iPlanet Directory Server Access Management Edition Administration Guide
Chapter 19 URL Policy Agent Attributes
URL Policy Agent attributes are policy attributes. Policy attributes are privilege attributes. They deny or allow users access to web resources. They are configured through the Policy Management view. When a policy is created, policy attributes may be assigned to organizations via Show Policies in the User Management view.
Policy attributes list resources that are assigned the same action. When you specify an action for a resource, you effectively specify which attribute will list the resource as one of its values. The URL Policy Agent attributes are:
- URL Policy Agent Action: Allow
- URL Policy Agent Action: Deny
- URL Policy Agent Action: Not Enforced
URL Policy Agent Action: Allow
This attribute lists the URLs that a user is allowed to access. If the URL that an authenticated user wants to access matches a URL listed here and the request is not explicitly denied by another rule, access is granted. The default value is * (all). The field will take any URL that a user should be allowed to access.
The Allow list is checked after the Not Enforced list and the Deny list. If a matching URL is not found after the Allow list is checked, the access request is denied.
URL Policy Agent Action: Deny
This attribute lists the URLs a user is not allowed to access. If the URL that an authenticated user wants to access matches a URL listed here, access is denied. The default value is /config, denying access to the configuration files. The field will take any URL to which a user should be denied access. (The Deny list is checked after the Not Enforced list.)
URL Policy Agent Action: Not Enforced
This attribute lists URLs that can be accessed by any user who is in the organization or assigned the role to which this policy applies. The following URLs are default values of the Not Enforced attribute:
http://<host>:<port>/amserver/console*
http://<host>:<port>/amserver/login*
http://<host>:<port>/amserver/images*
http://<host>:<port>/amserver/admin*
http://<host>:<port>/amserver/docs*
http://<host>:<port>/amserver/logout
http://<host>:<port>/amserver/index.html
http://<host>:<port>/amserver/namingservice
http://<host>:<port>/amserver/loggingservice
http://<host>:<port>/amserver/sessionservice
Allowing all users access to these URLs makes user authentication possible.
Additional Information
Below is additional information specific to policy attributes.
Hierarchy Of Enforcement
In the enforcement of policy, the first URL list checked is Not Enforced, followed by the Deny list and, lastly, the Allow list. Deny privileges take precedence over allow privileges. An empty Deny list will allow only those resources that are allowed by the Allow list. An empty Allow list will not allow access to any resources except those in the Not Enforced list. By default, the Allow list would contain the "*" entry, allowing access to all resources. However, as the Deny list takes precedence over the Allow list, anything in the Deny list will not be accessible. If the URL access policy cannot be resolved between the Deny and Allow lists, access will not be allowed to the resource.
Configuring Policy Attributes
The Allow and Deny attributes support the use of the asterisk (*) wildcard to represent one or more characters. Use the wildcard to specify resources so that rules can be more flexible. You can use one or more wildcards anywhere in the resource name. For example:
- http://www.madisonparc.com/*
matches any URL that begins http://www.madisonparc.com/
If you specify part of a URL without using the wildcard character, the rule applies only to resources that are an exact match. For example, the following URL:
- http://www.madisonparc.com/
matches only http://www.madisonparc.com/
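The enforcement order and wildcard rules described above, as an added example (not code from the product or this guide): a small Python model that evaluates a URL against the three lists. The policy entries and paths are constructed, and case-sensitive matching of the whole URL is an assumption.

```python
import re

def compile_rule(pattern):
    # Per the page, '*' stands for one or more characters and a rule without
    # '*' is an exact match. Case-sensitive matching is an assumption.
    return re.compile(".+".join(re.escape(part) for part in pattern.split("*")))

def first_match(url, rules):
    """Return the first rule that matches the whole URL, or None."""
    for rule in rules:
        if compile_rule(rule).fullmatch(url):
            return rule
    return None

def evaluate(url, policy):
    """Check Not Enforced, then Deny, then Allow; unresolved requests are denied."""
    order = (("not_enforced", "allow"), ("deny", "deny"), ("allow", "allow"))
    for list_name, decision in order:
        rule = first_match(url, policy.get(list_name, []))
        if rule is not None:
            return decision, list_name, rule
    return "deny", "default", None

# Constructed policy; the host comes from the page's wildcard example,
# the paths are hypothetical.
BASE = "http://www.madisonparc.com"
POLICY = {
    "not_enforced": [BASE + "/amserver/login*"],
    "deny": [BASE + "/payroll", BASE + "/amserver/*"],
    "allow": ["*"],  # the documented default for the Allow list
}
SAMPLE_URLS = [
    BASE + "/amserver/login.html",  # in Not Enforced and Deny: Not Enforced is checked first
    BASE + "/amserver/admin",       # Deny wins over the Allow "*"
    BASE + "/payroll",              # exact match on the Deny entry
    BASE + "/payroll/2002.html",    # not covered by the exact-match Deny entry
]

def report(urls, policy=POLICY):
    """Map each URL to (decision, deciding list, matching rule)."""
    return {url: evaluate(url, policy) for url in urls}

if __name__ == "__main__":
    for url, (decision, source, rule) in report(SAMPLE_URLS).items():
        print(f"{decision:5} {source:12} {rule!s:40} {url}")
```

Under the exact-match rule, the Deny entry without a wildcard does not cover /payroll/2002.html, so that request falls through to the Allow list's "*" entry; a Deny entry meant to cover a whole subtree needs the wildcard.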
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 09, 2002