Sun Java System Access Manager 7 2005Q4 Administration Guide

Modifying a Normal Policy

Through the Policies tab, you can modify a normal policy that defines access permissions. You can define and configure multiple rules, subjects, conditions and resource comparators. This section lists and describes the steps to do so.

Procedure: To Add or Modify a Rule to a Normal Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the rule. If not, see To Create a Normal Policy With the Access Manager Console.

  2. Under the Rules menu, click New.

  3. Select one of the following default service types for the rule. You may see a larger list if more services are enabled for the policy:

    Discovery Service

    Defines the authorization actions for Discovery service query and modify protocol invocations by web services clients for a specified resource.

    Liberty Personal Profile Service

    Defines the authorization actions for Liberty Personal Profile service query and modify protocol invocations by web services clients for a specified resource.

    URL Policy Agent

    Provides the URL Policy Agent service for policy enforcement. This service allows administrators to create and manage policies through a policy enforcer or policy agent.

  4. Click Next.

  5. Enter a name and resource name for the rule.

    Currently, Policy Agents only support http:// and https:// resources and do not support IP addresses in place of the hostname.

    Wildcards are supported for host, port, and resource names. For example:

    http*://*:*/*.html

    For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.

  6. Select the action for the rule. If you are using the URL Policy Agent service, you can select the following:

    • GET

    • POST

  7. Select the Action Values.

    • Allow — Enables you to access the resource matching the resource defined in the rule.

    • Deny — Denies access to the resource matching the resource defined in the rule.

    Denial rules always take precedence over allow rules. For example, if you have two policies for a given resource, one denying access and the other allowing access, the result is a deny access (provided that the conditions for both policies are met). It is recommended that deny policies be used with extreme caution as they may lead to potential conflicts between the policies. The policy definition process should only use allow rules. If no policy is applicable to a resource, access is automatically denied.

    If explicit deny rules are used, policies that are assigned to a given user through different subjects (such as role and/or group membership) may result in denied access to a resource even if one or more of the policies allow access. For example, if there is a deny policy for a resource applicable to an Employee role and there is another allow policy for the same resource applicable to a Manager role, policy decisions for users assigned both Employee and Manager roles would be denied.

    One way to resolve such problems is to design policies using Condition plug-ins. In the case above, a “role condition” that applies the deny policy to users authenticated to the Employee role and applies the allow policy to users authenticated to the Manager role helps differentiate the two policies. Another way could be to use the authentication level condition, where the Manager role authenticates at a higher authentication level.

  8. Click Finish.

Procedure: To Add or Modify a Subject to a Normal Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the subject. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.

  2. Under the Subject list, click New.

  3. Select one of the default subject types. For descriptions of the subject types, see Subjects.

  4. Click Next.

  5. Enter a name for the subject.

  6. Select or deselect the Exclusive field.

    If this field is not selected (default), the policy applies to an identity that is a member of the subject. If the field is selected, the policy applies to an identity that is not a member of the subject.

    If multiple subjects exist in the policy, the policy applies to the identity when the identity is a member of at least one subject.

  7. Perform a search in order to display the identities to add to the subject. This step is not applicable for the Authenticated Users subject or Web Services Client subjects.

    The default (*) search pattern will display all entries.

  8. Select the individual identities you wish to add for the subject, or click Add All to add all of the identities at once. Click Add to move the identities to the Selected list. This step is not applicable for the Authenticated Users subject.

  9. Click Finish.

  10. To remove a subject from a policy, select the subject and click Delete. You can edit any subject definition by clicking on the subject name.
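The evaluation semantics described in the rule and subject procedures above (wildcard resource names with default ports 80 and 443, exclusive and multiple subjects, deny overriding allow with default deny, and the Employee/Manager role-condition remedy), as an added illustrative model in Python. This is not Access Manager's own code; the policy and identity dictionary layout, the `tags` set and the `env["auth_role"]` key are assumptions made for the example.

```python
import re
DEFAULT_PORTS = {"http": "80", "https": "443"}

def split_url(text):
    """Split scheme://host[:port]/path; * passes through; missing port -> 80/443 by scheme, else *."""
    scheme, _, rest = text.partition("://")
    authority, _, path = rest.partition("/")
    host, _, port = authority.partition(":")
    return scheme, host, port or DEFAULT_PORTS.get(scheme, "*"), "/" + path

def glob_match(pattern, value):
    """Match with * as the only wildcard; it may span any run of characters."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def resource_matches(pattern, url):
    return all(glob_match(p, u) for p, u in zip(split_url(pattern), split_url(url)))

def subject_applies(subject, identity):
    """Non-exclusive subject: applies to members. Exclusive: applies to non-members."""
    member = bool(identity["tags"] & subject["members"])
    return (not member) if subject.get("exclusive") else member

def decide(policies, identity, url, action, env):
    """Collect action values of every applicable policy: deny overrides allow; none applicable -> deny."""
    values = set()
    for policy in policies:
        if not any(subject_applies(s, identity) for s in policy["subjects"]):
            continue  # identity must be a member of at least one subject
        if not all(cond(identity, env) for cond in policy["conditions"]):
            continue  # every condition of the policy must be met
        for rule in policy["rules"]:
            if resource_matches(rule["resource"], url) and action in rule["actions"]:
                values.add(rule["actions"][action])
    if "deny" in values:
        return "deny"
    return "allow" if "allow" in values else "deny"

# Constructed scenario from the text (made-up names): deny for Employee, allow for Manager, same resource.
RESOURCE = "https://intranet.example.com/reports/*.html"
EMPLOYEE_DENY = {"rules": [{"resource": RESOURCE, "actions": {"GET": "deny"}}],
                 "subjects": [{"members": {"Employee"}}], "conditions": []}
MANAGER_ALLOW = {"rules": [{"resource": RESOURCE, "actions": {"GET": "allow"}}],
                 "subjects": [{"members": {"Manager"}}], "conditions": []}
BOTH_ROLES = {"name": "alice", "tags": {"alice", "Employee", "Manager"}}

def with_role_condition(policy, role):
    """Same policy, restricted to sessions authenticated to the given role (assumed env key)."""
    cond = lambda identity, env: env.get("auth_role") == role
    return {**policy, "conditions": policy["conditions"] + [cond]}
```

Without the role conditions the user holding both roles is denied; scoping each policy with `with_role_condition` lets the allow policy win for a session authenticated to the Manager role.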

Procedure: To Add a Condition to a Normal Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the condition. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.

  2. Under the Conditions list, click New.

  3. Select the condition type and click Next.

  4. Define the fields for the condition type. For a description of the condition types, see Conditions.

  5. Click Finish.

Procedure: To Add a Response Provider to a Normal Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the response provider. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.

  2. Under the Response Providers list, click New.

  3. Enter a name for the response provider.

  4. Define the following values:

    StaticAttribute

    A response attribute whose name and values are defined in the IDResponseProvider instance and stored with the policy.

    DynamicAttribute

    The response attributes chosen here need to first be defined in the Policy Configuration Service for the corresponding realm. The attribute names defined should be the same as those existing in the configured datastore. For details on how to define the attributes see the Policy Configuration attribute definitions in the Access Manager online help.

  5. Click Finish.

  6. To remove a response provider from a policy, select the response provider and click Delete. You can edit any response provider definition by clicking on its name.