Administrator Guide


Policies and Rules

This chapter describes how to use policies and rules to control access to AquaLogic Ensemble resources. It is divided into the following sections:

 


About Policies and Rules

Each non-login resource has an associated policy set. A policy set is a collection of policies that control access to a resource. Each policy grants access to a resource based on two criteria:

For details on creating and configuring policies, see Policies.

Rules describe a set of criteria that must be met. If the criteria are met, the rule evaluates to true. For example, a rule could restrict access to business hours or evaluate to true when the user's client is a specific browser. For details on creating and configuring rules, see Rules.

In addition to controlling access to a resource, policies associate a role with the user. Role information is sent to the proxied application, allowing the application to determine the correct access level for the user. Since more than one policy can be granted for a given user on a given resource, more than one role can be associated with a user. Roles are created with the resource configuration. For details on configuring roles, see Roles.

 


Policies

When you create a resource, Ensemble creates a default policy set for that resource. Policy sets map to resources 1:1. The name of the policy set is the same as the name of the resource and cannot be changed.

When Ensemble creates the policy set, it creates a default policy for that policy set. The default policy grants the Administrator user access to the resource. You can edit or delete this policy, and you can add new policies.

Creating a New Policy

To create a new policy:

  1. Launch the Ensemble Console.
  2. Click the POLICIES tab.
  3. Click the Policy Sets sub-tab.
  4. Click the name of the policy set associated with the resource you are configuring.
  5. On the Policies page, click Add policy.

Configuring a Policy

A policy consists of four properties:

At minimum, a policy must have a name, a mapped resource role, and an associated rule.

To configure a policy:

  1. Launch the Ensemble Console.
  2. Click the POLICIES tab.
  3. Click the Policy Sets sub-tab.
  4. Click the name of the policy set associated with the resource you are configuring.
  5. On the Policies page, expand the policy you want to configure by clicking the icon.
  6. Type a Name for the policy.
  7. Associate a role with the policy. In the Maps to Resource Role drop-down list, select a role.
  8. Associate one or more rules with the policy:
    1. Click Add Rule.
    2. Select the rule or rules you want to add.
    3. Click Add selected items.
    4. Click OK.
    5. Select ANY or ALL. When ANY is selected and one or more rules evaluate to true, the policy evaluates to true (provided any user and group restrictions are satisfied). When ALL is selected, all rules must evaluate to true.
  9. Restrict the policy to specific users or groups (optional).
    1. Click Add User or Group.
    2. Select the users or groups you want to add.
    3. Click Add selected items.
    4. Click OK.

To delete users, groups, or rules, highlight the item to be deleted and click Delete.

Authentication Levels

Authentication levels determine the minimum credential level required to access a resource. Ensemble checks the authentication level of a policy set before it evaluates any policies. If the user is not logged in, or is logged in with credentials lower than the set authentication level, he is challenged with the authentication method.

For details on authentication, see Proxy Authentication.

Configuring Anonymous Access

Anonymous access allows users to access a resource without providing credentials. This is useful for resources such as login resources, where the user is not expected to be authenticated prior to accessing the resource.

To configure anonymous access:

  1. Launch the Ensemble Console.
  2. Click the POLICIES tab.
  3. Click the Policy Sets sub-tab.
  4. Click the name of the policy set associated with the resource you want to configure for anonymous access.
  5. Set the authentication level to Anonymous. In the Minimum Credential Level drop-down, select 0 (Anonymous).
  6. When prompted, create an anonymous policy. Select a resource role from the drop-down and click Create anonymous policy.
  7. Click Save.

A new policy, Anonymous policy, is created. This policy always evaluates to true for any user.

 


Rules

Rules are defined by one or more rule types. A rule type is a single condition that evaluates to true or false. The rule is configured so that either any or all of the rule types must evaluate to true for the rule to evaluate to true. The following table describes the available rule types:

Table 7-1 Rule Types

| Rule Type | Description |
|---|---|
| Client IP | Evaluates to true if this value matches the user's IP. You can configure the Client IP rule to match a range of IP addresses by using regular expressions. |
| Date | You can set the Date rule to be equal to, greater than, less than, greater than or equal to, or less than or equal to a given date. You can combine two Date rule types to provide access over a range of dates. |
| User | Evaluates to true if this value is the current user. |
| Secure connection | Evaluates to true if the connection is secure (HTTPS). |
| Time | You can set the Time rule to be equal to, greater than, less than, greater than or equal to, or less than or equal to a given time. You can combine two Time rule types to provide access over a period of time. |
| Browser | Evaluates to true if this value matches the user's browser type. |
| Group membership | Evaluates to true if this value is a group of which the user is a member. |
| Non-secure connection | Evaluates to true if the connection is not secure (HTTP). |
| Day of Week | Evaluates to true if this value is equal to the current day of the week. |
| Locale | Evaluates to true if this value matches the user's locale. |
| User property | Evaluates to true if this value matches the user's property value. |
| Always true | Always evaluates to true. |
| Always false | Always evaluates to false. |
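
Because the Client IP rule type matches address ranges with regular expressions, a pattern should be checked against the range it is meant to cover before it is used in a rule. The following check is an added example, not part of the Ensemble product or its documentation; the patterns, the range, and the probe addresses are constructed, and because this page does not say whether Ensemble anchors the expression, both behaviours are tested.

```python
import ipaddress
import re

def audit_ip_pattern(pattern, intended_cidr, probes, anchored):
    """List probes where the regex decision disagrees with CIDR membership."""
    net = ipaddress.ip_network(intended_cidr)
    rx = re.compile(pattern)
    # anchored=True models whole-string matching, False models substring search.
    match = rx.fullmatch if anchored else rx.search
    report = {"over_match": [], "under_match": []}
    for probe in probes:
        wanted = ipaddress.ip_address(probe) in net
        matched = match(probe) is not None
        if matched and not wanted:
            report["over_match"].append(probe)    # rule would be true for an outside address
        elif wanted and not matched:
            report["under_match"].append(probe)   # rule would be false for an inside address
    return report

# Constructed sample values (assumptions, not taken from the guide).
INTENDED = "10.1.2.0/24"
LOOSE = "10.1.2.*"                       # unescaped dots act as wildcards, no anchors
STRICT = r"^10\.1\.2\.[0-9]{1,3}$"       # escaped dots, anchored at both ends
PROBES = ["10.1.2.7", "10.1.2.255", "10.1.20.7",
          "110.1.2.7", "10.112.5.9", "192.0.2.10"]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        for anchored in (False, True):
            print(name, "anchored" if anchored else "search",
                  audit_ip_pattern(pattern, INTENDED, PROBES, anchored))
```
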

Creating and Editing Rules

You create rules in the rule library. To create a new rule:

  1. Launch the Ensemble Console.
  2. Click the POLICIES tab.
  3. Click the Rule Library sub-tab.
  4. To create a new rule, click Create new.
  5. On the General page, in the Name box, type the name of the rule.
  6. Type a Description of the rule.
  7. On the Definition page, click Add.
  8. Either select the rule type to create or click on an existing rule.
  9. Existing rules can be added as rule types. This allows compound rules to be formed. For example, a rule might evaluate to true if any of three users is accessing the resource from a secure connection. A rule type is created that evaluates to true for any of the three users. That rule type is added to a rule type where it and the Secure connection rule type must evaluate to true.

  10. Add the rule type by clicking OK.
  11. Click Add to add another rule type or finish creating the rule by clicking Save.
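
The evaluation order described in this chapter (authentication level first, then each policy's user and group restriction and its ANY/ALL rule combination, with roles accumulating across granting policies) can be modelled to reason about a policy set before building it in the console. This model is an added example, not Ensemble code; the request fields, user names, roles, and the "deny when no policy grants" outcome are assumptions, and it includes the compound "three users over a secure connection" rule from the procedure above.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Rule types (predicates or nested Rules) combined with ANY or ALL."""
    name: str
    parts: list
    mode: str = "ALL"

    def evaluate(self, req):
        results = (p.evaluate(req) if isinstance(p, Rule) else p(req) for p in self.parts)
        return any(results) if self.mode == "ANY" else all(results)

@dataclass
class Policy:
    name: str
    role: str
    rules: list
    mode: str = "ALL"
    principals: set = field(default_factory=set)  # empty set: no user/group restriction

    def grants(self, req):
        who = {req["user"], *req["groups"]}
        if self.principals and not (who & self.principals):
            return False
        combine = any if self.mode == "ANY" else all
        return combine(rule.evaluate(req) for rule in self.rules)

def evaluate_policy_set(min_level, policies, req):
    """Credential level is checked before any policy; granted roles accumulate."""
    if req["cred_level"] < min_level:
        return "challenge", []
    roles = sorted({p.role for p in policies if p.grants(req)})
    return ("allow" if roles else "deny"), roles  # assumption: no granting policy means deny

def user_is(name):
    return lambda req: req["user"] == name

# Constructed sample data: the compound rule from the text, plus three policies.
three_users = Rule("three-users", [user_is("alice"), user_is("bob"), user_is("carol")], "ANY")
secure_three = Rule("secure-three-users", [three_users, lambda req: req["secure"]], "ALL")
always_true = Rule("always-true", [lambda req: True])
POLICIES = [
    Policy("default", "admin", [always_true], principals={"Administrator"}),
    Policy("editors", "editor", [secure_three]),
    Policy("staff", "viewer", [always_true], principals={"staff"}),
]

def request(user, groups=(), secure=True, cred_level=1):
    return {"user": user, "groups": list(groups), "secure": secure, "cred_level": cred_level}
```
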

Published Rules

You can configure a rule to be published or not published. A published rule can be added to a policy. An unpublished rule can be used only as a rule type for other rules.

To publish a rule, from the rule's General page, select Is published. To unpublish the rule, clear the check box next to Is published.

Note: If the rule is currently being used in a policy, it cannot be unpublished.
