Integrating ALES with Application Environments


Securing ALES Components

AquaLogic Enterprise Security is itself secured using the same policy model used to secure any other application. This chapter explains the default policies controlling administrative access to ALES.

Information is provided in the following sections.

Using the Administration Console

Many of the tasks described in this document are performed using the ALES Administration Console. For more information about using the Administration Console, see Using the Administration Console in the Administration and Deployment Guide, and also consult the ALES Administration Console online help system.

Default Database Objects

Installing ALES provides a number of database objects that collectively define access to ALES components. This provides rudimentary security at startup; you can use the Administration Console to more completely define administrative access.

The default database objects are listed below and are more fully described in sections that follow.

Table 2-1 Default Database Objects Defining Access to ALES

Object Type | Description
Resource | A representation of ALES components is defined in a separate tree under a root resource named ASI. Policies can be assigned to a resource representing an ALES component and thereby define access to that component. For more information, see ALES Resources.
Identity | A number of users, groups, and roles that reflect usage of ALES are provided. In particular, a user named system is set up as having complete administrative rights to the database. For more information, see ALES Identities.
Role Mapping Policies | A number of role mapping policies are provided that assign some of the default roles to users/groups. For more information, see Default Role Mapping Policies.
Authorization Policies | A number of authorization policies are provided that assign privileges to roles/groups/users on specific resources in the ASI resource tree. For more information, see Default Authorization Policies.

Creating a New Admin User

By default, ALES provides a single administrative user identity named system having complete administrative rights. In a production environment, you should remove this administrative user and replace it with one or more other user identities. This section describes how to create a new administrative user named myadmin, replacing the system user:

  1. In the ALES Administration Console, navigate to Identities > Users. Add a new user named myadmin.
  2. Add the myadmin user to the Admin role.
  3. Set a password for myadmin by selecting myadmin and clicking Edit > Set password.
  4. Remove the system user from the Admin role.
  5. Distribute the policy.
  6. Stop the Administration Server.
  7. Edit BEA_HOME/ales25-admin/config/WLESWebLogic.conf so that under "Java Additional Parameters" this line reads:

     wrapper.java.additional.15=-Dwles.user.alias=myadmin

     instead of

     wrapper.java.additional.15=-Dwles.user.alias=system

  8. Set the password for the myadmin user using the asipassword utility. Execute:

     BEA_HOME/ales25-admin/bin/asipassword.bat myadmin ../ssl/password.xml ../ssl/password.key

     and supply the password for myadmin.

  9. Restart the ALES Administration Server with WLESWebLogic.bat console. You can now log in as myadmin with the password you set.

ALES Resources

ALES components are represented under the ASI resource tree, as shown in the figure below.

Figure 2-1 Representation of ALES Components

Administrative Operations

Table 2-2 describes resource objects that define the administrative operations that are performed using the Administration Console. By default, these resources are contained within //app/policy/ASI/admin.

Table 2-2 Resources Defining Administrative Operations

Resource Name | Protects operations on...
admin/Declaration/Attribute | attribute declarations
admin/Declaration/Constant | constant declarations
admin/Declaration/Enumeration | enumeration declarations
admin/Declaration/EvaluationFunction | evaluation function declarations
admin/Identity/Directory/Instance | identity directory instances
admin/Identity/Directory/AttributeMapping/Single | what scalar attributes may be assigned to users within a directory
admin/Identity/Directory/AttributeMapping/List | what vector attributes may be assigned to users within a directory
admin/Identity/Subject/User | users
admin/Identity/Subject/Group | groups
admin/Identity/Subject/Password | user passwords
admin/Identity/Subject/AttributeAssignment/Single | scalar subject attribute values
admin/Identity/Subject/AttributeAssignment/List | vector subject attribute values
admin/Resource/Instance | resources
admin/Resource/AttributeAssignment/Single | scalar resource attribute values
admin/Resource/AttributeAssignment/List | vector resource attribute values
admin/Resource/MetaData/LogicalName | setting the "logical name" resource metadata
admin/Resource/MetaData/IsApplication | setting the "is application" resource metadata
admin/Resource/MetaData/IsDistributionPoint | setting the "is distribution point" resource metadata
admin/Policy/Grant | grant policies
admin/Policy/Deny | deny policies
admin/Policy/Delegate | delegate policies
admin/Policy/Action/Role/Instance | roles (when used as actions)
admin/Policy/Action/Privilege/Instance | privileges
admin/Policy/Action/Privilege/Group | privilege groups
admin/Policy/Analysis/InquiryQuery | policy inquiries
admin/Policy/Analysis/VerificationQuery | policy verification
admin/Infrastructure/Engines/ARME | definitions of the ASI Authorizer, which is also called ARME
admin/Infrastructure/Engines/SCM | definitions of the Service Control Manager (SCM)
admin/Infrastructure/Management/BulkManager | the policy loader
admin/Policy/Repository | the policy repository

Privileges

Table 2-3 lists and describes the default privileges that may be assigned.

Table 2-3 Privileges

Privilege | Explanation
create | Create a policy element, including identities (identity directories, users, groups, attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
view | View the contents of a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
delete | Delete a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
cascadeDelete | Delete an element and its sub-elements (no permission check is made on sub-elements), including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
rename | Rename a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
modify | Modify the contents of a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
listAll | Filter lists of instances based on a pattern specification.
addMember | Add a member to a group.
removeMember | Remove a member from a group.
execute | Execute a policy analysis query.
deployUpdate | Deploy a policy update.
deployStructuralChange | Deploy a structural change.
bind | Bind a resource to an ASI Authorization and ASI Role Mapping provider.
unbind | Unbind a resource from an ASI Authorization and ASI Role Mapping provider.
login | Log on to the Administration Application, including the Administration Console and the Policy Import and Export tools.
copy | Copy a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.

Context Attributes

Context attributes can be used to provide fine-grained protection of policy operations. For example, when creating a privilege, the name of the privilege can be supplied as an attribute and used to control access to a single unique privilege.

Table 2-4 describes the default context attributes.

Table 2-4 Context Attributes

Attribute Name | Data Type | Description
declaration | string | Name of a declaration.
data_type | string | The name of a data type, for example string, integer, or date.
attribute_usage_type | Enumeration (resource_attribute, subject_attribute, dynamic_attribute) | Specifies the type of policy element with which an attribute declaration is associated.
new_name | string | Generic attribute used when renaming elements.
new_attribute_usage_type | Enumeration (resource_attribute, subject_attribute, dynamic_attribute) | The new value of this item, used in modify operations.
value | string | Generic attribute used to represent the value of an element.
values | list of strings | Generic attribute used to represent the value of an element as a list.
directory | string | The name of a directory.
attribute | string | The name of an attribute.
default_value | string | The default value of an attribute.
default_values | list of strings | The default value of a list attribute.
new_default_value | string | Used in modification operations to represent the new default value of an attribute.
new_default_values | list of strings | Used in modification operations to represent the new default value of a list attribute.
subject_name | string | The name of a subject.
subjects | list of strings | A list of subjects.
groups | list of strings | The group membership of the subject.
subject_type | Enumeration (user_subject, group_subject, role_subject) | The type of subject.
member_subject_type | Enumeration (user_subject, group_subject, role_subject) | The type of the subject group member.
member_subject | string | Name of a subject group member.
action | string | Name of the action.
action_type | Enumeration (privilege_action, role_action) | Type of the action.
resource | string | The name of the resource.
resources | list of strings | A list of resources.
constraint | string | The constraint of a policy; this is the portion between the `if' and the `;', exclusive.
new_action | string | Name of the new action in a modified policy.
new_action_type | string | New action type in a modified policy.
new_resource | string | New resource in a modified policy.
new_subject_name | string | New subject name.
new_constraint | string | New constraint in a modified policy.
delegator | string | The name of the delegator in a policy.
new_delegator | string | New delegator in a modified policy.
actions | list of strings | A set of actions.
action_groups | list of strings | A list of privilege group names.
action_group | string | The name of a privilege group.
parent_resource | string | The parent of the resource.
meta_data | string | The name of the metadata item.
logical_name | string | The logical name of a resource.
deleted_directories | list of strings | A list of deleted directories.
deleted_engines | list of strings | A list of deleted engines. [1]
deployed_engines | list of strings | A list of deployed engines.
deleted_bindings | list of strings | A list of deleted engine binding node pairs.
deleted_applications | list of strings | A list of deleted applications.
engine | string | The name of an ARME or SCM cluster.
engine_bindings | list of strings | A list of bindable resources bound to the ARME or SCM.
owner | string | The owner of an analysis query.
effect_type | Enumeration (grant_effect, deny_effect, delegate_effect) | The type of role mapping and authorization policy effect.
title | string | The title of an analysis query.

[1] The term engine refers to an ASI Authorization provider and an ASI Role Mapper provider that are configured to operate in conjunction with one another, also referred to as the ARME. This combination of providers is configured to manage your authorization and role mapping policies.

Evaluation Functions

The evaluation functions listed in Table 2-5 are provided for writing custom administration policies. They may be used in the constraint portion of policies to limit the applicability of the policy based on contextual information.

Table 2-5 Evaluation Functions

Function Name | Description
resource_is_child(c,p,[d]) | Check whether c is a child of p. d is a Boolean standing for "direct". By default, d is true, meaning check whether c is a direct child of p. If false, c may be a descendant of p at any depth.
subject_in_directory(s,d) | Check whether subject s is in directory d. This does not guarantee that either s or d exists, only that, based on the names, one would be in the other.
subject_is_group(s), subject_is_user(s), subject_is_role(s) | Check whether the subject is a group, user, or role, respectively.
action_is_privilege(a), action_is_role(a) | Check whether the action is a privilege or a role, respectively.

Authorization Queries

Table 2-6 describes when contextual data is used to determine administrative access. This data may be referenced when writing policies to protect the Administration Console.

Table 2-6 Context Attributes and Administrative Access

Admin Resource | Privilege | Context attributes | Description
Declaration/Attribute | create | declaration | Queried when a user attempts to create a new attribute declaration.
Declaration/Attribute | delete | declaration | Queried when a user attempts to delete an attribute declaration.
Declaration/Attribute | rename | declaration, new_name | Queried when a user attempts to rename an attribute declaration.
Declaration/Attribute | modify | declaration | Queried when a user attempts to modify an attribute declaration.
Declaration/Constant | create | declaration, value | Queried when a user attempts to create a new constant.
Declaration/Constant | delete | declaration, value | Queried when a user attempts to delete a constant.
Declaration/Constant | rename | declaration, value, new_name | Queried when a user attempts to rename a constant.
Declaration/Constant | modify | declaration, value, new_value | Queried when a user attempts to modify a constant.
Declaration/Enumeration | create | declaration, value | Queried when a user attempts to create a new enumeration.
Declaration/Enumeration | delete | declaration, value | Queried when a user attempts to delete an enumeration.
Declaration/Enumeration | rename | declaration, value, new_name | Queried when a user attempts to rename an enumeration.
Declaration/Enumeration | modify | declaration, value, new_value | Queried when a user attempts to modify an enumeration.
Declaration/EvaluationFunction | create | declaration | Queried when a user attempts to create an evaluation function.
Declaration/EvaluationFunction | delete | declaration | Queried when a user attempts to delete an evaluation function.
Declaration/EvaluationFunction | rename | declaration, new_name | Queried when a user attempts to rename an evaluation function.
Identity/Directory/Instance | create | directory | Queried when a user attempts to create a directory.
Identity/Directory/Instance | delete | directory | Queried when a user attempts to delete a directory.
Identity/Directory/Instance | cascadeDelete | directory | Queried when a user attempts to delete a directory and all its users.
Identity/Directory/Instance | rename | directory, new_name | Queried when a user attempts to rename a directory.
Identity/Directory/AttributeMapping/Single | create | attribute, default_value, directory | Queried when a user attempts to add a scalar attribute to the attribute schema of a directory.
Identity/Directory/AttributeMapping/Single | delete | attribute, default_value, directory | Queried when a user attempts to delete a scalar attribute from the attribute schema of a directory.
Identity/Directory/AttributeMapping/Single | modify | attribute, default_value, directory, new_default_value | Queried when a user attempts to modify a scalar attribute in the attribute schema of a directory.
Identity/Directory/AttributeMapping/List | create | attribute, default_value, directory | Queried when a user attempts to add a vector attribute to the attribute schema of a directory.
Identity/Directory/AttributeMapping/List | delete | attribute, default_value, directory | Queried when a user attempts to delete a vector attribute from the attribute schema of a directory.
Identity/Directory/AttributeMapping/List | modify | attribute, default_value, directory, new_default_value | Queried when a user attempts to modify a vector attribute in the attribute schema of a directory.
Identity/Subject/User | create | subject_name | Queried when a user attempts to create a new user.
Identity/Subject/User | copy | subject_name, new_subject_name | Queried when a user attempts to copy a user.
Identity/Subject/User | delete | subject_name | Queried when a user attempts to delete a user.
Identity/Subject/User | cascadeDelete | subject_name | Queried when a user attempts to cascade delete a user and all policies associated with the user.
Identity/Subject/User | rename | subject_name, new_subject_name | Queried when a user attempts to rename a user.
Identity/Subject/Group | create | subject_name | Queried when a user attempts to create a new group.
Identity/Subject/Group | delete | subject_name | Queried when a user attempts to delete a group.
Identity/Subject/Group | rename | subject_name, new_subject_name | Queried when a user attempts to rename a group.
Identity/Subject/Group | addMember | subject_name, member_subject | Queried when a user attempts to add a member to a group.
Identity/Subject/Group | removeMember | subject_name, member_subject | Queried when a user attempts to remove a member from a group.
Identity/Subject/AttributeAssignment/Single | create | attribute, value, subject_name | Queried when a user attempts to set a value for a currently unset scalar subject attribute.
Identity/Subject/AttributeAssignment/Single | delete | attribute, value, subject_name | Queried when a user attempts to unset a currently set scalar subject attribute.
Identity/Subject/AttributeAssignment/Single | modify | attribute, value, subject_name, new_value | Queried when a user attempts to modify the value of a currently set scalar subject attribute.
Identity/Subject/AttributeAssignment/List | create | attribute, value, subject_name | Queried when a user attempts to set a value for a currently unset vector subject attribute.
Identity/Subject/AttributeAssignment/List | delete | attribute, value, subject_name | Queried when a user attempts to unset a currently set vector subject attribute.
Identity/Subject/AttributeAssignment/List | modify | attribute, value, subject_name, new_value | Queried when a user attempts to modify the value of a currently set vector subject attribute.
Identity/Subject/Password | modify | subject_name | Queried when a user attempts to modify the password for a user. The subject_name attribute contains the name of the user to whom the password belongs.
Resource/Instance | create | resource, resource_type | Queried when a user attempts to create a new resource.
Resource/Instance | delete | resource | Queried when a user attempts to delete a resource.
Resource/Instance | cascadeDelete | resource | Queried when a user attempts to cascade delete a resource. This includes deletion of all child resources and associated policies.
Resource/Instance | rename | resource, new_name | Queried when a user attempts to rename a resource.
Resource/AttributeAssignment/Single | create | attribute, resource, value | Queried when a user attempts to set a value for a currently unset scalar resource attribute.
Resource/AttributeAssignment/Single | delete | attribute, resource, value | Queried when a user attempts to unset a currently set scalar resource attribute.
Resource/AttributeAssignment/Single | modify | attribute, resource, value, new_value | Queried when a user attempts to modify the value of a currently set scalar resource attribute.
Resource/AttributeAssignment/List | create | attribute, resource, value | Queried when a user attempts to set a value for a currently unset vector resource attribute.
Resource/AttributeAssignment/List | delete | attribute, resource, value | Queried when a user attempts to unset a currently set vector resource attribute.
Resource/AttributeAssignment/List | modify | attribute, resource, value, new_value | Queried when a user attempts to modify the value of a currently set vector resource attribute.
Resource/MetaData/IsApplication | modify | resource, value, new_value | Queried when a user attempts to toggle the "is application" resource metadata.
Resource/MetaData/IsDistributionPoint | modify | resource, value, new_value | Queried when a user attempts to toggle the "is distribution point" resource metadata.
Resource/MetaData/LogicalName | create | logical_name, resource | Queried when a user attempts to create a logical name for a resource.
Resource/MetaData/LogicalName | delete | logical_name, resource | Queried when a user attempts to delete a logical name for a resource.
Resource/MetaData/LogicalName | rename | logical_name, resource, new_name | Queried when a user attempts to rename a logical name for a resource.
Policy/Grant | create | action, resource, subject_name, constraint | Queried when a user attempts to create a new grant policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Grant | delete | action, resource, subject_name, constraint | Queried when a user attempts to delete a grant policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Grant | modify | action, resource, subject_name, constraint, new_action, new_resource, new_subject_name, new_constraint | Queried when a user attempts to modify a grant policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Deny | create | action, resource, subject_name, constraint | Queried when a user attempts to create a new deny policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Deny | delete | action, resource, subject_name, constraint | Queried when a user attempts to delete a deny policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Deny | modify | action, action_type, resource, subject_name, subject_type, constraint, new_effect, new_action, new_action_type, new_resource, new_subject_name, new_subject_type, new_constraint | Queried when a user attempts to modify a deny policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Delegate | create | action, resource, subject_name, delegator, constraint | Queried when a user attempts to create a new delegate policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Delegate | delete | action, resource, subject_name, delegator, constraint | Queried when a user attempts to delete a delegate policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Delegate | modify | action, resource, subject_name, delegator, constraint, new_action, new_resource, new_subject_name, new_delegator, new_constraint | Queried when a user attempts to modify a delegate policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Action/Role/Instance | create | action | Queried when a user attempts to create a new role.
Policy/Action/Role/Instance | delete | action | Queried when a user attempts to delete a role.
Policy/Action/Role/Instance | rename | action, new_name | Queried when a user attempts to rename a role.
Policy/Action/Privilege/Instance | create | action | Queried when a user attempts to create a privilege.
Policy/Action/Privilege/Instance | delete | action | Queried when a user attempts to delete a privilege.
Policy/Action/Privilege/Instance | rename | action, new_name | Queried when a user attempts to rename a privilege.
Policy/Action/Privilege/Group | create | action_group | Queried when a user attempts to create a privilege group.
Policy/Action/Privilege/Group | delete | action_group | Queried when a user attempts to delete a privilege group.
Policy/Action/Privilege/Group | rename | action_group, new_name | Queried when a user attempts to rename a privilege group.
Policy/Action/Privilege/Group | addMember | action_group, action | Queried when a user attempts to add a privilege to a privilege group.
Policy/Action/Privilege/Group | removeMember | action_group, action | Queried when a user attempts to remove a privilege from a privilege group.
Policy/Analysis/InquiryQuery | create | title, owner, effect_type, subjects, actions, resources, delegator | Queried when a user attempts to create a new policy query.
Policy/Analysis/InquiryQuery | delete | title, owner | Queried when a user attempts to delete a policy query.
Policy/Analysis/InquiryQuery | modify | title, owner, effect_type, subjects, actions, resources, delegator | Queried when a user attempts to modify a policy query.
Policy/Analysis/InquiryQuery | execute | title, owner, effect_type, subjects, actions, resources, delegator | Queried when a user attempts to execute a policy query. If this is an unsaved query, "title" and "owner" are set to an empty string.
Policy/Analysis/VerificationQuery | create | title, owner, actions, resources | Queried when a user attempts to create a new policy verification query.
Policy/Analysis/VerificationQuery | delete | title, owner | Queried when a user attempts to delete a policy verification query.
Policy/Analysis/VerificationQuery | modify | title, owner, actions, resources | Queried when a user attempts to modify a policy verification query.
Policy/Analysis/VerificationQuery | execute | title, owner, actions, resources | Queried when a user attempts to execute a policy verification query. If this is an unsaved query, "title" and "owner" are set to an empty string.
Policy/Repository | deployUpdate | resource, directory | Queried when a user attempts to deploy a policy update. "resource" is the distribution node; all nodes below it may be affected. This check is made for each chosen distribution point.
Policy/Repository | deployStructuralChange | deleted_directories, deployed_engines, deleted_engines, deleted_bindings, deleted_applications | Queried when a user attempts to deploy a structural change.
Infrastructure/Engines/ARME | create | engine | Queried when a user attempts to create a new Security Service Module.
Infrastructure/Engines/ARME | delete | engine | Queried when a user attempts to delete a Security Service Module.
Infrastructure/Engines/ARME | rename | engine, new_name | Queried when a user attempts to rename a Security Service Module.
Infrastructure/Engines/ARME | bind | engine, resource | Queried when a user attempts to bind a resource to a Security Service Module.
Infrastructure/Engines/ARME | unbind | engine, resource | Queried when a user attempts to unbind a resource from a Security Service Module.
Infrastructure/Engines/SCM | create | engine | Queried when a user attempts to create a Service Control Manager.
Infrastructure/Engines/SCM | delete | engine | Queried when a user attempts to delete a Service Control Manager.
Infrastructure/Engines/SCM | rename | engine, new_name | Queried when a user attempts to rename a Service Control Manager.
Infrastructure/Engines/SCM | bind | engine, resource | Queried when a user attempts to bind a Security Service Module to a Service Control Manager. The "resource" contains the name of the Security Service Module.
Infrastructure/Engines/SCM | unbind | engine, resource | Queried when a user attempts to unbind a Security Service Module from a Service Control Manager. The "resource" contains the name of the Security Service Module.
Infrastructure/Management/Console | login | (none) | Queried when a user attempts to log in to the Administration Console.
Infrastructure/Management/BulkManager | login | (none) | Queried when a user attempts to log in to the Policy Import tool.

Enumerated Types

Table 2-7 lists the name of each enumerated type used in controlling administrative access.

Table 2-7 Enumerated Types

Name | Values | Description
attribute_usage_type_enum | (resource_attribute, subject_attribute, dynamic_attribute) | Specifies the valid usage for attributes.
subject_type_enum | (user_subject, group_subject, role_subject) | Specifies the valid subject types.
action_type_enum | (privilege_action, role_action) | Specifies the valid action types.
resource_type_enum | (organizational_node, binding_node, resource_node) | Specifies the valid resource types.
effect_type_enum | (grant_effect, deny_effect, delegate_effect) | Specifies the valid role mapping and authorization effect types.

ALES Identities

Table 2-8 shows the default ALES roles, users, and groups and some of their administrative rights as determined by existing policies.

Table 2-8 Default ALES Role Privileges and Identities

Role | Privileges / Resources | User/Groups
Admin | Has all privileges, including creating and managing resources, identities, and configurations, starting/stopping ALES servers, etc. | System (User)
Deployer | Privileges include modifying SCM/SSM configurations, deploying configuration and policy data, and running policy inquiries. | None
Operator | Privileges include managing SCM/SSM configurations, starting/stopping the Administration Server, and running policy inquiries. | None
Monitor | This role effectively provides read-only access to the Administration Console. Privileges include monitoring Administration Console activities and viewing SCM/SSM configurations. | None
Everyone | Change password, access the Console login page, access unprotected resources and operations. | Allusers (Group)
Anonymous | No privileges. Does not allow access to ASI resources. This role is automatically assigned to all unauthenticated users. | Anonymous (User), Allusers (Group)

Default Role Mapping Policies

The default role mapping policies are described in Table 2-9 below. There are two ways they can be viewed in the Administration Console:

Of particular note, one of the role mapping policies assigns the Admin role to the user named System. This is the only administrative user provided when ALES is installed.

Table 2-9 Default Role Mapping Policies

Policy | Description
grant(//role/Everyone, //app/policy/ASI, //sgrp/asi/allusers/) if true; | Assigns Everyone role to allusers (group).
grant(//role/Admin, //app/policy/ASI, //user/asi/system/) if true; | Assigns Admin role to system (user).
grant(//role/Anonymous, //app/policy/ASI, //user/asi/anonymous/); | Assigns Anonymous role to anonymous (user).

Default Authorization Policies

A number of authorization policies are provided that define access to ALES components. Some of the more important default authorization policies are described in Table 2-10 below.

Table 2-10 Default Authorization Policies

Default Policy | Description
grant(//priv/delete, //app/policy/ASI/admin, //role/Admin) if true; | Allows Admin role to delete policies.
grant(//priv/cascadeDelete, //app/policy/ASI/admin, //role/Admin) if true; | Allows Admin role to perform cascadeDelete on children of ASI/admin.
grant(//priv/rename, //app/policy/ASI/admin, //role/Admin) if true; | Allows Admin role to rename children of ASI/admin.
grant(//priv/deployStructuralChange, //app/policy/ASI/admin/Policy/Repository, //role/Admin) if true; | Allows Admin role to deploy structural changes.
grant(//priv/login, //app/policy/ASI/admin/Infrastructure/Management/BulkManager, //role/Admin) if true; | Allows Admin role to use the policy loader tool.
grant(//priv/copy, //app/policy/ASI/admin/Identity/Subject/User, //role/Admin) if true; | Allows Admin role to copy users.
grant([//priv/bind,//priv/unbind], //app/policy/ASI/admin/Infrastructure/Engines, //role/Admin) if true; | Allows Admin role to bind/unbind resources, and to configure authorization and role mapping provider combinations and SCMs.
grant(//priv/deployUpdate, //app/policy/ASI/admin/Policy/Repository, [//role/Admin,//role/Deployer]) if true; | Allows Admin and Deployer roles to deploy policy updates.
grant(//priv/modify, //app/policy/ASI/admin, [//role/Admin,//role/Deployer]) if true; | Allows Admin and Deployer roles to modify children of ASI/admin (resources, identities, policies, etc.).
grant(//priv/view, //app/policy/ASI/admin, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if true; | Allows Admin, Monitor, Operator, and Deployer roles to view children of ASI/admin.
grant(//priv/listAll, //app/policy/ASI/admin, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if true; | Allows Admin, Monitor, Operator, and Deployer roles to perform listAll on children of ASI/admin.
grant(//priv/modify, //app/policy/ASI/admin/Identity/Subject/Password, //role/Everyone) if subject_name = sys_user_q; | Allows Everyone to modify their own password.
grant(//priv/create, [//app/policy/ASI/admin/Declaration, //app/policy/ASI/admin/Identity, //app/policy/ASI/admin/Infrastructure, //app/policy/ASI/admin/Resource], //role/Admin) if true; grant(//priv/create, [//app/policy/ASI/admin/Policy/Action, //app/policy/ASI/admin/Policy/Analysis, //app/policy/ASI/admin/Policy/Rule/Delegate, //app/policy/ASI/admin/Policy/Rule/Grant], //role/Admin) if true; | Allows Admin role to create policies.
grant([//priv/create,//priv/modify,//priv/view], //app/policy/ASI/admin/Policy/Analysis, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if owner = sys_user_q; | Allows Admin, Monitor, Operator, and Deployer roles to query ALES policies they own.
grant(//priv/execute, //app/policy/ASI/admin/Policy/Analysis, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if owner = sys_user_q or owner = ""; | Allows Admin, Monitor, Operator, and Deployer roles to query both policies they own and policies with no owner.
grant([//priv/addMember,//priv/removeMember], //app/policy/ASI/admin, [//role/Deployer]) if true; | Allows Deployer role to add and remove members of subject and privilege groups.

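The following Python is an added example, not code from ALES or its documentation: a simplified evaluator showing how the grant policies in Tables 2-9 and 2-10 combine (role mapping first, then authorization, with a policy on a resource node covering the nodes beneath it and sys_user_q standing for the requesting user), with the Table 2-5 evaluation functions usable in constraints. The user dana, the resource //app/policy/MyApp and the two policies marked constructed are made up; deny and delegate policies and the full constraint grammar are not modelled.

```python
# Added example (not ALES code): a simplified evaluator for the grant policy syntax
# of Tables 2-9 and 2-10, with the Table 2-5 functions usable in constraints. A policy
# on a node also covers the nodes beneath it; sys_user_q is the requesting user.
import re

def split_top(s):  # split on commas that are not nested inside [...] or (...)
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch in "[(") - (ch in "])")
        if ch == "," and depth == 0:
            parts.append(cur.strip()); cur = ""
        else:
            cur += ch
    return parts + [cur.strip()]

def as_list(term):  # '[a,b]' -> ['a', 'b']; a bare name -> [name]
    if term.startswith("[") and term.endswith("]"):
        return [t.strip() for t in term[1:-1].split(",") if t.strip()]
    return [term]

def parse_policy(text):
    """grant(actions, resources, subjects) if constraint;  ->  dict."""
    text = " ".join(text.split())            # undo the line wraps used in the tables
    if not (text.startswith("grant(") and text.endswith(";")):
        raise ValueError("not a grant policy: " + text)
    depth, i = 0, 5
    while True:                              # find the ')' that closes 'grant('
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            break
        i += 1
    actions, resources, subjects = split_top(text[6:i])
    rest = text[i + 1:-1].strip()
    return {"actions": as_list(actions), "resources": as_list(resources), "subjects": as_list(subjects),
            "constraint": rest[2:].strip() if rest.startswith("if ") else "true"}

def resource_is_child(c, p, direct=True):
    """Table 2-5: c is a direct child of p, or (direct=False) any descendant of p."""
    c, p = c.rstrip("/"), p.rstrip("/")
    return c.startswith(p + "/") and (not direct or "/" not in c[len(p) + 1:])

def subject_in_directory(s, d):  # Table 2-5: judged by name, //user/asi/x/ is in asi
    parts = s.strip("/").split("/")
    return len(parts) == 3 and parts[0] in ("user", "sgrp") and parts[1] == d

FUNCS = {f.__name__: f for f in (resource_is_child, subject_in_directory)}

def resolve(tok, ctx, user):  # literal, boolean, sys_user_q, or context attribute
    tok = tok.strip()
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        return tok[1:-1]
    if tok in ("true", "false"):
        return tok == "true"
    return user if tok == "sys_user_q" else tok if tok.startswith("//") else ctx.get(tok)

def eval_constraint(expr, ctx, user):
    """Atoms: true, attr = value, f(args); joined by 'and' / 'or' ('or' binds loosest)."""
    def atom(a):
        m = re.fullmatch(r"(\w+)\((.*)\)", a.strip())
        if m and m.group(1) in FUNCS:
            return FUNCS[m.group(1)](*[resolve(x, ctx, user) for x in split_top(m.group(2))])
        if "=" in a:
            lhs, rhs = a.split("=", 1)
            return resolve(lhs, ctx, user) == resolve(rhs, ctx, user)
        return bool(resolve(a, ctx, user))
    return any(all(atom(a) for a in t.split(" and ")) for t in expr.split(" or "))

def applies(pol, resource, subjects, ctx, user):
    """Resource is the policy node or beneath it, a subject matches, constraint holds."""
    return (any(resource.rstrip("/") == r.rstrip("/") or resource_is_child(resource, r, False)
                for r in pol["resources"])
            and any(s in pol["subjects"] for s in subjects)
            and eval_constraint(pol["constraint"], ctx, user))

# Defaults copied from Tables 2-9 and 2-10, plus two constructed policies (marked):
# a made-up user mapped to Deployer, and a limit on where Deployer may delete.
ROLE_POLICIES = [parse_policy(p) for p in (
    "grant(//role/Everyone, //app/policy/ASI, //sgrp/asi/allusers/) if true;",
    "grant(//role/Admin, //app/policy/ASI, //user/asi/system/) if true;",
    "grant(//role/Deployer, //app/policy/ASI, //user/asi/dana/) if true;",  # constructed
)]
AUTHZ_POLICIES = [parse_policy(p) for p in (
    "grant(//priv/delete, //app/policy/ASI/admin, //role/Admin) if true;",
    "grant(//priv/modify, //app/policy/ASI/admin/Identity/Subject/Password, //role/Everyone) if subject_name = sys_user_q;",
    'grant(//priv/execute, //app/policy/ASI/admin/Policy/Analysis, [//role/Admin,//role/Monitor,//role/Operator,//role/Deployer]) if owner = sys_user_q or owner = "";',
    "grant(//priv/delete, //app/policy/ASI/admin/Resource/Instance, //role/Deployer) if resource_is_child(resource, //app/policy/MyApp, false);",  # constructed
)]

def decide(privilege, resource, user, groups, ctx):
    """Map roles first (as Table 2-9 does), then check the authorization policies."""
    subjects = ["//user/asi/%s/" % user] + ["//sgrp/asi/%s/" % g for g in groups]
    roles = [r for pol in ROLE_POLICIES if applies(pol, resource, subjects, ctx, user) for r in pol["actions"]]
    return any(privilege in pol["actions"] and applies(pol, resource, subjects + roles, ctx, user)
               for pol in AUTHZ_POLICIES)
```

With these policies, a request by a user in allusers to modify the password whose subject_name is their own name is granted and one naming another user is refused, which is the "own password" rule of the Everyone policy; the constructed Deployer policy is granted only for resources beneath //app/policy/MyApp.
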
Viewing Authorization Policies

There are several ways to view authorization policies in the Administration Console:

Figure 2-2 below shows the results of an authorization policies query on the Admin role.

Figure 2-2 Authorization Policy Inquiry Results Dialog

