Setting Up Application Security Administrators

ALES allows you to set up application-level administrators who are responsible for managing the security for a specific application. The application-level administrator will be able to manage the policies protecting resources belonging to that application, but no others. This chapter describes some basic steps for establishing an application-level security administrators and provisioning them with an initial framework for protecting applications. This section provides information on the following topics:

Overview

Although the design of the administrative model will vary by use, it is presumed that the task of defining policies to secure an application will be assigned to application-level administrator who has complete rights only for the specific application.

The basic procedure described here for setting up application-level administrators is to create a parent application resource that will contain a representation of the application in the resource tree, create administrator user accounts and groups as needed, and then use policies that will allow the administrators to manage the application's security.

Establishing a Resource Parent for the Application

To represent an application in ALES, create a binding application resource to serve as the application parent. Then give the application security administrator the right to build resources under this parent.

Select the Resource node in the navigation tree to display the current resource tree in the right panel of the Administration Console.
Right-click the top parent resource that will contain the application and select Add Resource.
Enter a resource name and select Binding in the Type field. Then click OK.
Right-click the new resource and select Configure Resource.
Select Binding Application in the Type field and click OK.

Create Administrative Users

User accounts are needed for the application security administrators. If you want, you may create application-specific directories containing users and groups for the application.

Identity Directories

Select the Identity node in the navigation tree to display the current directories in the right panel of the Administration Console. After ALES is installed, there is one directory named ASI.
Click New in the lower right page.
On the Create Directory dialog, enter the directory name and click OK.

Users and Groups

Select the Identity node in the navigation tree to display the current directories in the right panel of the Administration Console.
Click the directory where you want to add the user or group, then select Edit Users or Edit Groups at the bottom of the page. This displays the directory's groups or users depending on your selection.
Select New at the bottom of the page.
On the dialog that displays, enter the user or group name and select OK.

Policies for Application-Level Administration

Once the application parent is defined in the resource tree and the necessary identities have been created, you can use policies to determine administrative access to the application. Here are two examples:

Using policy constraints allows you to limit administrative rights. For example, the following policy assigns the Admin role to Joe only for managing resources for the Petstore application.

grant(//role/Admin, //app/policy/ASI/admin/Resource, //user/asi/Joe/) if resource_is_child(resource, //app/policy/Petstore, no);

Figure 3-1 Using the Resource_is_Child Constraint

Using the Resource_is_Child Constraint

Assign Admin role to Bob (user) for the purpose of performing inquiries on policies set on the Petstore application.

grant(//role/Admin, //app/policy/ASI/admin, //user/asi/Bob/) if sys_defined(resource) and resource_is_child(resource, //app/policy/Petstore, no);

Integrating ALES with Application Environments