Sun ONE Identity Server Administration Guide



Chapter 6   Policy Management


This chapter describes the policy service management features of Sun ONE Identity Server. Policy management provides a way to view, manage and configure all Identity Server policies.

This chapter contains the following sections:



What is a Policy?

Every business has a need to protect its resources. This is done by configuring and managing rules that define who can do what to which resource. The Identity Server Policy Service enables an organization to set up these rules or policies.

A policy defines permissions that allow an administrator to assign security levels based on an organization's needs and the conditions created within the policy. This policy, when possessed by an object, defines which resources within an organization that the object is able to access. A single policy can define either binary or non-binary decisions. A binary decision is yes/no, true/false or allow/deny; most policies are of this type. A non-binary decision represents the value of an attribute. For example, a mail service might include a mailboxQuota attribute with a maximum storage value set for each user. A policy service administers this restriction ensuring that each user's quota is not exceeded. In general, a policy is configured to define what an object can do to which resource and under what conditions.

Identity Server ships with one policy service, the URL Policy Agent, and one sample mail service. For more information on the sample mail service and writing new policy schema, see the Sun One Identity Server Programmer's Guide.



Policy Types



There are two types of policy that can be configured using Identity Server: a normal policy or a referral policy. A normal policy consists of rules, subjects and conditions. A referral policy consists of rules and referrals to organizations.


Normal Policy

In Identity Server, a policy that defines access permissions is referred to as a normal policy. A normal policy consists of rules, subjects and conditions.

A rule consists of a resource, and one or more sets of an action and a value. A resource defines the object that is being protected; an action is the name of an operation that can be performed on the resource and a value defines the permission.



Note

It is acceptable to define an action without resources.



Policies are not assigned to identities. Instead, subjects are assigned to policies. A subject is the identity object to which the policy is assigned and applied.

A condition defines the situations in which a policy is applicable. For example, a 7 am to 10 am condition in a policy means that the policy is applicable only from 7 am to 10 am.



Note

The terms referral, rule, resource, subject, condition, action and value correspond to the elements Referral, Rule, ResourceName, Subject, Condition, Attribute and Value in the policy.dtd. They are explained further in the Sun One Identity Server Programmer's Guide.
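The structure just described (a rule made of a resource plus action/value pairs, subjects the policy is assigned to, conditions that gate it, and binary versus non-binary decisions) as a small Python model, added here for illustration. It is not Identity Server code and does not use the Policy API; the DNs and URLs are constructed, and the prefix-matching and deny-wins rules are assumptions of the example, not behaviour the guide states.

```python
"""Toy model of an Identity Server normal policy, added here as an
illustration; it is not product code and does not use the Policy API.
A normal policy is rules + subjects + conditions, and evaluate() returns
the action values that apply to one (subject, action, resource) request."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Default ports the guide gives for the URL Policy Agent service.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_resource(url: str) -> str:
    """Canonicalise an http(s) resource so that http://host and http://host:80
    compare equal, rejecting what the guide disallows (wildcards, IP hosts)."""
    if "*" in url:
        raise ValueError("wildcards are not allowed in a resource name")
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("only http:// and https:// resources can be enforced")
    host = parts.hostname
    if not host or host.replace(".", "").isdigit():
        raise ValueError("a full domain name is required; IP addresses are not allowed")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return urlunsplit((parts.scheme, f"{host}:{port}", parts.path or "/", "", ""))


@dataclass
class Rule:
    name: str
    actions: Dict[str, str]          # action -> value: {"GET": "allow"} or {"mailboxQuota": "100"}
    resource: Optional[str] = None   # None models an action defined without a resource


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    subjects: set                    # the identities this policy is assigned to
    conditions: List[Callable[[dict], bool]] = field(default_factory=list)

    def applies_to(self, subject: str, ctx: dict) -> bool:
        return subject in self.subjects and all(cond(ctx) for cond in self.conditions)


def evaluate(policies: List[Policy], subject: str, action: str,
             resource: Optional[str], ctx: dict) -> List[str]:
    """Collect the value each applicable rule assigns to `action`. Assumption
    (not spelled out in the guide): a rule matches when the requested resource
    equals, or sits under, the rule's resource prefix."""
    target = normalize_resource(resource) if resource else None
    values = []
    for policy in policies:
        if not policy.applies_to(subject, ctx):
            continue
        for rule in policy.rules:
            if action not in rule.actions:
                continue
            if rule.resource is None:
                matched = target is None
            else:
                matched = target is not None and target.startswith(normalize_resource(rule.resource))
            if matched:
                values.append(rule.actions[action])
    return values


def binary_decision(values: List[str]) -> Optional[bool]:
    """Binary allow/deny decision. Assumption for this toy: an explicit deny
    outweighs allow; None means no policy spoke, so the agent uses its default."""
    if "deny" in values:
        return False
    return True if "allow" in values else None


def office_hours(ctx: dict) -> bool:
    """The guide's example condition: applicable only from 7 am to 10 am."""
    return 7 <= ctx.get("hour", -1) < 10


# Constructed sample policies; the DNs and URLs are made up for this example.
ALICE = "uid=alice,ou=People,o=sunone.com"
PAYROLL = Policy(
    name="payroll-staff",
    rules=[Rule("payroll-web", {"GET": "allow", "POST": "deny"}, "http://www.sunone.com/payroll")],
    subjects={ALICE, "cn=HR,ou=Groups,o=sunone.com"},
    conditions=[office_hours],
)
MAIL_QUOTA = Policy(                 # non-binary decision: the value is an attribute, not allow/deny
    name="mail-quota",
    rules=[Rule("quota", {"mailboxQuota": "100"})],
    subjects={ALICE},
)
POLICIES = [PAYROLL, MAIL_QUOTA]

if __name__ == "__main__":
    print(binary_decision(evaluate(POLICIES, ALICE, "GET", "http://www.sunone.com:80/payroll/run", {"hour": 8})))
    print(evaluate(POLICIES, ALICE, "mailboxQuota", None, {}))
```

Note that the quota rule carries no resource at all, which the guide says is acceptable, and that its value is an attribute rather than allow/deny; the evaluator hands such values back unchanged for the service to administer.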




Referral Policy

An administrator might typically need to delegate one organization's policy definitions and decisions to another organization. (Alternately, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of one or more rules and one or more referrals. A rule defines the resource whose policy evaluation is being referred. The referral defines the organization to which the policy evaluation is being referred.



Note

The referred-to organization can define or evaluate policies only for those resources (or their sub-resources) that have been referred to it. This restriction, however, does not apply to the root organization. Therefore, an administrator must define management policies at the root level organization only.



There are two types of referrals bundled with Identity Server: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively. See "Creating Policies for Peer and Suborganizations" for more information.



Policy Management



You can create, delete, and modify policies through the Policy API, through the amadmin command line tool, and through the Identity Server console.

This chapter focuses on creating policies through the console. For more information on amadmin, see The amadmin Command Line Tool. For more information on the Policy API, see the "Policy Service" chapter in the Sun One Identity Server Programmer's Guide.

Policies are configured using the Identity Management interface. This interface provides a means for:

  • The Top-Level Administrator to view, create, delete and modify policies for a specific service that can be used across all organizations.

  • An organization or suborganization administrator to view, create, delete and modify policies for specific use by the organization.

In general, policy is created at the organization (or suborganization) level to be used throughout the organization's tree.

Figure 6-1   Policy View
Identity Server Console: Policy view allows you to create, modify and delete normal and referral policies.


Registering Policy Configuration Services

Registering a policy configuration service is the same as registering any type of service; it is done within the Identity Management interface. By default, the Policy Configuration service is automatically registered to the top-level organization. Any policy service you create must be registered to all organizations. To register a policy configuration service:

  1. Navigate to the Identity Management interface.

    When the console opens, the default interface is Identity Management.

  2. Choose the organization for which you would like to create policy.

    If logged in as the Top-Level Administrator, make sure that the location of the Identity Management module is the top-level organization where all configured organizations are visible. The default top-level organization is defined during installation.

  3. Choose Services from the View menu.

    If the organization already has registered services, they will be displayed in the navigation pane.

  4. Click Register in the navigation pane.

    A listing of services not yet registered to this organization is displayed in the data pane.

  5. From the Register Services window, opened in the Data pane, choose Policy Configuration and click Register.

    The Policy Configuration Service is added to the list of services in the Navigation pane.

  6. Configure the policy service by clicking the Properties arrow. If the policy template has not yet been configured, you will need to create a service template for the newly registered policy service.

    To configure the policy service, click Create. Modify the Policy Configuration attributes. See "Policy Configuration Attributes" for a description of these attributes. Click Save.

    The policy configuration service is now registered to the chosen organization.



    Note

    Suborganizations must register their policy services independently of their parent organization. In other words, the suborganization o=suborg,dc=sun,dc=com will not inherit the policy configuration service from its parent dc=sun,dc=com.




Creating Policies

Policies are created through the Identity Management interface. To create a policy:

  1. Navigate to the Identity Management interface.

  2. Choose the organization for which you would like to create a policy.

    Ensure that the location of the Policy Management window is correct for your organization.

  3. Choose Policies from the View menu.

    By default, the Organizations view is visible in the View menu. All suborganizations configured, if any, will be visible below it. If creating policies for a suborganization, choose the suborganization and then choose Policies from the View menu.

  4. Click New in the navigation pane. The New Policy window opens.

  5. Select the type of policy, normal or referral, that you wish to create.

    If a referral policy that refers to a suborganization does not exist, you will not be able to create any policies for suborganizations. For more information, see "Creating Policies for Peer and Suborganizations".

    It is not necessary to define all of the fields for normal or referral policies at this time. You may create the policy, then add rules, subjects, referrals, and so forth, later. For information on configuring normal and referral policies, see "Modifying Policies".

  6. Type a name for the policy and click Next.

    The new policy rule window opens under the policy name created.

  7. By default, the General view is displayed.

    The General view displays the name of the policy and allows you to enter a description of the policy that is to be created.

  8. Click Create to complete the policy's configuration.


Modifying Policies

Once a normal or referral policy is created, you can modify the rules, subjects, conditions and referrals.

  1. From the Identity Management interface, select Policies from the View menu.

    The policies that were created for that organization are displayed.

  2. Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data pane.

    By default, the General view is displayed.


Modify a Normal Policy

Through the Identity Management interface, you can create a policy that defines access permissions. Such a policy is referred to as a normal policy. A normal policy can consist of multiple rules, subjects, and conditions. This section lists and defines the default fields that you can specify when creating a normal policy.


Adding Rules
Rules define the resource, actions and action values of the policy. To add rules to a normal policy:

  1. From the Identity Management interface, select Policies from the View menu.

    The policies that were created for that organization are displayed.

  2. Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data pane.

    By default, the General view is displayed.

  3. To define rules for the policy, select Rules from the View menu and click Add.

    If more than one policy service exists, they will be listed in the Navigation pane. Choose the policy service for which you wish to create a policy and click Next. The Add Rule window is displayed.

  4. Define the resource, actions and action values in the Rules fields.

    The fields are:

    Service

    Displays the policy service for the policy to be created.

    Name

    This field allows you to enter the name of the rule.

    Resource Name

    This field allows you to enter the name of a resource. For example:

    http://www.sunone.com

    Currently, the only resources that can be enforced are http:// and https:// addresses.

    You must enter a full domain name. Wildcards and IP addresses are not allowed.

    For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.

    Select Actions

    For the URL Policy Agent Service, you can select either or both of the following default actions:

    • GET

    • POST

    Select Action Values

    For the URL Policy Agent Service, you can choose one of the following action values:

    • allow lets you access the resource matching the resource defined in the rule.

    • deny denies access to the resource matching the resource defined in the rule.



    Note

    If the policy service is defined so that an action does not need resource definitions, the resource field will not be displayed. If the service contains both types of actions (some requiring resources, some without resources), an option is displayed to select rules with actions requiring no resources, or rules with actions requiring resources.



  5. Click Create to save the rule.

  6. Repeat steps 1 - 5 to create additional rules.

  7. All of the rules created for that policy are displayed in the table in the Rules view. Click Save to add the rules to the policy.

    To remove a rule from a policy, select the rule and click Remove.

    You can edit any rule definition by clicking on the Edit link next to the rule name.


Adding Subjects
Subjects define the subject to which the policy will apply. To add subjects to a policy:

  1. To define the subject for the policy, select Subject from the View menu and click Add.

  2. Select one of the default subject identities:

    • Identity Server Roles

    • LDAP Groups

    • LDAP Roles

    • LDAP Users

    • Organization

    Click Next to continue.

  3. Enter a name for the subject. Click Add.

  4. Perform a search in order to display the identities to add to the subject.

    The default (*) search pattern will display the qualified entries.

  5. Select the identities that you wish to add for the subject and click Create.

  6. All of the subjects created for that policy are displayed in the table in the Subjects view. Select the subjects that you wish to add to the policy and click Save.

    To remove a subject from a policy, select the subject and click Remove.

    You can edit any subject definition by clicking on the Edit link next to the subject name.


Adding Conditions
Conditions allow you to define constraints on the policy. For example, if you are defining policy for a paycheck application, you can define a condition on this action limiting access to the application only during specific hours. Additionally, you may wish to define a condition that only grants this action if the request originates from a given set of IP addresses or from a company intranet. To add conditions to a normal policy:

  1. To define conditions for the policy, select Conditions from the View menu. Click Add to add a new condition, or click the Edit link to edit an existing condition.

  2. Select one of the following default conditions:

    • Authentication Level

    • Authentication Scheme

    • IP Address

    • Time

    Click Next.

  3. Define the values for a given condition in the Conditions fields. The fields are:

    Authentication Level

    name

    This field allows you to enter the name of the condition.

    authentication level

    The authentication level value indicates how much to trust authentications.

    Authentication Scheme

    name

    This field allows you to enter the name of the condition.

    authentication scheme

    This field allows you to choose from the pull-down menu the authentication scheme for the condition.

    IP Address

    name

    This field allows you to enter the name of the condition.

    IP Address To/From

    This field allows you to specify the range of IP addresses, inclusive of both boundaries.

    DNS Name

    This field allows you to specify the DNS name.

    Time

    name

    This field allows you to enter the name of the condition.

    Date To/From

    This field allows you to specify the range of the date.

    Time

    This field allows you to specify the range of time within a day.

    Day

    This field allows you to specify a range of days.

    Timezone

    This field allows you to specify a timezone, either standard or custom.

  4. Once you have defined the condition, click Create.

  5. All of the conditions created for that policy are displayed in the table in the Conditions view. Select the conditions that you wish to add to the policy and click Save.

    To remove a condition from a policy, select the condition and click Remove.

    You can edit any condition definition by clicking on the Edit link next to the condition name.
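The four default condition types (Authentication Level, Authentication Scheme, IP Address and Time) as evaluators over a request context, added here as an illustration rather than product code. The context keys (auth_level, auth_scheme, client_ip, client_dns, now), the fixed-offset model of the timezone field, the "*.domain" form of the DNS name and all sample values are assumptions of the example, not details the guide states.

```python
"""Evaluators for the four default condition types, added as an illustration
(not product code). `ctx` is the request context a policy engine would know:
authentication level and scheme, client IP or DNS name, and an aware datetime.
Timezones are modelled as fixed UTC offsets, a simplification of the guide's
"standard or custom" timezone field."""
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import List, Optional

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


@dataclass
class AuthLevelCondition:
    name: str
    level: int                          # minimum level; a higher level means a more trusted authentication

    def holds(self, ctx: dict) -> bool:
        return ctx.get("auth_level", 0) >= self.level


@dataclass
class AuthSchemeCondition:
    name: str
    scheme: str                         # e.g. "LDAP" or "Cert"

    def holds(self, ctx: dict) -> bool:
        return ctx.get("auth_scheme") == self.scheme


@dataclass
class IPAddressCondition:
    name: str
    ip_from: Optional[str] = None       # inclusive From/To boundaries
    ip_to: Optional[str] = None
    dns_name: Optional[str] = None      # exact host, or "*.domain" for a whole domain (assumption)

    def holds(self, ctx: dict) -> bool:
        if self.ip_from and self.ip_to and "client_ip" in ctx:
            ip = ipaddress.ip_address(ctx["client_ip"])
            if ipaddress.ip_address(self.ip_from) <= ip <= ipaddress.ip_address(self.ip_to):
                return True
        if self.dns_name and "client_dns" in ctx:
            host, pat = ctx["client_dns"].lower(), self.dns_name.lower()
            return host.endswith(pat[1:]) if pat.startswith("*.") else host == pat
        return False


@dataclass
class TimeCondition:
    name: str
    date_from: Optional[date] = None
    date_to: Optional[date] = None
    time_from: Optional[time] = None    # window within a day; wraps past midnight if from > to
    time_to: Optional[time] = None
    day_from: Optional[str] = None      # "mon".."sun", inclusive
    day_to: Optional[str] = None
    tz_offset_hours: float = 0.0

    def holds(self, ctx: dict) -> bool:
        local = ctx["now"].astimezone(timezone(timedelta(hours=self.tz_offset_hours)))
        if self.date_from and local.date() < self.date_from:
            return False
        if self.date_to and local.date() > self.date_to:
            return False
        if self.day_from and self.day_to:
            lo, hi, d = DAYS.index(self.day_from), DAYS.index(self.day_to), local.weekday()
            if not (lo <= d <= hi if lo <= hi else (d >= lo or d <= hi)):
                return False
        if self.time_from and self.time_to:
            t, lo_t, hi_t = local.time(), self.time_from, self.time_to
            if not (lo_t <= t < hi_t if lo_t <= hi_t else (t >= lo_t or t < hi_t)):
                return False
        return True


def all_hold(conditions: List, ctx: dict) -> bool:
    """A policy is applicable only when every one of its conditions holds."""
    return all(c.holds(ctx) for c in conditions)


def when(day: int, hour: int, minute: int = 0, utc_offset_hours: float = -8) -> datetime:
    """Constructed aware timestamp in December 2002 for the sample contexts."""
    return datetime(2002, 12, day, hour, minute, tzinfo=timezone(timedelta(hours=utc_offset_hours)))


# Constructed example: the paycheck application from the text, reachable only
# with a strong authentication, from the intranet, on weekday mornings (UTC-8).
PAYCHECK_CONDITIONS = [
    AuthLevelCondition("strong-auth", 2),
    IPAddressCondition("intranet", "10.1.0.0", "10.1.255.255", dns_name="*.corp.example"),
    TimeCondition("weekday-mornings", time_from=time(7), time_to=time(10),
                  day_from="mon", day_to="fri", tz_offset_hours=-8),
]
INSIDE = {"auth_level": 2, "client_ip": "10.1.4.7", "now": when(4, 8, 30)}   # Wednesday 08:30
TOO_LATE = dict(INSIDE, now=when(4, 11))
OFF_NET = dict(INSIDE, client_ip="192.0.2.10")

if __name__ == "__main__":
    for label, ctx in ("inside", INSIDE), ("too late", TOO_LATE), ("off-net", OFF_NET):
        print(label, all_hold(PAYCHECK_CONDITIONS, ctx))
```

The time check converts the request timestamp into the condition's timezone before comparing, so a policy written for Pacific office hours gives the same answer whether the request arrives stamped in UTC or local time.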


Modify a Referral Policy

Through the Identity Management interface you can delegate an organization's policy definitions and decisions to another organization. (You can also delegate policy decisions for a resource to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of a rule and the referral itself. If the policy service contains actions that do not require resources, referral policies cannot be created for suborganizations.


Adding Rules
Rules define the resource of the policy. To add rules to a referral policy:

  1. To define rules for the policy, select Rules from the View menu. Click Add to add a new rule, or click the Edit link to edit an existing rule.

  2. Define the resource in the Rules fields. The fields are:

    Service

    Displays the policy service for the policy to be created.

    Name

    This field allows you to enter the name of the rule.

    Resource Name

    This field allows you to enter the name of a resource. For example:

    http://www.sun.com

    Currently, the only resources that can be enforced are http:// and https:// addresses.

    You must enter a full domain name. Wildcards and IP addresses are not allowed.

    For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.

  3. Click Create to save the rule.

  4. Repeat steps 1 - 3 to create additional rules.

  5. All of the rules created for that policy are displayed in the table in the Rules view. Select the rules that you wish to add to the policy and click Save.

    To remove a rule from a policy, select the rule and click Remove.

    You can edit any rule definition by clicking on the Edit link next to the rule name.


Adding Referrals
The referral defines the organization to which the policy evaluation is being referred. By default, there are two types of referrals: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively.

To add a referral:

  1. To define referrals for the policy, select Referrals from the View menu. Click Add to add a new referral, or click the Edit link to edit an existing referral.

  2. Define the referral in the Referral fields. The fields are:

    referral

    Displays the current referral.

    Name

    This field allows you to enter the name of the referral.

  3. Click Create to save the referral.

    To remove a referral from a policy, select the referral and click Remove.

    You can edit any referral definition by clicking on the Edit link next to the referral name.


Creating Policies for Peer and Suborganizations

In order to create policies for peer or suborganizations, you must first create a referral policy in the parent (or another peer) organization. The referral policy must contain, in its rule definition, the resource prefix that is being managed by the suborganization. Once the referral policy is created in the parent organization (or another peer organization), normal policies can be created at the suborganization (or peer organization).

The Identity Server policy framework does not allow the creation of referral policies if the action name does not contain resource names. In other words, if the action does not include any resource names, policies can only be created under the root organization, not under the suborganization.

In this example, o=isp is the parent organization, o=sun.com is the suborganization and manages resources and sub-resources of http://www.sun.com. To create a policy for this suborganization, follow these steps:

  1. Create a referral policy at o=isp. For information on referral policies, see the procedure "Modify a Referral Policy".

    The referral policy must define http://www.sun.com as the resource in the rule, and must contain a SubOrgReferral with sun.com as the value in the referral.

  2. Go to the Organization view and navigate to the suborganization sun.com.

  3. Ensure that the policy configuration service is registered at the suborganization level, sun.com. For information, see "Registering Policy Configuration Services".

  4. Now that the resource is referred to sun.com by isp, normal policies can be created for the resource http://www.sun.com, or for any resource starting with http://www.sun.com.

    See the procedure "Modify a Normal Policy" for information on creating normal policies.

    To define policies for other resources managed by sun.com, additional referral policies must be created at isp.
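The scenario above (o=isp referring http://www.sun.com to the suborganization sun.com), modelled in Python as an added example; it is not Identity Server code. It enforces the two restrictions this chapter states: a non-root organization may only define or evaluate policies for resources (or sub-resources) referred to it, and a referral policy cannot be created from actions that carry no resource names. The registry, the startswith prefix matching, the loop guard and the allow/deny strings are assumptions of the example.

```python
"""Referral-policy check, added as an illustration (not product code): which
resources a suborganization may define policies for, given the referral
policies of its parent, and how evaluation follows a referral. Organization
names and resources follow the guide's o=isp / o=sun.com example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Referral:
    kind: str       # "SubOrgReferral" or "PeerOrgReferral", the two bundled referral types
    target: str     # organization the policy evaluation is referred to


@dataclass
class ReferralPolicy:
    name: str
    resources: List[str]        # resource prefixes named by the policy's rules
    referrals: List[Referral]

    def __post_init__(self) -> None:
        # The framework refuses referral policies whose actions carry no resource names.
        if not self.resources:
            raise ValueError("a referral policy needs at least one rule with a resource")


@dataclass
class Organization:
    name: str
    parent: Optional[str] = None                                   # None marks the root organization
    referral_policies: List[ReferralPolicy] = field(default_factory=list)
    normal_policies: Dict[str, str] = field(default_factory=dict)  # resource prefix -> "allow"/"deny" (toy)


Registry = Dict[str, Organization]


def referred_prefixes(org: str, registry: Registry) -> List[str]:
    """Resource prefixes that other organizations' referral policies hand to `org`."""
    return [res
            for other in registry.values()
            for rp in other.referral_policies
            if any(ref.target == org for ref in rp.referrals)
            for res in rp.resources]


def may_define_policy(org: str, resource: str, registry: Registry) -> bool:
    """Root may define policy for any resource; every other organization only for
    resources (or sub-resources) that have been referred to it."""
    if registry[org].parent is None:
        return True
    return any(resource.startswith(prefix) for prefix in referred_prefixes(org, registry))


def define_normal_policy(org: str, resource: str, decision: str, registry: Registry) -> None:
    """Create a normal policy at `org`, refusing resources nobody referred to it."""
    if not may_define_policy(org, resource, registry):
        raise PermissionError(f"{org}: no referral covers {resource}")
    registry[org].normal_policies[resource] = decision


def evaluate(org: str, resource: str, registry: Registry,
             seen: Optional[Set[str]] = None) -> Optional[str]:
    """Decision for `resource` starting at `org`: local normal policies first, then
    any referral whose rule covers the resource. `seen` guards against referral loops."""
    seen = seen or set()
    if org in seen:
        return None
    seen.add(org)
    for prefix, decision in registry[org].normal_policies.items():
        if resource.startswith(prefix):
            return decision
    for rp in registry[org].referral_policies:
        if any(resource.startswith(prefix) for prefix in rp.resources):
            for ref in rp.referrals:
                decision = evaluate(ref.target, resource, registry, seen)
                if decision is not None:
                    return decision
    return None


def build_example() -> Registry:
    """The guide's scenario: o=isp refers http://www.sun.com to suborganization sun.com."""
    isp = Organization("isp")
    sun = Organization("sun.com", parent="isp")
    isp.referral_policies.append(ReferralPolicy(
        "refer-sun", ["http://www.sun.com"], [Referral("SubOrgReferral", "sun.com")]))
    registry = {"isp": isp, "sun.com": sun}
    define_normal_policy("sun.com", "http://www.sun.com/docs", "allow", registry)
    return registry


if __name__ == "__main__":
    reg = build_example()
    print(evaluate("isp", "http://www.sun.com/docs/index.html", reg))   # reached via the referral
    print(may_define_policy("sun.com", "http://www.java.com", reg))     # nothing referred for this host
```

A request evaluated at the root for http://www.sun.com/docs/index.html finds no normal policy at isp, follows the SubOrgReferral to sun.com and returns that organization's decision; for a resource outside the referred prefix, sun.com can neither define nor be asked to evaluate a policy until isp adds another referral.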


Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 04, 2002