Once a normal or referral policy is created and added to Access Manager, you can manage the policy through the Access Manager console by modifying the rules, subjects, conditions and referrals.
Through the Policies tab, you can modify a normal policy that defines access permissions. You can define and configure multiple rules, subjects, conditions and resource comparators. This section lists and describes the steps to do so.
If you have already created the policy, click the name of the policy for which you wish to add the rule. If not, see To Create a Normal Policy With the Access Manager Console.
Under the Rules menu, click New.
Select one of the following default service types for the rule. You may see a larger list if more services are enabled for the policy:
Defines the authorization actions for Discovery service query and modify protocol invocations by web services clients for a specified resource.
Defines the authorization actions for Liberty Personal Profile service query and modify protocol invocations by web services clients for a specified resource.
Provides the URL Policy Agent service for policy enforcement. This service allows administrators to create and manage policies through a policy enforcer or policy agent.
Click Next.
Enter a name and resource name for the rule.
Currently, Policy Agents only support http:// and https:// resources and do not support IP addresses in place of the hostname.
Wildcards are supported for host, port, and resource names. For example:
http*://*:*/*.html
For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.
Select the action for the rule. If you are using the URL Policy Agent service, you can select the following:
GET
POST
Select the Action Values.
Allow — Enables you to access the resource matching the resource defined in the rule.
Deny — Denies access to the resource matching the resource defined in the rule.
Denial rules always take precedence over allow rules. For example, if you have two policies for a given resource, one denying access and the other allowing access, the result is denied access (provided that the conditions for both policies are met). It is recommended that deny policies be used with extreme caution, as they may lead to conflicts between policies. The policy definition process should only use allow rules. If no policy is applicable to a resource, access is automatically denied.
If explicit deny rules are used, policies that are assigned to a given user through different subjects (such as role and/or group membership) may result in denied access to a resource even if one or more of the policies allow access. For example, if there is a deny policy for a resource applicable to an Employee role and there is another allow policy for the same resource applicable to Manager role, policy decisions for users assigned both Employee and Manager roles would be denied.
One way to resolve such problems is to design policies using Condition plug-ins. In the case above, a “role condition” that applies the deny policy to users authenticated to the Employee role and applies the allow policy to users authenticated to the Manager role helps differentiate the two policies. Another way could be to use the authentication level condition, where the Manager role authenticates at a higher authentication level.
Click Finish.
If you have already created the policy, click the name of the policy for which you wish to add the subject. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.
Under the Subject list, click New.
Select one of the default subject types. For descriptions of the subject types, see Subjects.
Click Next.
Enter a name for the subject.
Select or deselect the Exclusive field.
If this field is not selected (default), the policy applies to an identity that is a member of the subject. If the field is selected, the policy applies to an identity that is not a member of the subject.
If multiple subjects exist in the policy, the policy applies to the identity when the identity is a member of at least one subject.
Perform a search in order to display the identities to add to the subject. This step is not applicable for the Authenticated Users subject or Web Services Client subjects.
The default (*) search pattern will display all entries.
Select the individual identities you wish to add for the subject, or click Add All to add all of the identities at once. Click Add to move the identities to the Selected list. This step is not applicable for the Authenticated Users subject.
Click Finish.
To remove a subject from a policy, select the subject and click Delete. You can edit any subject definition by clicking on the subject name.
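As an added illustration (not part of the original guide and not Access Manager's own code), the following Python model captures the decision rules stated above: a policy applies when the identity is a member of at least one of its subjects (the Exclusive field inverts membership) and every condition on the policy holds; across the applicable policies a deny action value always wins over allow; and when no policy applies, access is denied. It replays the Employee/Manager conflict described in the rules section and shows how a role condition on each policy resolves it. The Identity, Subject and Policy classes, the role_condition helper, the resource name and the sample users are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset
    # Role the user authenticated to (what a role condition checks), if any.
    authenticated_role: Optional[str] = None


@dataclass
class Subject:
    kind: str            # "user": names are user ids; "role": names are role names
    names: frozenset
    exclusive: bool = False   # the Exclusive field: policy applies to NON-members

    def applies_to(self, who: Identity) -> bool:
        if self.kind == "user":
            member = who.name in self.names
        else:
            member = bool(who.roles & self.names)
        return (not member) if self.exclusive else member


@dataclass
class Policy:
    name: str
    resource: str
    actions: dict                    # action values, e.g. {"GET": "allow", "POST": "deny"}
    subjects: list
    conditions: list = field(default_factory=list)   # callables Identity -> bool

    def applies(self, who: Identity, resource: str) -> bool:
        if resource != self.resource:
            return False
        # Member of at least one subject is enough.
        if not any(s.applies_to(who) for s in self.subjects):
            return False
        return all(cond(who) for cond in self.conditions)


def decide(policies, who: Identity, resource: str, action: str) -> str:
    """Combine the action values of every applicable policy."""
    values = {p.actions.get(action) for p in policies if p.applies(who, resource)}
    if "deny" in values:
        return "deny"        # denial rules take precedence over allow rules
    if "allow" in values:
        return "allow"
    return "deny"            # no applicable policy: access is denied by default


def role_condition(role: str) -> Callable[[Identity], bool]:
    """Condition plug-in that holds only when the user authenticated to this role."""
    return lambda who: who.authenticated_role == role


RESOURCE = "http://www.example.com:80/reports/index.html"   # constructed sample resource

# The conflict from the text: a deny policy for Employee and an allow policy for Manager.
DENY_EMPLOYEE = Policy("deny-employee", RESOURCE, {"GET": "deny"},
                       [Subject("role", frozenset({"Employee"}))])
ALLOW_MANAGER = Policy("allow-manager", RESOURCE, {"GET": "allow"},
                       [Subject("role", frozenset({"Manager"}))])
NAIVE = [DENY_EMPLOYEE, ALLOW_MANAGER]

# The same pair, each differentiated by a role condition.
CONDITIONED = [
    Policy("deny-employee", RESOURCE, {"GET": "deny"},
           [Subject("role", frozenset({"Employee"}))], [role_condition("Employee")]),
    Policy("allow-manager", RESOURCE, {"GET": "allow"},
           [Subject("role", frozenset({"Manager"}))], [role_condition("Manager")]),
]

# Constructed sample identities.
alice = Identity("alice", frozenset({"Employee", "Manager"}), authenticated_role="Manager")
bob = Identity("bob", frozenset({"Employee"}), authenticated_role="Employee")
carol = Identity("carol", frozenset({"Contractor"}))

if __name__ == "__main__":
    for who in (alice, bob, carol):
        print(who.name, "naive:", decide(NAIVE, who, RESOURCE, "GET"),
              "conditioned:", decide(CONDITIONED, who, RESOURCE, "GET"))
```

Running it shows alice (Employee and Manager) denied by the first pair of policies even though one of them allows her, and allowed once each policy is conditioned on the role she authenticated to; bob, who authenticated to Employee, stays denied; carol, to whom no policy applies, is denied by default, as is any action (such as POST) that no applicable rule names.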
If you have already created the policy, click the name of the policy for which you wish to add the condition. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.
Under the Conditions list, click New.
Select the condition type and click Next.
Define the fields for the condition type. For a description of the condition types, see Conditions.
Click Finish.
If you have already created the policy, click the name of the policy for which you wish to add the response provider. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.
Under the Response Providers list, click New.
Enter a name for the response provider.
Define the following values:
The response attribute with name and values defined in the instance of IDResponseProvider and stored in the policy.
The response attributes chosen here need to first be defined in the Policy Configuration Service for the corresponding realm. The attribute names defined should be the same as those existing in the configured datastore. For details on how to define the attributes see the Policy Configuration attribute definitions in the Access Manager online help.
Click Finish.
To remove a response provider from a policy, select the response provider and click Delete. You can edit any response provider definition by clicking on the name.
You can delegate policy definitions and decisions of a realm to different realms using referral policies. Custom referrals can be used to get policy decisions from any policy decision point. Once you have created a referral policy, you can add or modify the associated rules, referrals, and response providers.
If you have already created the policy, click the name of the policy for which you wish to add the rule. If not, see To Create a Referral Policy With the Access Manager Console.
Under the Rules list, click New.
Select one of the following default service types for the rule. You may see a larger list if more services are enabled for the policy:
Defines the authorization actions for Discovery service query and modify protocol invocations by web services clients for a specified resource.
Defines the authorization actions for Liberty Personal Profile service query and modify protocol invocations by web services clients for a specified resource.
Provides the URL Policy Agent service for policy enforcement. This service allows administrators to create and manage policies through a policy enforcer or policy agent.
Click Next.
Enter a name and resource name for the rule.
Currently, Policy Agents only support http:// and https:// resources and do not support IP addresses in place of the hostname.
Wildcards are supported for resource names, port number, and protocol. For example:
http://*:*/*.html
For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.
To allow the management of resources for all servers installed on a specific machine, you can define the resource as http://host*:*. Additionally, you can define the following resource to grant an administrator of a specific organization authority over all of the services in that organization:
http://*.subdomain.domain.topleveldomain
Click Finish.
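Resource names with wildcards decide how much a rule or referral covers, so it is worth checking a pattern against concrete request URLs before relying on it. The following Python example is added here (it is not part of the original guide and not Access Manager's own matching code) and serves both the wildcard resource names in the normal-policy rule procedure and the http://host*:* form above. It fills in the default ports the page states (80 for http://, 443 for https://) before matching. The treatment of `*` as matching any run of characters, including `/` and `:`, and the choice to leave the port as a wildcard when the scheme itself contains `*` are assumptions of this example; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Default ports stated on the page for the URL Policy Agent service.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Splits a resource name into scheme, host, optional port and optional path.
# '*' is accepted in every part (wildcards for protocol, host, port and resource).
_RESOURCE_RE = re.compile(
    r"^(?P<scheme>[A-Za-z*]+)://(?P<host>[^/:]*)(?::(?P<port>[^/]*))?(?P<path>/.*)?$"
)


def normalize_url(url: str) -> str:
    """Rewrite a concrete request URL as scheme://host:port/path, inserting the
    default port (80 for http, 443 for https) when the request carried none."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")  # agents support only http/https
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{scheme}://{parts.hostname}:{port}{path}"


def compile_resource(pattern: str) -> re.Pattern:
    """Compile a resource name such as http*://*:*/*.html into a regex.
    Assumption: '*' matches any run of characters, including '/' and ':'.
    A missing port becomes the scheme's default when the scheme is literal and
    stays a wildcard when the scheme itself contains '*'."""
    m = _RESOURCE_RE.match(pattern)
    if not m:
        raise ValueError(f"malformed resource name: {pattern!r}")
    scheme, host, port, path = m.group("scheme", "host", "port", "path")
    if port is None:
        default = DEFAULT_PORTS.get(scheme.lower())
        port = str(default) if default is not None else "*"
    canonical = f"{scheme}://{host}:{port}{path or ''}"
    regex = ".*".join(re.escape(piece) for piece in canonical.split("*"))
    return re.compile("^" + regex + "$")


def matches(pattern: str, url: str) -> bool:
    """True when the request URL falls within the rule's resource name."""
    return compile_resource(pattern).match(normalize_url(url)) is not None


if __name__ == "__main__":
    # Constructed sample requests checked against the page's example patterns.
    checks = [
        ("http*://*:*/*.html", "https://www.example.com/docs/index.html"),
        ("http*://*:*/*.html", "http://www.example.com/index.txt"),
        ("http://www.example.com/*.html", "http://www.example.com/a.html"),
        ("http://www.example.com/*.html", "https://www.example.com/a.html"),
        ("http://host*:*", "http://hostname.example.com:8080/app/"),
        ("http://host*:*", "http://other.example.com/"),
    ]
    for pattern, url in checks:
        print(f"{pattern:32} {url:48} {matches(pattern, url)}")
```

The last two checks show the point of testing: http://host*:* covers every port on a machine named host, but under this matching it also covers any other host whose name merely begins with host, so a pattern meant for one machine should be checked against neighbouring hostnames before it is saved.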
If you have already created the policy, click the name of the policy for which you wish to add the referral. If you have not yet created the policy, see To Create a Referral Policy With the Access Manager Console.
Under the Rules list, click New.
Select the Service type.
Define the resource in the Rules fields. The fields are:
Referral — Displays the current referral type.
Name — Enter the name of the referral.
Resource Name — Enter the name of the resource.
Filter — Specifies a filter for the organization names that will be displayed in the Value field. By default, it will display all organization names.
Value — Select the organization name of the referral.
Click Finish.
To remove a referral from a policy, select the referral and click Delete.
You can edit any referral definition by clicking on the Edit link next to the referral name.
If you have already created the policy, click the name of the policy for which you wish to add the response provider. If you have not yet created the policy, see To Create a Normal Policy With the Access Manager Console.
Under the Response Providers list, click New.
Enter a name for the response provider.
Define the following values:
The response attribute with name and values defined in the instance of IDResponseProvider and stored in the policy.
The response attribute with only names selected in the instance of IDResponseProvider in the policy. The values are read from IDRepositories based on the user identity in the request during policy evaluation.
Click Finish.
To remove a response provider from a policy, select the response provider and click Delete. You can edit any response provider definition by clicking on the name.