ALES allows you to set up application-level administrators who are responsible for managing the security of a specific application. An application-level administrator can manage the policies protecting the resources that belong to that application, but no others. This chapter describes the basic steps for establishing application-level security administrators and provisioning them with an initial framework for protecting applications. This section provides information on the following topics:
Although the design of the administrative model will vary by use, it is presumed that the task of defining policies to secure an application will be assigned to an application-level administrator who has complete rights only for that specific application.
The basic procedure described here for setting up application-level administrators is to create a parent application resource that represents the application in the resource tree, create administrator user accounts and groups as needed, and then write policies that allow those administrators to manage the application's security.
To represent an application in ALES, create a binding application resource to serve as the application parent. Then give the application security administrator the right to build resources under this parent.
To create a binding application resource for an application:
User accounts are needed for the application security administrators. If you want, you may create application-specific directories containing users and groups for the application.
Note: An implicit group named allusers is automatically added to all directories.
To create a separate directory for an application's users and groups:
To add a user or group to a directory:
Once the application parent is defined in the resource tree and the necessary identities have been created, you can use policies to determine administrative access to the application. In both examples below, the resource_is_child condition confines the Admin role to the Petstore subtree, so the grant conveys no rights over any other application's resources. Here are two examples:
Note: A comprehensive understanding of this process can be obtained by examining the policies already in place for ALES components.
grant(//role/Admin, //app/policy/ASI/admin/Resource, //user/asi/Joe/) if resource_is_child(resource, //app/policy/Petstore, no);
grant(//role/Admin, //app/policy/ASI/admin, //user/asi/Bob/) if sys_defined(resource) and resource_is_child(resource, //app/policy/Petstore, no);
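The following is an added illustration of how a subtree-scoped grant like Joe's is evaluated; it is not ALES code and not the ALES policy engine. It assumes that the trailing `no` in `resource_is_child` means the parent node itself is excluded and only its descendants match, and the resource paths other than `//app/policy/Petstore` are constructed for the example.

```python
# Added example: minimal model of a subtree-scoped administrative grant.
# Illustrative only; the meaning of the third resource_is_child argument
# ("no" = exclude the parent node itself) is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    role: str
    user: str
    parent: str            # root of the subtree the grant is confined to
    include_parent: bool   # False models the trailing "no"


def resource_is_child(resource: str, parent: str, include_parent: bool) -> bool:
    """True when `resource` lies inside the `parent` subtree.

    The separator is appended before comparing so that a sibling whose
    name merely starts with the parent's name (e.g. Petstore2) does not
    match; a bare prefix test would silently widen the grant.
    """
    parent = parent.rstrip("/")
    resource = resource.rstrip("/")
    if resource == parent:
        return include_parent
    return resource.startswith(parent + "/")


# Models: grant(//role/Admin, ..., //user/asi/Joe/)
#           if resource_is_child(resource, //app/policy/Petstore, no);
POLICIES = [
    Grant(role="//role/Admin", user="//user/asi/Joe/",
          parent="//app/policy/Petstore", include_parent=False),
]


def is_granted(user: str, role: str, resource: str, policies=POLICIES) -> bool:
    """Return True if any grant gives `user` the `role` on `resource`."""
    return any(
        g.user == user and g.role == role
        and resource_is_child(resource, g.parent, g.include_parent)
        for g in policies
    )


if __name__ == "__main__":
    for res in ("//app/policy/Petstore/Catalog", "//app/policy/Petstore",
                "//app/policy/Petstore2/Catalog", "//app/policy/Bank/Accounts"):
        print(res, "->", is_granted("//user/asi/Joe/", "//role/Admin", res))
```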