
Integrating ALES with Application Environments


Securing ALES Components

ALES is itself secured using the same policy model used to secure any other application. This chapter explains the default policies controlling administrative access to ALES and how to use the Administration Console to customize these defaults to local needs.

Information is provided in the following sections.

Overview

Installing ALES creates a number of database objects that collectively define access to ALES components. These objects provide rudimentary security at startup; use the Administration Console to define administrative access more completely.

The default database objects are listed below and are more fully described in sections that follow.

Table 2-1 Default Database Objects Defining Access to ALES

| Object Type | Description |
|---|---|
| Resource | A representation of ALES components is defined in a separate tree under a root resource named ASI. Policies can be assigned to a resource representing an ALES component and thereby define access to that component. |
| Identity | A number of users, groups, and roles that reflect usage of ALES are provided. In particular, a user named system is set up as having complete administrative rights to the database. |
| Role Mapping Policies | A number of role mapping policies are provided that assign some of the default roles to users/groups. |
| Authorization Policies | A number of authorization policies are provided that assign privileges to roles/groups/users on specific resources in the ASI resource tree. |

ALES Resources

ALES components are represented under the ASI resource tree, as shown in the figure below.

Figure 2-1 Representation of ALES Components



Administrative Operations

Table 2-2 describes resource objects that define the administrative operations that are performed using the Administration Console. By default, these resources are contained within //app/policy/ASI/admin.

Table 2-2 Resources Defining Administrative Operations

| Resource Name | Description |
|---|---|
| admin/Declaration/Attribute | Used to protect operations on attribute declarations. |
| admin/Declaration/Constant | Used to protect operations on constant declarations. |
| admin/Declaration/Enumeration | Used to protect operations on enumeration declarations. |
| admin/Declaration/EvaluationFunction | Used to protect operations on evaluation function declarations. |
| admin/Identity/Directory/Instance | Used to protect operations on identity directory instances. |
| admin/Identity/Directory/AttributeMapping/Single | Used to protect operations on what scalar attributes may be assigned to users within a directory. |
| admin/Identity/Directory/AttributeMapping/List | Used to protect operations on what vector attributes may be assigned to users within a directory. |
| admin/Identity/Subject/User | Used to protect operations on users. |
| admin/Identity/Subject/Group | Used to protect operations on groups. |
| admin/Identity/Subject/Password | Used to protect operations on user passwords. |
| admin/Identity/Subject/AttributeAssignment/Single | Used to protect operations on scalar subject attribute values. |
| admin/Identity/Subject/AttributeAssignment/List | Used to protect operations on vector subject attribute values. |
| admin/Resource/Instance | Used to protect operations on resources. |
| admin/Resource/AttributeAssignment/Single | Used to protect operations on scalar resource attribute values. |
| admin/Resource/AttributeAssignment/List | Used to protect operations on vector resource attribute values. |
| admin/Resource/MetaData/LogicalName | Used to protect operations on setting the "logical name" resource metadata. |
| admin/Resource/MetaData/IsApplication | Used to protect operations on setting the "is application" resource metadata. |
| admin/Resource/MetaData/IsDistributionPoint | Used to protect operations on setting the "is distribution point" metadata. |
| admin/Policy/Grant | Used to protect operations on grant policies. |
| admin/Policy/Deny | Used to protect operations on deny policies. |
| admin/Policy/Delegate | Used to protect operations on delegate policies. |
| admin/Policy/Action/Role/Instance | Used to protect operations on roles (when used as actions). |
| admin/Policy/Action/Privilege/Instance | Used to protect operations on privileges. |
| admin/Policy/Action/Privilege/Group | Used to protect operations on privilege groups. |
| admin/Policy/Analysis/InquiryQuery | Used to protect operations on policy inquiries. |
| admin/Policy/Analysis/VerificationQuery | Used to protect operations on policy verification. |
| admin/Infrastructure/Engines/ARME | Used to protect operations on definitions of the Authorization and Role Mapping Engine (ARME). |
| admin/Infrastructure/Engines/SCM | Used to protect operations on definitions of the Service Control Manager (SCM). |
| admin/Infrastructure/Management/BulkManager | Used to protect operations on the policy loader. |
| admin/Policy/Repository | Used to protect operations on the policy repository. |

Privileges

Table 2-3 lists and describes the default privileges that may be assigned.

Table 2-3 Privileges

| Privilege | Explanation |
|---|---|
| create | Create a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |
| view | View the contents of a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |
| delete | Delete a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |
| cascadeDelete | Delete an element and its sub-elements (no permission check is made on sub-elements), including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |
| rename | Rename a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |
| modify | Modify the contents of a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |
| listAll | Filter lists of instances based on a pattern specification. |
| addMember | Add a member to a group. |
| removeMember | Remove a member from a group. |
| execute | Execute a policy analysis query. |
| deployUpdate | Deploy a policy update. |
| deployStructuralChange | Deploy a structural change. |
| bind | Bind a resource to an ASI Authorization and ASI Role Mapping provider. |
| unbind | Unbind a resource from an ASI Authorization and ASI Role Mapping provider. |
| login | Log on to the Administration Application, including the Administration Console and the Policy Import and Export tools. |
| copy | Copy a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups. |

Context Attributes

Context attributes can be used to provide fine-grained protection of policy operations. For example, when creating a privilege, the name of the privilege can be supplied as an attribute and used to control access to a single unique privilege.

Table 2-4 describes the default context attributes.

Table 2-4 Context Attributes

| Attribute Name | Data Type | Description |
|---|---|---|
| declaration | string | Name of a declaration. |
| data_type | string | The name of a data type, for example string, integer, or date. |
| attribute_usage_type | Enumeration (resource_attribute, subject_attribute, dynamic_attribute) | Specifies the type of policy element with which an attribute declaration is associated. |
| new_name | string | Generic attribute used when renaming elements. |
| new_attribute_usage_type | Enumeration (resource_attribute, subject_attribute, dynamic_attribute) | The new value for this item, used in modify operations. |
| value | string | Generic attribute used to represent the value of an element. |
| values | list of strings | Generic attribute used to represent the value of an element as a list. |
| directory | string | The name of a directory. |
| attribute | string | The name of an attribute. |
| default_value | string | The default value of an attribute. |
| default_values | list of strings | The default value of a list attribute. |
| new_default_value | string | Used in modification operations to represent the new default value of an attribute. |
| new_default_values | list of strings | Used in modification operations to represent the new default value of a list attribute. |
| subject_name | string | The name of a subject. |
| subjects | list of strings | A list of subjects. |
| groups | list of strings | The group membership of the subject. |
| subject_type | Enumeration (user_subject, group_subject, role_subject) | The type of subject. |
| member_subject_type | Enumeration (user_subject, group_subject, role_subject) | The type of the subject group member. |
| member_subject | string | Name of a subject group member. |
| action | string | Name of the action. |
| action_type | Enumeration (privilege_action, role_action) | Type of the action. |
| resource | string | The name of the resource. |
| resources | list of strings | A list of resources. |
| constraint | string | The constraint of a policy; this is the portion between the `if` and the `;`, exclusive. |
| new_action | string | Name of the new action in a modified policy. |
| new_action_type | string | New action type in a modified policy. |
| new_resource | string | New resource in a modified policy. |
| new_subject_name | string | New subject name. |
| new_constraint | string | New constraint in a modified policy. |
| delegator | string | The name of the delegator in a policy. |
| new_delegator | string | New delegator in a modified policy. |
| actions | list of strings | A set of actions. |
| action_groups | list of strings | A list of privilege group names. |
| action_group | string | The name of a privilege group. |
| parent_resource | string | The parent of the resource. |
| meta_data | string | The name of the metadata item. |
| logical_name | string | The logical name of a resource. |
| deleted_directories | list of strings | A list of deleted directories. |
| deleted_engines | list of strings | A list of deleted engines. (1) |
| deployed_engines | list of strings | A list of deployed engines. |
| deleted_bindings | list of strings | A list of deleted engine binding node pairs. |
| deleted_applications | list of strings | A list of deleted applications. |
| engine | string | The name of an ARME or SCM cluster. |
| engine_bindings | list of strings | A list of bindable resources bound to the ARME or SCM. |
| owner | string | The owner of an analysis query. |
| effect_type | Enumeration (grant_effect, deny_effect, delegate_effect) | The type of role mapping and authorization policy effect. |
| title | string | The title of an analysis query. |

(1) The term engine refers to an ASI Authorization provider and an ASI Role Mapper provider that are configured to operate in conjunction with one another, also referred to as the ARME. This combination of providers is configured to manage your authorization and role mapping policies.

Evaluation Functions

The evaluation functions listed in Table 2-5 are provided for writing custom administration policies. They may be used in the constraint portion of policies to limit the applicability of the policy based on contextual information.

Table 2-5 Evaluation Functions

| Function Name | Description |
|---|---|
| resource_is_child(c,p,[d]) | Check whether c is a child of p. d is a Boolean standing for "direct". By default, d is true, meaning check whether c is directly a child of p. If false, then c may be a descendant of p at any depth. |
| subject_in_directory(s,d) | Check whether subject s is in directory d. This does not guarantee that either s or d exists, only that, based on the name, one would be in the other. |
| subject_is_group(s), subject_is_user(s), subject_is_role(s) | Check whether the subject is a group, user, or role. |
| action_is_privilege(a), action_is_role(a) | Check whether the action is a privilege or a role. |
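The name-based semantics in Table 2-5, written out as an added Python example (this is illustrative code, not ALES's own implementation). It assumes the naming forms that appear elsewhere on this page (//app/policy/ASI/admin for resources, //user/asi/system/ and //sgrp/asi/allusers/ for subjects, //role/Admin for roles, //priv/delete for privileges) and that a directory is referred to by its bare name, such as asi. Comparing path segments rather than string prefixes is what keeps resource_is_child from treating a sibling whose name merely shares a prefix as a child, and subject_in_directory is purely lexical, exactly as the table warns.

```python
"""Name-based implementations of the evaluation functions in Table 2-5.

Constructed example, not ALES code. Assumed naming (taken from this page):
resources //app/policy/ASI/..., users //user/<dir>/<name>/, groups
//sgrp/<dir>/<name>/, roles //role/<name>, privileges //priv/<name>.
A directory is named by its bare name (e.g. 'asi'). Nothing here consults a
policy store; every check is decided from the names alone.
"""


def _segments(name):
    """'//app/policy/ASI/admin' -> ['app', 'policy', 'ASI', 'admin']."""
    return [s for s in name.strip("/").split("/") if s]


def resource_is_child(c, p, d=True):
    """True if c is a direct child of p (d=True) or a descendant at any depth (d=False).

    Segment-wise comparison: //app/policy/ASIx/admin is NOT under //app/policy/ASI.
    """
    cs, ps = _segments(c), _segments(p)
    if len(cs) <= len(ps) or cs[: len(ps)] != ps:
        return False
    return len(cs) == len(ps) + 1 if d else True


def subject_in_directory(s, d):
    """True if, by name alone, subject s lives in directory d.

    Only users (//user/<dir>/...) and groups (//sgrp/<dir>/...) have a directory;
    roles (//role/...) never do. Existence of s or d is not checked.
    """
    segs = _segments(s)
    return len(segs) >= 3 and segs[0] in ("user", "sgrp") and segs[1] == d


def subject_is_user(s):
    return _segments(s)[:1] == ["user"]


def subject_is_group(s):
    return _segments(s)[:1] == ["sgrp"]


def subject_is_role(s):
    return _segments(s)[:1] == ["role"]


def action_is_privilege(a):
    return _segments(a)[:1] == ["priv"]


def action_is_role(a):
    return _segments(a)[:1] == ["role"]


if __name__ == "__main__":
    # Direct child vs. any-depth descendant, as the d flag in Table 2-5 describes.
    print(resource_is_child("//app/policy/ASI/admin/Policy/Grant", "//app/policy/ASI"))
    print(resource_is_child("//app/policy/ASI/admin/Policy/Grant", "//app/policy/ASI", False))
    print(subject_in_directory("//user/asi/system/", "asi"))
```

A constraint such as `if resource_is_child(resource, //app/policy/ASI/admin/Policy, false)` would, under these semantics, apply to every node below admin/Policy, while the default `d=true` form restricts a policy to the immediate children only.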

Authorization Queries

Table 2-6 describes the contextual data supplied when each administrative operation is authorized. This data may be referenced when writing policies that protect the Administration Console.

Table 2-6 Context Attributes and Administrative Access

| Admin Resource | Privilege | Context attributes | Description |
|---|---|---|---|
| Declaration/Attribute | create | declaration | Queried when user attempts to create a new attribute declaration. |
| | delete | declaration | Queried when user attempts to delete an attribute declaration. |
| | rename | declaration, new_name | Queried when user attempts to rename an attribute declaration. |
| | modify | declaration | Queried when user attempts to modify an attribute declaration. |
| Declaration/Constant | create | declaration, value | Queried when user attempts to create a new constant. |
| | delete | declaration, value | Queried when user attempts to delete a constant. |
| | rename | declaration, value, new_name | Queried when user attempts to rename a constant. |
| | modify | declaration, value, new_value | Queried when user attempts to modify a constant. |
| Declaration/Enumeration | create | declaration, value | Queried when user attempts to create a new enumeration. |
| | delete | declaration, value | Queried when user attempts to delete an enumeration. |
| | rename | declaration, value, new_name | Queried when user attempts to rename an enumeration. |
| | modify | declaration, value, new_value | Queried when user attempts to modify an enumeration. |
| Declaration/EvaluationFunction | create | declaration | Queried when user attempts to create an evaluation function. |
| | delete | declaration | Queried when user attempts to delete an evaluation function. |
| | rename | declaration, new_name | Queried when user attempts to rename an evaluation function. |
| Identity/Directory/Instance | create | directory | Queried when user attempts to create a directory. |
| | delete | directory | Queried when user attempts to delete a directory. |
| | cascadeDelete | directory | Queried when user attempts to delete a directory and all its users. |
| | rename | directory, new_name | Queried when user attempts to rename a directory. |
| Identity/Directory/AttributeMapping/Single | create | attribute, default_value, directory | Queried when user attempts to add a scalar attribute to the attribute schema of a directory. |
| | delete | attribute, default_value, directory | Queried when user attempts to delete a scalar attribute from the attribute schema of a directory. |
| | modify | attribute, default_value, directory, new_default_value | Queried when user attempts to modify a scalar attribute in the attribute schema of a directory. |
| Identity/Directory/AttributeMapping/List | create | attribute, default_value, directory | Queried when user attempts to add a vector attribute to the attribute schema of a directory. |
| | delete | attribute, default_value, directory | Queried when user attempts to delete a vector attribute from the attribute schema of a directory. |
| | modify | attribute, default_value, directory, new_default_value | Queried when user attempts to modify a vector attribute in the attribute schema of a directory. |
| Identity/Subject/User | create | subject_name | Queried when user attempts to create a new user. |
| | copy | subject_name, new_subject_name | Queried when user attempts to copy a user. |
| | delete | subject_name | Queried when user attempts to delete a user. |
| | cascadeDelete | subject_name | Queried when user attempts to cascade delete a user and all policies associated with the user. |
| | rename | subject_name, new_subject_name | Queried when user attempts to rename a user. |
| Identity/Subject/Group | create | subject_name | Queried when user attempts to create a new group. |
| | delete | subject_name | Queried when user attempts to delete a group. |
| | rename | subject_name, new_subject_name | Queried when user attempts to rename a group. |
| | addMember | subject_name, member_subject | Queried when user attempts to add a member to a group. |
| | removeMember | subject_name, member_subject | Queried when user attempts to remove a member from a group. |
| Identity/Subject/AttributeAssignment/Single | create | attribute, value, subject_name | Queried when user attempts to set a value on a currently unset scalar subject attribute. |
| | delete | attribute, value, subject_name | Queried when user attempts to unset a currently set scalar subject attribute. |
| | modify | attribute, value, subject_name, new_value | Queried when user attempts to modify the value of a currently set scalar subject attribute. |
| Identity/Subject/AttributeAssignment/List | create | attribute, value, subject_name | Queried when user attempts to set a value on a currently unset vector subject attribute. |
| | delete | attribute, value, subject_name | Queried when user attempts to unset a currently set vector subject attribute. |
| | modify | attribute, value, subject_name, new_value | Queried when user attempts to modify the value of a currently set vector subject attribute. |
| Identity/Subject/Password | modify | subject_name | Queried when user attempts to modify the password for a user. The subject_name attribute contains the name of the user whose password is being changed. |
| Resource/Instance | create | resource, resource_type | Queried when user attempts to create a new resource. |
| | delete | resource | Queried when user attempts to delete a resource. |
| | cascadeDelete | resource | Queried when user attempts to cascade delete a resource. This includes deletion of all child resources and associated policies. |
| | rename | resource, new_name | Queried when user attempts to rename a resource. |
| Resource/AttributeAssignment/Single | create | attribute, resource, value | Queried when user attempts to set a value on a currently unset scalar resource attribute. |
| | delete | attribute, resource, value | Queried when user attempts to unset a currently set scalar resource attribute. |
| | modify | attribute, resource, value, new_value | Queried when user attempts to modify the value of a currently set scalar resource attribute. |
| Resource/AttributeAssignment/List | create | attribute, resource, value | Queried when user attempts to set a value on a currently unset vector resource attribute. |
| | delete | attribute, resource, value | Queried when user attempts to unset a currently set vector resource attribute. |
| | modify | attribute, resource, value, new_value | Queried when user attempts to modify the value of a currently set vector resource attribute. |
| Resource/MetaData/IsApplication | modify | resource, value, new_value | Queried when user attempts to toggle the "is application" resource metadata. |
| Resource/MetaData/IsDistributionPoint | modify | resource, value, new_value | Queried when user attempts to toggle the "is distribution point" resource metadata. |
| Resource/MetaData/LogicalName | create | logical_name, resource | Queried when user attempts to create a logical name for a resource. |
| | delete | logical_name, resource | Queried when user attempts to delete a logical name for a resource. |
| | rename | logical_name, resource, new_name | Queried when user attempts to rename a logical name for a resource. |
| Policy/Grant | create | action, resource, subject_name, constraint | Queried when user attempts to create a new grant policy. The "action", "resource", and "subject_name" attributes are lists. |
| | delete | action, resource, subject_name, constraint | Queried when user attempts to delete a grant policy. The "action", "resource", and "subject_name" attributes are lists. |
| | modify | action, resource, subject_name, constraint, new_action, new_resource, new_subject_name, new_constraint | Queried when user attempts to modify a grant policy. The "action", "resource", and "subject_name" attributes are lists. |
| Policy/Deny | create | action, resource, subject_name, constraint | Queried when user attempts to create a new deny policy. The "action", "resource", and "subject_name" attributes are lists. |
| | delete | action, resource, subject_name, constraint | Queried when user attempts to delete a deny policy. The "action", "resource", and "subject_name" attributes are lists. |
| | modify | action, action_type, resource, subject_name, subject_type, constraint, new_effect, new_action, new_action_type, new_resource, new_subject_name, new_subject_type, new_constraint | Queried when user attempts to modify a deny policy. The "action", "resource", and "subject_name" attributes are lists. |
| Policy/Delegate | create | action, resource, subject_name, delegator, constraint | Queried when user attempts to create a new delegate policy. The "action", "resource", and "subject_name" attributes are lists. |
| | delete | action, resource, subject_name, delegator, constraint | Queried when user attempts to delete a delegate policy. The "action", "resource", and "subject_name" attributes are lists. |
| | modify | action, resource, subject_name, delegator, constraint, new_action, new_resource, new_subject_name, new_delegator, new_constraint | Queried when user attempts to modify a delegate policy. The "action", "resource", and "subject_name" attributes are lists. |
| Policy/Action/Role/Instance | create | action | Queried when user attempts to create a new role. |
| | delete | action | Queried when user attempts to delete a role. |
| | rename | action, new_name | Queried when user attempts to rename a role. |
| Policy/Action/Privilege/Instance | create | action | Queried when user attempts to create a privilege. |
| | delete | action | Queried when user attempts to delete a privilege. |
| | rename | action, new_name | Queried when user attempts to rename a privilege. |
| Policy/Action/Privilege/Group | create | action_group | Queried when user attempts to create a privilege group. |
| | delete | action_group | Queried when user attempts to delete a privilege group. |
| | rename | action_group, new_name | Queried when user attempts to rename a privilege group. |
| | addMember | action_group, action | Queried when user attempts to add a privilege to a privilege group. |
| | removeMember | action_group, action | Queried when user attempts to remove a privilege from a privilege group. |
| Policy/Analysis/InquiryQuery | create | title, owner, effect_type, subjects, actions, resources, delegator | Queried when user attempts to create a new policy query. |
| | delete | title, owner | Queried when user attempts to delete a policy query. |
| | modify | title, owner, effect_type, subjects, actions, resources, delegator | Queried when user attempts to modify a policy query. |
| | execute | title, owner, effect_type, subjects, actions, resources, delegator | Queried when user attempts to execute a policy query. If the query is unsaved, "title" and "owner" are set to the empty string. |
| Policy/Analysis/VerificationQuery | create | title, owner, actions, resources | Queried when user attempts to create a new policy verification query. |
| | delete | title, owner | Queried when user attempts to delete a policy verification query. |
| | modify | title, owner, actions, resources | Queried when user attempts to modify a policy verification query. |
| | execute | title, owner, actions, resources | Queried when user attempts to execute a policy verification query. If the query is unsaved, "title" and "owner" are set to the empty string. |
| Policy/Repository | deployUpdate | resource, directory | Queried when user attempts to deploy a policy update. "resource" is the distribution node; all nodes below it may be affected. This check is made for each chosen distribution point. |
| | deployStructuralChange | deleted_directories, deployed_engines, deleted_engines, deleted_bindings, deleted_applications | Queried when user attempts to deploy a structural change. |
| Infrastructure/Engines/ARME | create | engine | Queried when user attempts to create a new Security Service Module. |
| | delete | engine | Queried when user attempts to delete a Security Service Module. |
| | rename | engine, new_name | Queried when user attempts to rename a Security Service Module. |
| | bind | engine, resource | Queried when user attempts to bind a resource to a Security Service Module. |
| | unbind | engine, resource | Queried when user attempts to unbind a resource from a Security Service Module. |
| Infrastructure/Engines/SCM | create | engine | Queried when user attempts to create a Service Control Manager. |
| | delete | engine | Queried when user attempts to delete a Service Control Manager. |
| | rename | engine, new_name | Queried when user attempts to rename a Service Control Manager. |
| | bind | engine, resource | Queried when user attempts to bind a Security Service Module to a Service Control Manager. "resource" contains the name of the Security Service Module. |
| | unbind | engine, resource | Queried when user attempts to unbind a Security Service Module from a Service Control Manager. "resource" contains the name of the Security Service Module. |
| Infrastructure/Management/Console | login | (none) | Queried when user attempts to log in to the Administration Console. |
| Infrastructure/Management/BulkManager | login | (none) | Queried when user attempts to log in to the Policy Import tool. |

Enumerated Types

Table 2-7 lists the name of each enumerated type used in controlling administrative access.

Table 2-7 Enumerated Types

| Name | Values | Description |
|---|---|---|
| attribute_usage_type_enum | (resource_attribute, subject_attribute, dynamic_attribute) | Specifies the valid usage for attributes. |
| subject_type_enum | (user_subject, group_subject, role_subject) | Specifies the valid subject types. |
| action_type_enum | (privilege_action, role_action) | Specifies the valid action types. |
| resource_type_enum | (organizational_node, binding_node, resource_node) | Specifies the valid resource types. |
| effect_type_enum | (grant_effect, deny_effect, delegate_effect) | Specifies the valid role mapping and authorization effect types. |

ALES Identities

The table below shows the default ALES roles, users, and groups and some of their administrative rights as determined by existing policies.

Table 2-8 Default ALES Role Privileges and Identities

| Role | Privileges / Resources | Users / Groups |
|---|---|---|
| Admin | Has all privileges, including creating and managing resources, identities, and configurations, starting/stopping ALES servers, etc. | System (User) |
| Deployer | Privileges include modifying SCM/SSM configurations, deploying configuration and policy data, and running policy inquiries. | None |
| Operator | Privileges include managing SCM/SSM configurations, starting/stopping the Administration Server, and running policy inquiries. | None |
| Monitor | This role effectively provides read-only access to the Administration Console. Privileges include monitoring Administration Console activities and viewing SCM/SSM configurations. | None |
| Everyone | Change password, access the Console login page, access unprotected resources and operations. | Allusers (Group) |
| Anonymous | No privileges. Does not allow access to ASI resources. This role is automatically assigned to all unauthenticated users. | Anonymous (User), Allusers (Group) |

Default Role Mapping Policies

The default role mapping policies are described in Table 2-9 below. There are two ways they can be viewed in the Administration Console:

Of particular note, one of the role mapping policies assigns the Admin role to the user named System. This is the only administrative user provided when ALES is installed.

Table 2-9 Default Role Mapping Policies

| Policy | Description |
|---|---|
| grant(//role/Everyone, //app/policy/ASI, //sgrp/asi/allusers/) if true; | Assigns the Everyone role to allusers (group). |
| grant(//role/Admin, //app/policy/ASI, //user/asi/system/) if true; | Assigns the Admin role to system (user). |
| grant(//role/Anonymous, //app/policy/ASI, //user/asi/anonymous/); | Assigns the Anonymous role to anonymous (user). |

Default Authorization Policies

A number of authorization policies are provided that define access to ALES components. Some of the more important default authorization policies are described in Table 2-10 below.

Table 2-10 Default Authorization Policies

| Default Policy | Description |
|---|---|
| grant(//priv/delete, //app/policy/ASI/admin, //role/Admin) if true; | Allows the Admin role to delete policies. |
| grant(//priv/cascadeDelete, //app/policy/ASI/admin, //role/Admin) if true; | Allows the Admin role to perform cascadeDelete on children of ASI/admin. |
| grant(//priv/rename, //app/policy/ASI/admin, //role/Admin) if true; | Allows the Admin role to rename children of ASI/admin. |
| grant(//priv/deployStructuralChange, //app/policy/ASI/admin/Policy/Repository, //role/Admin) if true; | Allows the Admin role to deploy structural changes. |
| grant(//priv/login, //app/policy/ASI/admin/Infrastructure/Management/BulkManager, //role/Admin) if true; | Allows the Admin role to use the policy loader tool. |
| grant(//priv/copy, //app/policy/ASI/admin/Identity/Subject/User, //role/Admin) if true; | Allows the Admin role to copy users. |
| grant([//priv/bind,//priv/unbind], //app/policy/ASI/admin/Infrastructure/Engines, //role/Admin) if true; | Allows the Admin role to bind/unbind resources, and to configure authorization and role mapping provider combinations and SCMs. |
| grant(//priv/deployUpdate, //app/policy/ASI/admin/Policy/Repository, [//role/Admin,//role/Deployer]) if true; | Allows the Admin and Deployer roles to deploy policy updates. |
| grant(//priv/modify, //app/policy/ASI/admin, [//role/Admin,//role/Deployer]) if true; | Allows the Admin and Deployer roles to modify children of ASI/admin (resources, identities, policies, etc.). |
| grant(//priv/view, //app/policy/ASI/admin, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if true; | Allows the Admin, Monitor, Operator, and Deployer roles to view children of ASI/admin. |
| grant(//priv/listAll, //app/policy/ASI/admin, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if true; | Allows the Admin, Monitor, Operator, and Deployer roles to perform listAll on children of ASI/admin. |
| grant(//priv/modify, //app/policy/ASI/admin/Identity/Subject/Password, //role/Everyone) if subject_name = sys_user_q; | Allows Everyone to modify their own password. |
| grant(//priv/create, [//app/policy/ASI/admin/Declaration, //app/policy/ASI/admin/Identity, //app/policy/ASI/admin/Infrastructure, //app/policy/ASI/admin/Resource], //role/Admin) if true; grant(//priv/create, [//app/policy/ASI/admin/Policy/Action, //app/policy/ASI/admin/Policy/Analysis, //app/policy/ASI/admin/Policy/Rule/Delegate, //app/policy/ASI/admin/Policy/Rule/Grant], //role/Admin) if true; | Allows the Admin role to create policies. |
| grant([//priv/create,//priv/modify,//priv/view], //app/policy/ASI/admin/Policy/Analysis, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if owner = sys_user_q; | Allows the Admin, Monitor, Operator, and Deployer roles to query ALES policies they own. |
| grant(//priv/execute, //app/policy/ASI/admin/Policy/Analysis, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if owner = sys_user_q or owner = ""; | Allows the Admin, Monitor, Operator, and Deployer roles to execute both queries they own and queries with no owner. |
| grant([//priv/addMember,//priv/removeMember], //app/policy/ASI/admin, [//role/Deployer]) if true; | Allows the Deployer role to add and remove members of subject and privilege groups. |
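To make the two-stage model concrete (role mapping policies in Table 2-9 first assign roles, then authorization policies in Table 2-10 grant privileges to those roles), here is an added Python example that parses a subset of the page's own grant statements verbatim and decides sample requests against them. It is illustrative code, not the ALES engine, and it assumes the following: a grant on a resource node applies to that node and everything below it; the three arguments are actions, resources, and subjects, each a single name or a [a,b] list; constraints are `true`, `name = value`, or clauses joined by `or`; sys_user_q resolves to the name of the requesting user; and only grant effects exist (deny and delegate policies are not modelled). The context values passed in (subject_name, owner) are the ones Table 2-6 lists for the password and policy-query operations.

```python
"""Toy evaluator for the ALES-style grant statements in Tables 2-9 and 2-10.

Constructed example, not ALES code. Assumptions: grants apply to a resource node
and all descendants; arguments are (actions, resources, subjects), each a name or
[a,b] list; constraints are 'true', 'name = value' or 'or'-joined clauses;
sys_user_q is the requesting user's name; only grant effects are modelled.
"""
import re
from dataclasses import dataclass


@dataclass
class Grant:
    actions: list      # privileges (//priv/...) or roles (//role/...) being granted
    resources: list    # resource nodes the grant applies to (plus descendants)
    subjects: list     # users, groups or roles the grant is made to
    constraint: str    # text between 'if' and ';', whitespace-normalised


GRANT_RE = re.compile(r"grant\s*\((.*?)\)\s*(?:if\s*(.*?))?\s*;", re.S)


def _split_top(s):
    """Split on commas that are outside [...] brackets."""
    parts, depth, cur = [], 0, []
    for ch in s:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def _as_list(term):
    """'[a,b]' -> ['a', 'b'];  'a' -> ['a']."""
    if term.startswith("["):
        return [t.strip() for t in term[1:-1].split(",")]
    return [term]


def parse_policies(text):
    """Parse every 'grant(...) [if ...];' statement in text, in order."""
    out = []
    for args, cond in GRANT_RE.findall(text):
        actions, resources, subjects = _split_top(args)
        out.append(Grant(_as_list(actions), _as_list(resources), _as_list(subjects),
                         " ".join((cond or "true").split())))
    return out


def _covers(node, target):
    """A policy on node applies to node itself and to every resource below it."""
    node = node.rstrip("/")
    return target.rstrip("/") == node or target.startswith(node + "/")


def _value(tok, ctx):
    """A quoted literal stands for itself; anything else is looked up in the context."""
    return tok[1:-1] if tok.startswith('"') and tok.endswith('"') else ctx.get(tok, tok)


def eval_constraint(cond, ctx):
    """Evaluate 'true', 'name = value', and clauses joined by 'or'."""
    if cond == "true":
        return True
    for clause in cond.split(" or "):
        lhs, _, rhs = clause.partition("=")
        if ctx.get(lhs.strip()) == _value(rhs.strip(), ctx):
            return True
    return False


def roles_for(policies, user, groups, resource):
    """Role mapping step: roles granted to the user or any of its groups on resource."""
    ids = {user, *groups}
    return {a for p in policies for a in p.actions
            if a.startswith("//role/")
            and any(s in ids for s in p.subjects)
            and any(_covers(r, resource) for r in p.resources)
            and eval_constraint(p.constraint, {})}


def is_granted(policies, user, groups, privilege, resource, ctx=None):
    """Authorization step: is privilege on resource granted to one of the user's roles?"""
    ctx = dict(ctx or {}, sys_user_q=user)
    roles = roles_for(policies, user, groups, resource)
    return any(privilege in p.actions
               and any(_covers(r, resource) for r in p.resources)
               and any(s in roles for s in p.subjects)
               and eval_constraint(p.constraint, ctx)
               for p in policies)


# A subset of the default policies from Tables 2-9 and 2-10, quoted from the page.
POLICIES = parse_policies("""
grant(//role/Everyone, //app/policy/ASI, //sgrp/asi/allusers/) if true;
grant(//role/Admin, //app/policy/ASI, //user/asi/system/) if true;
grant(//role/Anonymous, //app/policy/ASI, //user/asi/anonymous/);
grant(//priv/delete, //app/policy/ASI/admin, //role/Admin) if true;
grant([//priv/bind,//priv/unbind], //app/policy/ASI/admin/Infrastructure/Engines, //role/Admin) if true;
grant(//priv/view, //app/policy/ASI/admin, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if true;
grant(//priv/modify, //app/policy/ASI/admin/Identity/Subject/Password, //role/Everyone) if subject_name = sys_user_q;
grant(//priv/execute, //app/policy/ASI/admin/Policy/Analysis, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if owner = sys_user_q or owner = "";
""")

ALLUSERS = ["//sgrp/asi/allusers/"]   # constructed: every directory user is in allusers

if __name__ == "__main__":
    print(roles_for(POLICIES, "//user/asi/system/", ALLUSERS, "//app/policy/ASI/admin"))
    # A user may change only their own password: subject_name must equal sys_user_q.
    print(is_granted(POLICIES, "//user/asi/alice/", ALLUSERS, "//priv/modify",
                     "//app/policy/ASI/admin/Identity/Subject/Password",
                     {"subject_name": "//user/asi/bob/"}))
```

Two details worth noticing when reading the results: the delete grant on //app/policy/ASI/admin reaches //app/policy/ASI/admin/Policy/Grant purely through resource inheritance, so narrowing a default policy means moving it down the tree rather than editing the privilege; and the password policy is only as strong as the context value the caller supplies in subject_name, which is why that attribute is part of the query in Table 2-6 rather than something the policy could infer.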

Viewing Authorization Policies

There are several ways to view authorization policies in the Administration Console:

Figure 2-2 below shows the results of an authorization policies query on the Admin role.

Figure 2-2 Authorization Policy Inquiry Results Dialog

