Creating Policies

You can create, modify and delete policies through the Policy API and the Access Manager console, and create and delete policies through the amadmin command line tool. You can also get and list policies in XML using the amadmin utility. This section focuses on creating policies through the amadmin command line utility and through the Access Manager console. For more information on the Policy APIs, see the Sun Java System Access Manager 7.1 Developer’s Guide.

Policies are generally created using an XML file and added to Access Manager through the amadmin command line utility and then managed using the Access Manager console (although policies can be created using the console). This is because policies cannot be modified using amadmin directly. To modify a policy, you must first delete the policy from Access Manager and then add the modified policy using amadmin.

In general, policy is created at the realm (or sub realm) level to be used throughout the realm’s tree.

To Create Policies with amadmin

1. Create the policy XML file based on the amadmin.dtd. This file is located in the following directory:

   AccessManager-base /SUNWam/dtd.

   The following is an example of a policy XML file. This example contains all of the default subject and condition values. For definitions of these values, see Policy Types.

   <Policy name="bigpolicy" referralPolicy="false" active="true" >
   <Rule name="rule1">
   <ServiceName name="iPlanetAMWebAgentService" />
   <ResourceName name="http://thehost.thedomain.com:80/*.html" />
   <AttributeValuePair>
   <Attribute name="POST" />
   <Value>allow</Value>
   </AttributeValuePair>
   <AttributeValuePair>
   <Attribute name="GET" />
   <Value>allow</Value>
   </AttributeValuePair>
   </Rule>
   <Subjects name="subjects" description="desccription">
   <Subject name="webservicescleint" type="WebServicesClients" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/><Value>CN=sun-unix, 
   OU=SUN Java System Access Manager, O=Sun, C=US</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="amrole" type="IdentityServerRoles" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/><Value>
   cn=organization admin role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="au" type="AuthenticatedUsers" includeType="inclusive">
   </Subject>
   <Subject name="ldaporganization" type="Organization" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="ldapuser" type="LDAPUsers" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>uid=amAdmin,ou=People,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="ldaprole" type="LDAPRoles" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>cn=Organization Admin Role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="ldapgroup" type="LDAPGroups" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>cn=g1,ou=Groups,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="amidentitysubject" type="AMIdentitySubject" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>id=amAdmin,ou=user,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   </Subjects>
   <Conditions name="conditions" description="description">
   <Condition name="ldapfilter" type="LDAPFilterCondition">
   <AttributeValuePair><Attribute name="ldapFilter"/>
   <Value>dept=finance</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authlevelge-nonrealmqualified" type="AuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>1</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authlevelle-realmqaulfied" type="LEAuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>/:2</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="sessionproperties" type="SessionPropertyCondition">
   <AttributeValuePair><Attribute name="valueCaseInsensitive"/>
   <Value>true</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="a"/><Value>10</Value>
   <Value>20</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="b"/><Value>15</Value>
   <Value>25</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="activesessiontime" type="SessionCondition">
   <AttributeValuePair><Attribute name="TerminateSession"/>
   <Value>session_condition_false_value</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="MaxSessionTime"/>
   <Value>30</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authelevelle-nonrealmqualfied" 
              type="LEAuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>2</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="ipcondition" type="IPCondition">
   <AttributeValuePair><Attribute name="DnsName"/>
   <Value>*.iplanet.com</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EndIp"/>
   <Value>145.15.15.15</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartIp"/>
   <Value>120.10.10.10</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authchain-realmqualfied"
             type="AuthenticateToServiceCondition">
   <AttributeValuePair><Attribute name="AuthenticateToService"/>
   <Value>/:ldapService</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="auth to realm" 
         type="AuthenticateToRealmCondition">
   <AttributeValuePair><Attribute name="AuthenticateToRealm"/>
   <Value>/</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authlevelge-realmqualified"
         type="AuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>/:2</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authchain-nonrealmqualfied" 
        type="AuthenticateToServiceCondition">
   <AttributeValuePair><Attribute name="AuthenticateToService"/>
   <Value>ldapService</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="timecondition" type="SimpleTimeCondition">
   <AttributeValuePair><Attribute name="EndTime"/>
   <Value>17:00</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartTime"/>
   <Value>08:00</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EndDate"/>
   <Value>2006:07:28</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EnforcementTimeZone"/>
   <Value>America/Los_Angeles</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartDay"/>
   <Value>mon</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartDate"/>
   <Value>2006:01:02</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EndDay"/>
   <Value>fri</Value>
   </AttributeValuePair>
   </Condition>
   </Conditions>
   <ResponseProviders name="responseproviders"
          description="description">
   <ResponseProvider name="idresponseprovidere" 
        type="IDRepoResponseProvider">
   <AttributeValuePair>
   <Attribute name="DynamicAttribute"/>
   </AttributeValuePair>
   <AttributeValuePair>
   <Attribute name="StaticAttribute"/>
   <Value>m=10</Value>
   <Value>n=30</Value>
   </AttributeValuePair>
   </ResponseProvider>
   </ResponseProviders>
   </Policy>

2. Once the policy XML file is developed, you can use the following command to load it:

   AccessManager-base/SUNWam/bin/amadmin --runasdn "uid=amAdmin,ou=People,default_org, root_suffix" --password password --data policy.xml

   To add multiple policies simultaneously, place the policies in one XML file, as opposed to having one policy in each XML file. If you load policies with multiple XML files in quick succession, the internal policy index may become corrupted and some policies may not participate in policy evaluation.

   When creating policies through amadmin, ensure that the authentication module is registered with the realm while creating authentication scheme condition; that the corresponding LDAP objects realms, groups, roles and users) exist while creating realms, LDAP groups, LDAP roles and LDAP user subjects; that Access Manager roles exist while creating IdentityServerRoles subjects; and that the relevant realms exist while creating sub realm or peer realm referrals.

   Please note that in the text of Value elements in SubrealmReferral, PeerRealmReferral, Realm subject, IdentityServerRoles subject, LDAPGroups subject, LDAPRoles subject and LDAPUsers subject need to be the full DN.

To Create a Normal Policy With the Access Manager Console

1. Choose the realm for which you would like to create a policy.

2. Click the Policies tab.

3. Click New Policy from the Policies list.

4. Add a name and a description for the policy.

5. If you wish the policy to be active, select Yes in the Active attribute.

6. It is not necessary to define all of the fields for normal policies at this time. You may create the policy, then add rules, subjects, conditions, and response providers later. See Managing Policies for more information.

7. Click OK.

To Create a Referral Policy With the Access Manager Console

1. Choose the realm for which you would like to create the policy.

2. Click New Referral from the Policies tab.

3. Add a name and a description for the policy.

4. If you wish the policy to be active, select Yes in the Active attribute.

5. It is not necessary to define all of the fields for referral policies at this time. You may create the policy, then add rules and referrals later. See Managing Policies for more information.

6. Click OK.

Creating Policies for Peer Realms and Sub Realms

In order to create policies for peer or sub realms, you must first create a referral policy in the parent (or another peer) realm. The referral policy must contain, in its rule definition, the resource prefix that is being managed by the sub realm. Once the referral policy is created in the parent realm (or another peer realm) normal policies can be created at the sub realm (or peer realm).

In this example, o=isp is the parent realm and o=example.com is the sub realm that manages resources and sub-resources of http://www.example.com.

To Create a Policy for a Sub Realm

1. Create a referral policy at o=isp. For information on referral policies, see the procedure Modifying a Referral Policy.

   The referral policy must define http://www.example.com as the resource in the rule, and must contain a SubRealmReferral with example.com as the value in the referral.

2. Navigate to the sub realm example.com.

3. Now that the resource is referred to example.com by isp, normal policies can be created for the resource http://www.example.com , or for any resource starting with http://www.example.com .

   To define policies for other resources managed by example.com, additional referral policies must be created at o=isp.

Exporting Policies to Other Access Manager instances

Access Manager allows you to export policies using the amadmin command line tool This is useful when you wish to move many existing policies to another Access Manager instance, or if you wish to inspect changes that you have made to existing policies in batch mode. To export policies, use the amadmin command line utility to export the specified policies to a file. The syntax is:

amamdin - u username —w password —ofilename output_file.xml —t policy_data_file.xml

You can use the wildcard (*) in the policy name to match any string of characters.

The following is an example of the policy_data_file.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!--
    Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
    Use is subject to license terms.
-->

<!DOCTYPE Requests
    PUBLIC "-//iPlanet//Sun Java System Access Manager 6.2 Admin CLI DTD//EN"
    "/opt/SUNWam/dtd/amAdmin.dtd"
>>

<!--  CREATE REQUESTS -->

<!-- to export to file use option -ofilename fileName -->

<Requests>    

<RealmRequests >    
<RealmGetPolicies realm="/" >
<AttributeValuePair>
<Attribute name="policyName"/>
<Value>p*</Value>
</AttributeValuePair>
</RealmGetPolicies>
</RealmRequests>

<RealmRequests >    
<RealmGetPolicies realm="/" >
<AttributeValuePair>
<Attribute name="policyName"/>
<Value>g10</Value>
<Value>g11</Value>
</AttributeValuePair>
</RealmGetPolicies>

</RealmRequests>
<RealmRequests >    
<RealmGetPolicies realm="/realm1" >
<AttributeValuePair>
<Attribute name="policyName"/>
<Value>*</Value>
</AttributeValuePair>
</RealmGetPolicies>
</RealmRequests>

</Requests>

The policies are exported to the Output_file.xml file. You can now make any changes to policy definitions contained in the file. You must alter the output file so that it is compatible with the amadmin command utility before importing the policies to another Access Manager instance. For instructions on how to import the policies, including an example of an amadmin-compatible policy data file, see To Create Policies with amadmin