Sun Java System Access Manager 7 2005Q4 Administration Guide

Modifying a Referral Policy

You can delegate policy definitions and decisions of a realm to different realms using referral policies. Custom referrals can be used to get policy decisions from any policy destination point. Once you have created a referral policy, you can add or modify the associated rules, referrals, and resource providers.

Procedure: To Add or Modify a Rule to a Referral Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the rule. If not, see To Create a Referral Policy With the Access Manager Console.

  2. Under the Rules list, click New.

  3. Select one of the following default service types for the rule. You may see a larger list if more services are enabled for the policy:

    Discovery Service

    Defines the authorization actions for Discovery service query and modify protocol invocations by web services clients for a specified resource.

    Liberty Personal Profile Service

    Defines the authorization actions for Liberty Personal Profile service query and modify protocol invocations by web services clients for a specified resource.

    URL Policy Agent

    Provides the URL Policy Agent service for policy enforcement. This service allows administrators to create and manage policies through a policy enforcer or policy agent.

  4. Click Next.

  5. Enter a name and resource name for the rule.

    Currently, Policy Agents only support http:// and https:// resources and do not support IP addresses in place of the hostname.

    Wildcards are supported for resource names, port number, and protocol. For example:

    http://*:*/*.html

    For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.

    To allow the management of resources for all servers installed on a specific machine, you can define the resource as http://host*:*. Additionally, you can define the following resource to grant an administrator of a specific organization authority over all of the services in that organization:

    http://*.subdomain.domain.topleveldomain

  6. Click Finish.
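As an added illustration (not code from this guide or from Access Manager itself), the following Python matcher applies the resource-name conventions described in step 5 to request URLs: wildcards in host, port and path, the default ports 80 and 443, and the restriction to http:// and https:// resources with a hostname rather than an IP address. The component-wise meaning of `*` and the treatment of an omitted path are assumptions of this example; the product's own matching rules may differ.

```python
import re
from urllib.parse import urlsplit

# Default ports the guide gives for the URL Policy Agent service.
DEFAULT_PORTS = {"http": 80, "https": 443}

# A resource name is scheme://host[:port][/path]; any component may contain '*'.
_RESOURCE = re.compile(
    r"^(?P<scheme>[A-Za-z*]+)://(?P<host>[^/:]+)(?::(?P<port>[^/]+))?(?P<path>/.*)?$"
)


def _glob(component):
    """Anchored regex for one component; '*' matches any run of characters (assumed semantics)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in component.split("*")) + "$")


def resource_matches(resource, url):
    """Return True if the request URL falls under the policy resource name.

    Assumed simplifications (not the product's own matcher): an omitted port in the
    resource name means the scheme's default port, and an omitted path matches any path.
    """
    m = _RESOURCE.match(resource)
    if m is None:
        raise ValueError(f"unsupported resource name: {resource}")
    req = urlsplit(url)
    scheme = req.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False  # only http:// and https:// resources are supported
    host = req.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return False  # IP addresses in place of the hostname are not supported
    port = req.port or DEFAULT_PORTS[scheme]
    path = req.path or "/"

    # Scheme and host are case-insensitive; the path is compared as given.
    if not _glob(m["scheme"].lower()).match(scheme) or not _glob(m["host"].lower()).match(host):
        return False
    if m["port"] is None:
        if port != DEFAULT_PORTS[scheme]:
            return False
    elif not _glob(m["port"]).match(str(port)):
        return False
    return m["path"] is None or _glob(m["path"]).match(path) is not None


if __name__ == "__main__":
    # Constructed sample: the guide's wildcard resource against a request on a non-default port.
    print(resource_matches("http://*:*/*.html", "http://www.example.com:8080/docs/index.html"))
```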

Procedure: To Add or Modify Referrals to a Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the response provider. If you have not yet created the policy, see To Create a Referral Policy With the Access Manager Console.

  2. Under the Rules list, click New.

  3. Select the Service type.

  4. Define the resource in the Rules fields. The fields are:

    Referral

    Displays the current referral type.

    Name

    Enter the name of the referral.

    Resource Name

    Enter the name of the resource.

    Filter

    Specifies a filter for the organization names that will be displayed in the Value field. By default, it will display all organization names.

    Value

    Select the organization name of the referral.

  5. Click Finish.

    To remove a referral from a policy, select the referral and click Delete.

    You can edit any referral definition by clicking on the Edit link next to the referral name.

Procedure: To Add a Response Provider to a Referral Policy

  1. If you have already created the policy, click the name of the policy for which you wish to add the response provider. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.

  2. Under the Response Providers list, click New.

  3. Enter a name for the response provider.

  4. Define the following values:

    StaticAttribute

    The response attribute with name and values defined in the instance of IDResponseProvider and stored in the policy.

    DynamicAttribute

    The response attribute with only names selected in the instance of IDResponseProvider in the policy. The values are read from IDRepositories based on the user identity request during policy evaluation.

  5. Click Finish.

  6. To remove a response provider from a policy, select the response provider and click Delete. You can edit any response provider definition by clicking on its name.