Sun OpenSSO Enterprise 8.0 Administration Guide

Modifying Policies and Referrals

Once a policy or referral is created, you can modify its components using the OpenSSO Enterprise console. Policies cannot be modified directly with ssoadm; you must first delete the policy before adding a modified version of it back. The following sections contain procedures on how to modify policies or referrals.

Modifying Policies

You can modify a policy that has already been created. To Modify a Policy describes the procedure to change or delete a policy.

Procedure: To Modify a Policy

Before You Begin

This procedure assumes:

  1. Under the Access Control tab, click the name of the realm in which the policy you are modifying was created.

  2. Click the Policies tab.

  3. Click the name of the policy you are modifying.

    The policy's component page is displayed.

  4. Under the Rules menu, click New.

    You can click the name of a Rule that has already been defined. The Rules attributes are the same whether you are defining them now or modifying definitions made in Creating Policies and Referrals. You can also select a defined Rule and delete it.

  5. Select a Service Type for the rule.

    This value cannot be changed once the Rule has been created. The options are:

    • Discovery Service (with resource name) defines the authorization actions for Discovery Service query and modify protocol invocations by web services clients.

    • Liberty Personal Profile Service (with resource name) defines the authorization actions for Liberty Personal Profile Service query and modify protocol invocations by web services clients.

    • URL Policy Agent (with resource name) defines authorization actions for the URL Policy Agent service. This is used to define policies that protect HTTP and HTTPS URLs. This is the most common use case of OpenSSO Enterprise policies.

    You may see a larger list if more services are enabled for the policy. (See Enabling Policy in a Service.) For more information, see Rules.

  6. Click Next to display the New Rule page and modify the following components.

    1. Enter a Name for the Rule.

    2. Enter a Resource Name for the rule.

      Currently, policy agents only support http:// and https:// resources, so the value should be a URL. IP addresses are not supported. Wildcards are supported for protocol, host, port and resource name. For example:

      http*://*:*/*.html

      For the URL Policy Agent service type, the default port number is 80 for http:// and 443 for https:// if no port number is defined.

    3. Select the appropriate value for each Action.

      Actions displayed are dependent on the chosen Service Type. See Rules for an explanation of each Action.

    4. Click Finish to return to the policy's components page.

  7. Under the Subjects menu, click New.

    You can also click the name of a Subject that has already been defined. The Subject attributes are the same whether you are defining them now or modifying definitions made in Creating Policies and Referrals. You can also select a defined Subject and delete it.

  8. Select a Subject Type and click Next.

    This value cannot be changed once the Subject has been created. The options are:

    • Authenticated Users implies that any user with a valid SSOToken is a member.

    • OpenSSO Identity Subject implies that the identities defined under the Subjects tab of a particular realm can be added as a member.

    • Web Services Clients implies that a WSC identified by a valid SSOToken is a member if the Distinguished Name (DN) of any principal contained in the SSOToken matches any value of this subject.

    For more information, see Subjects.

  9. Enter a Name for the Subject.

  10. Select whether the Subject is Exclusive.

    If this field is not selected (default), the policy applies to the identity that is a member of the subject. If the field is selected, the policy applies to the identity that is not a member of the subject. If multiple subjects exist in the policy, the policy applies to the identity when at least one of the subjects implies that the policy applies to the identity.

  11. If applicable to the selected Subject Type, choose entries to add for the subject.

    1. Perform a search to display qualified entries.

      The default (*) search pattern displays all qualified entries.

    2. Select an individual entry and click Add to move it to the Selected list.

      Alternately, click Add All to add all of the entries at once.

  12. Click Finish to return to the policy's components page.

  13. Under the Conditions menu, click New.

    You can also click the name of a Condition that has already been defined. The Conditions attributes are the same whether you are defining them now or modifying definitions made in Creating Policies and Referrals. You can also select a defined Condition and delete it.

  14. Select a Condition Type and click Next.

  15. Enter values for the Condition Type's listed attributes.

    For more information, see Conditions.

  16. Click Finish to return to the policy's components page.

  17. Under the Response Provider menu, click New.

    You can also click the name of a Response Provider that has already been defined. The Response Provider attributes are the same whether you are defining them now or modifying definitions made in Creating Policies and Referrals. You can also select a defined Response Provider and delete it.

  18. Enter a Name for the Response Provider.

  19. Define the following values:

    Static Attribute

    These are static attributes defined in an instance of IDResponseProvider stored in the policy. The value takes the format attribute=value.

    Dynamic Attribute

    The response attributes chosen here need to first be defined in the Selected Dynamic Response Attributes field of the Policy Configuration Service for the corresponding realm. The attribute names defined should be a subset of those existing in the identity repository. To select specific or multiple attributes, hold the Control key and click the left mouse button. For details, see Policy Configuration in Sun OpenSSO Enterprise 8.0 Administration Reference.

  20. Click Finish.

  21. Click Save to update the policy.
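The Subject semantics described in steps 8 through 10 (membership per Subject Type, the Exclusive flag inverting membership, and the policy applying when at least one subject implies it) are easy to get wrong when several subjects are combined. The following is an added example written for this page, not OpenSSO code, that models those rules in plain Python so that a combination of subjects can be checked before it is saved. The Session and Subject classes and their field names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Constructed model of what the policy engine knows about the caller."""
    principal: str                 # identity name taken from the SSOToken
    valid_token: bool = True       # False models a missing or expired SSOToken
    principal_dns: tuple = ()      # DNs of principals carried in the token (WSC case)


@dataclass(frozen=True)
class Subject:
    """One entry under a policy's Subjects menu (constructed model)."""
    name: str
    subject_type: str                  # one of the three Subject Types in the guide
    members: frozenset = frozenset()   # identity names, or DNs for Web Services Clients
    exclusive: bool = False            # the "Exclusive" check box

    def is_member(self, session):
        """Membership as defined for each Subject Type on this page."""
        if not session.valid_token:
            return False
        if self.subject_type == "Authenticated Users":
            return True
        if self.subject_type == "OpenSSO Identity Subject":
            return session.principal in self.members
        if self.subject_type == "Web Services Clients":
            return any(dn in self.members for dn in session.principal_dns)
        raise ValueError(f"unknown Subject Type: {self.subject_type!r}")

    def implies(self, session):
        """Exclusive inverts membership: the policy applies to non-members."""
        member = self.is_member(session)
        return (not member) if self.exclusive else member


def explain(subjects, session):
    """Per-subject result, useful when reviewing why a policy did or did not apply."""
    return {s.name: s.implies(session) for s in subjects}


def policy_applies(subjects, session):
    """True when at least one subject implies that the policy applies.

    A policy with no subjects never applies here (assumption made for the
    example). Note the caveat: an Exclusive subject with few members implies
    the policy for almost every caller, so review Exclusive flags carefully.
    """
    return any(explain(subjects, session).values())


if __name__ == "__main__":
    # Constructed sample subjects and sessions, not from any real realm.
    staff = Subject("staff", "OpenSSO Identity Subject", frozenset({"alice", "bob"}))
    not_contractors = Subject("not-contractors", "OpenSSO Identity Subject",
                              frozenset({"dave"}), exclusive=True)
    for who in ("alice", "carol", "dave"):
        print(who, explain([staff, not_contractors], Session(who)),
              "->", policy_applies([staff, not_contractors], Session(who)))
```

Running the block shows that "carol" is covered by the combined policy only through the Exclusive subject, which is exactly the kind of unintended grant that a review of Exclusive flags should catch.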

Modifying Referrals

You can modify the components of a referral that has already been created. To Modify a Referral describes the procedure to change or delete a referral.

Procedure: To Modify a Referral

Before You Begin

This procedure assumes:

  1. Under the Access Control tab, click the name of the realm in which the policy you are modifying was created.

  2. Click the Policies tab.

  3. Click the name of the referral you are modifying.

    The referral's component page is displayed.

  4. Under the Rules menu, click New to display the New Rule page and modify as follows.

    You can click the name of a Rule that has already been defined. The Rules attributes are the same whether you are defining them now or modifying definitions made in Creating Policies and Referrals. You can also select a defined Rule and delete it.

    1. Select the appropriate Service Type and click Next.

      This value cannot be changed once the Rule has been created. The options are:

      • Discovery Service (with resource name) defines the authorization actions for Discovery Service query and modify protocol invocations by web services clients.

      • Liberty Personal Profile Service (with resource name) defines the authorization actions for Liberty Personal Profile Service query and modify protocol invocations by web services clients.

      • URL Policy Agent (with resource name) defines authorization actions for the URL Policy Agent service. This is used to define policies that protect HTTP and HTTPS URLs. This is the most common use case.

      You may see a larger list if more services are enabled for the policy. (See Enabling Policy in a Service.) For more information, see Rules.

    2. Add a Name for the Rule.

    3. Add a URL as the value for Resource Name and click Finish to return to the referral's components page.

      Currently, policy agents only support http:// and https:// resources, so the value should be a URL. IP addresses are not supported. Wildcards are supported for protocol, host, port and resource name. For example:

      http*://*:*/*.html

      For the URL Policy Agent service type, the default port number is 80 for http:// and 443 for https:// if no port number is defined. In this example, o=example.com is the sub realm that manages access to http://www.example.com and its sub-resources.

  5. Under the Referrals menu, click New.

    You can click the name of a Referral that has already been defined. The Referrals attributes are the same whether you are defining them now or modifying definitions made in Creating Policies and Referrals. You can also select a defined Referral and delete it.

  6. Enter a Name for the Referral.

  7. Specify a filter and click Search.

    This action defines the realm names that will be displayed in the Value field. By default, it will display all realm names.

  8. Select the realm to which you are referring policy administration from the drop-down list.

  9. Click Finish to return to the referral's components page.

  10. Click Save to update the referral.
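Both procedures above (step 6 of the policy procedure and step 4 of the referral procedure) describe the Resource Name format: an http:// or https:// URL, wildcards in protocol, host, port and resource name, default ports 80 and 443 when none is given, and no IP addresses. The following is an added example written for this page, not OpenSSO or policy-agent code, that applies those rules to decide which rules' resource names cover a given request URL. It goes slightly beyond the page in one labelled assumption: when the protocol itself is a wildcard (such as http*) and no port is given, the port is treated as a wildcard, since no single default port applies. Function names and the sample rules are constructed for the example.

```python
import re

# One http(s)-style resource name or URL: scheme://host[:port][/path].
# '*' is allowed in every component, so the scheme is not validated as a real URL scheme.
_RESOURCE_RE = re.compile(
    r"^(?P<scheme>[^:/]*)://(?P<host>[^:/]*)(?::(?P<port>[^/]*))?(?P<path>/.*)?$"
)
DEFAULT_PORTS = {"http": "80", "https": "443"}   # defaults stated in the guide
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def split_resource(resource):
    """Split a resource name or request URL into scheme, host, port and path.

    A missing port is filled with the documented default when the scheme is a
    literal http/https. A wildcard scheme such as "http*" gets port "*" (an
    assumption made for this example). A missing path becomes "/".
    """
    m = _RESOURCE_RE.match(resource)
    if not m:
        raise ValueError(f"not an http(s) resource name: {resource!r}")
    scheme, host, port, path = m.group("scheme", "host", "port", "path")
    if _IPV4_RE.match(host):
        # The guide states that IP addresses are not supported as resource hosts.
        raise ValueError(f"IP address hosts are not supported: {resource!r}")
    if port is None:
        if "*" in scheme:
            port = "*"
        else:
            try:
                port = DEFAULT_PORTS[scheme.lower()]
            except KeyError:
                raise ValueError(f"only http:// and https:// are supported: {resource!r}") from None
    return {"scheme": scheme, "host": host, "port": port, "path": path or "/"}


def _wildcard_regex(component, ignore_case):
    """Turn one '*'-wildcarded component into an anchored regex; '*' matches any run of characters."""
    pattern = "^" + ".*".join(re.escape(part) for part in component.split("*")) + "$"
    return re.compile(pattern, re.IGNORECASE if ignore_case else 0)


def resource_matches(resource_name, url):
    """True if the rule's resource_name covers the requested url."""
    rule = split_resource(resource_name)
    req = split_resource(url)
    for key in ("scheme", "host", "port", "path"):
        # Scheme and host compare case-insensitively; port and path compare exactly.
        if not _wildcard_regex(rule[key], key in ("scheme", "host")).match(req[key]):
            return False
    return True


def matching_rules(rules, url):
    """Names of every rule whose resource name covers url.

    rules is a list of (rule_name, resource_name) pairs, as listed under a
    policy's or referral's Rules menu.
    """
    return [name for name, resource in rules if resource_matches(resource, url)]


if __name__ == "__main__":
    # Constructed sample rules, not from any real deployment.
    RULES = [
        ("all-html", "http*://*:*/*.html"),
        ("www-default-port", "http://www.example.com/*"),
        ("secure-site", "https://www.example.com/*"),
    ]
    for url in ("http://www.example.com:80/index.html",
                "https://www.example.com:8443/docs/index.html",
                "http://www.example.com:8080/index.jsp"):
        print(url, "->", matching_rules(RULES, url))
```

The default-port handling is the part worth checking in practice: a rule written as http://www.example.com/* covers a request to port 80 but not to port 8080, so a rule for an application server on a non-default port must name that port explicitly or use a port wildcard.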