POST actions.

    3. URL Policy

      For http://server:port/idm/*?*, allow GET and POST actions.

    Subject Type: OpenSSO Identity Subject | Role | idm_admins
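The following Python script is an added example, not part of this guide and not OpenSSO code. It models the two policies above (same resource patterns, actions and roles, with the guide's own server:port placeholder) as a default-deny evaluator so you can check, before deploying the policies, that a user holding only idm_users reaches the /idm/user pages and nothing else, while idm_admins reaches everything under /idm. The one assumption it encodes is the wildcard rule the three-pattern layout implies: `*` matches any characters except `?`, so the separate `*?*` pattern is what covers URLs carrying a query string.

```python
import re

# Constructed model of the two policies in this procedure. Each entry names
# the policy, its URL resource patterns, the allowed actions, and the role
# that the OpenSSO Identity Subject refers to.
POLICIES = [
    {
        "name": "Identity Manager User Policy",
        "resources": [
            "http://server:port/idm/user",
            "http://server:port/idm/user/*",
            "http://server:port/idm/user/*?*",
        ],
        "actions": {"GET", "POST"},
        "role": "idm_users",
    },
    {
        "name": "Identity Manager Admin Policy",
        "resources": [
            "http://server:port/idm",
            "http://server:port/idm/*",
            "http://server:port/idm/*?*",
        ],
        "actions": {"GET", "POST"},
        "role": "idm_admins",
    },
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a URL resource pattern into an anchored regex.

    Assumption modelled here (it is why the guide lists a separate '*?*'
    rule for each prefix): '*' matches any run of characters except '?',
    so a rule without '?' never covers a URL that carries a query string.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^?]*".join(literal_parts) + "$")


def grants(roles, action: str, url: str):
    """Return (policy name, matching pattern) pairs that allow the request.

    Useful when answering 'why was this denied?': an empty list means no
    policy for any of the caller's roles names a matching resource.
    """
    hits = []
    for policy in POLICIES:
        if policy["role"] not in roles or action not in policy["actions"]:
            continue
        for resource in policy["resources"]:
            if pattern_to_regex(resource).match(url):
                hits.append((policy["name"], resource))
    return hits


def is_allowed(roles, action: str, url: str) -> bool:
    """Default deny: allowed only if at least one policy grants the request."""
    return bool(grants(roles, action, url))


if __name__ == "__main__":
    # Constructed sample requests exercising the separation the guide describes.
    checks = [
        ({"idm_users"}, "GET", "http://server:port/idm/user"),
        ({"idm_users"}, "GET", "http://server:port/idm/user/changePassword.jsp"),
        ({"idm_users"}, "GET", "http://server:port/idm/user/list?sort=name"),
        ({"idm_users"}, "GET", "http://server:port/idm/admin/list.jsp"),
        ({"idm_users"}, "PUT", "http://server:port/idm/user"),
        ({"idm_admins"}, "POST", "http://server:port/idm/admin/list.jsp?page=2"),
        (set(), "GET", "http://server:port/idm/user"),
    ]
    for roles, action, url in checks:
        verdict = "ALLOW" if is_allowed(roles, action, url) else "DENY "
        print(f"{verdict} {action:4} {url}  roles={sorted(roles)}")
```

Running the script prints one line per sample request; the two DENY lines for idm_users (an admin URI and a non-listed action) and the DENY for a caller with no role are the behaviour the policies are meant to enforce. The `grants` helper is the part to keep handy: a request denied in production is explained by the absence of any matching (policy, pattern) pair, which usually points at a missing `*?*` rule or a policy created in a sub-realm without the top-level referral.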