Sun Java System Access Manager 7 2005Q4 Developer's Guide

Adding a Policy-Enabled Service to Access Manager

You can load into Access Manager a service that already contains policy schema. Access Manager provides a sample XML file for a new service that contains policy schema. You can modify AccessManager-base/SUNWam/samples/policy/SampleWebService.xml to fit your needs, and then add your service to Access Manager.

The Policy element contains AttributeSchema elements to define applicable actions and values for actions. While defining policies, you can define access rules for those actions.

Examples include canForwardEmailAddress and canChangeSalaryInformation. The actions specified by these attributes can be associated with a resource if the IsResourceNameAllowed element is specified in the attribute definition. For example, in the web agent XML service file, amWebAgent.xml, GET and POST are defined as policy attributes with an associated URL resource, because IsResourceNameAllowed is specified for each of them.


Example 6–2 SampleWebService.xml

<!DOCTYPE ServicesConfiguration
    PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
    "jar://com/sun/identity/sm/sms.dtd">

<ServicesConfiguration>
    <Service name="SampleWebService" version="5.0">
        <Schema
            serviceHierarchy="/DSAMEConfig/SampleWebService"
            i18nFileName="SampleWebService"
            i18nKey="SampleWebService">
            <Global>
                <AttributeSchema name="serviceObjectClasses" type="list" syntax="string"
                    i18nKey="SampleWebService"/>
            </Global>
            <Policy>
                <AttributeSchema name="GET"
                    type="single"
                    syntax="boolean"
                    uitype="radio"
                    i18nKey="get">
                    <IsResourceNameAllowed/>
                    <BooleanValues>
                        <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                        <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
                    </BooleanValues>
                </AttributeSchema>

                <AttributeSchema name="POST"
                    type="single"
                    syntax="boolean"
                    uitype="radio"
                    i18nKey="post">
                    <IsResourceNameAllowed/>
                    <BooleanValues>
                        <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                        <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
                    </BooleanValues>
                </AttributeSchema>

                <AttributeSchema name="PUT"
                    type="single"
                    syntax="boolean"
                    uitype="radio"
                    i18nKey="put">
                    <IsResourceNameAllowed/>
                    <BooleanValues>
                        <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                        <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
                    </BooleanValues>
                </AttributeSchema>

                <AttributeSchema name="DELETE"
                    type="single"
                    syntax="boolean"
                    uitype="radio"
                    i18nKey="delete">
                    <IsResourceNameAllowed/>
                    <BooleanValues>
                        <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                        <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
                    </BooleanValues>
                </AttributeSchema>
            </Policy>
        </Schema>
    </Service>
</ServicesConfiguration>
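Before loading a service file with amadmin, it is worth checking that every action under the Policy element is actually usable in a policy rule: boolean syntax, allow/deny BooleanValues, and IsResourceNameAllowed where the action should be bound to a URL resource. The following Python check is an added example, not part of the guide or of Access Manager; the embedded XML is a constructed sample modelled on SampleWebService.xml, with a deliberately defective PUT attribute so the check has something to report.

```python
"""Pre-load check for an Access Manager SMS service XML containing a <Policy> block.

Added example; not part of the Sun guide or the amadmin tool. The sample XML is
constructed here: GET is defined correctly, PUT is not boolean and has no
<IsResourceNameAllowed/>, so it could never be tied to a URL resource."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE ServicesConfiguration PUBLIC
  "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
  "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="SampleWebService" version="5.0">
    <Schema i18nFileName="SampleWebService" i18nKey="SampleWebService">
      <Policy>
        <AttributeSchema name="GET" type="single" syntax="boolean" i18nKey="get">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema name="PUT" type="single" syntax="string" i18nKey="put"/>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
"""


def policy_actions(xml_text):
    """Return {service name: {action name: {"resource_scoped": bool, "problems": [str]}}}."""
    root = ET.fromstring(xml_text)  # expat does not fetch the jar:// DTD, so this works offline
    report = {}
    for svc in root.iter("Service"):
        actions = report.setdefault(svc.get("name"), {})
        for attr in svc.findall("./Schema/Policy/AttributeSchema"):
            problems = []
            if attr.get("syntax") != "boolean":
                problems.append("syntax is %r, expected boolean" % attr.get("syntax"))
            values = attr.find("BooleanValues")
            if (values is None or values.find("BooleanTrueValue") is None
                    or values.find("BooleanFalseValue") is None):
                problems.append("missing allow/deny BooleanValues")
            actions[attr.get("name")] = {
                # Only resource-scoped actions can carry a URL in a policy rule.
                "resource_scoped": attr.find("IsResourceNameAllowed") is not None,
                "problems": problems,
            }
    return report


if __name__ == "__main__":
    for svc, actions in policy_actions(SAMPLE_XML).items():
        for action, info in actions.items():
            print(svc, action, "resource-scoped" if info["resource_scoped"] else "global", info["problems"])
```

Run it against the real file by replacing SAMPLE_XML with the contents of your service XML; any action listed with problems will load, but cannot be used in a policy rule the way the GET and POST attributes are.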

Procedure: To Add a New Service to Access Manager

  1. Run the amadmin command to load that service.

    AccessManager-base/bin/amadmin
        --runasdn "uid=amAdmin,ou=People,<default_org>,<root_suffix>"
        --password <password>
        --schema AccessManager-base/samples/policy/SampleWebService.xml
    
  2. Copy the properties file to the locale directory of the Access Manager installation.

    cp SampleWebService.properties AccessManager-base/locale

  3. Create a service XML file that conforms to AccessManager-base/dtd/sms.dtd and contains the <Policy> element. See the example below.

  4. Create the locale properties file and copy it to AccessManager-base/locale.

  5. Use amadmin to load the service into Access Manager.

    Once the new service is added, you can define rules for the new service in policy definitions.


Example 6–3 XML for Policy-Enabled Service

/etc/opt/SUNWam/config/xml/amWebAgent.xml (Solaris) or /etc/opt/sun/identity/config/xml/amWebAgent.xml (Linux)

<!DOCTYPE ServicesConfiguration
    PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
    "jar://com/sun/identity/sm/sms.dtd">

<ServicesConfiguration>
    <Service name="iPlanetAMWebAgentService" version="1.0">
        <Schema
            i18nFileName="amWebAgent"
            i18nKey="iplanet-am-web-agent-service-description">
            <Global>
                <AttributeSchema name="serviceObjectClasses"
                    type="list"
                    syntax="string"
                    i18nKey="">
                    <DefaultValues>
                        <Value>iplanet-am-web-agent-service</Value>
                    </DefaultValues>
                </AttributeSchema>
            </Global>

            <Policy>
                <AttributeSchema name="GET"
                    type="single"
                    syntax="boolean"
                    uitype="radio"
                    i18nKey="GET">
                    <IsResourceNameAllowed/>
                    <BooleanValues>
                        <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                        <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
                    </BooleanValues>
                </AttributeSchema>
                <AttributeSchema name="POST"
                    type="single"
                    syntax="boolean"
                    uitype="radio"
                    i18nKey="POST">
                    <IsResourceNameAllowed/>
                    <BooleanValues>
                        <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
                        <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
                    </BooleanValues>
                </AttributeSchema>
            </Policy>
        </Schema>
    </Service>
</ServicesConfiguration>