Chapter 6 Policy Management

This chapter describes the policy service management features of Sun™ ONE Identity Server. Policy management provides a way to view, manage and configure all Identity Server policies.

Policy Types

Policy Management

Policy Types

There are two types of policies that can be configured using Identity Server: a normal policy or a referral policy. A normal policy consists of rules, subjects and conditions. A referral policy consists of rules and referrals to organizations.

Normal Policy

In Identity Server, a policy that defines access permissions is referred to as a normal policy. A normal policy consists of rules, subjects and conditions.

A rule consists of a resource, and one or more sets of an action and a value. A resource defines the object that is being protected; an action is the name of an operation that can be performed on the resource and a value defines the permission.


Note	It is acceptable to define an action without resources.

Policies are not assigned to identities. Instead, subjects are assigned to policies. A subject is the identity object to which the policy is assigned and applied.

A condition defines the situations in which a policy is applicable. For example, a 7 am to 10 am time condition in a policy means that the policy is applicable only from 7 am to 10 am.

Referral Policy


Note	The terms referral, rule, resource, subject, condition, action and value correspond to the elements Referral, Rule, ResourceName, Subject, Condition, Attribute and Value in the policy.dtd. They are explained further in the Sun ONE Identity Server Customization and API Guide.

An administrator might typically need to delegate one organization’s policy definitions and decisions to another organization. (Alternately, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of one or more rules and one or more referrals. A rule defines the resource whose policy definition and evaluation is being referred. The referral defines the organization to which the policy definition and evaluation is being referred.


Note	The referred-to organization can define or evaluate policies only for those resources (or sub-resources) that have been referred to it. This restriction, however, does not apply to the root organization.

There are two types of referrals bundled with Identity Server: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively. See "Creating Policies for Peer and Suborganizations" for more information.

Policy Management

You can create, delete, and modify policies through the Policy API, through the amadmin command line tool, and through the Identity Server console.

This chapter focuses on creating policies through the console.For more information on amadmin, see "The amadmin Command Line Tool". For more information on the Policy API, see the “Policy Service” chapter in the Sun ONE Identity Server Customization and API Guide.

Policies are configured using the Identity Management interface. This interface provides a means for:

The Top-Level Administrator to view, create, delete and modify policies for a specific service that can be used across all organizations.

An organization or suborganization administrator to view, create, delete and modify policies for specific use by the organization.

In general, policy is created at the organization (or suborganization) level to be used throughout the organization’s tree.

Registering Policy Configuration Services

Registering a policy configuration service is the same as registering any type of service; it is done within the Identity Management interface. By default, the Policy Configuration service is automatically registered to the top-level organization. Any policy service you create must be registered to all organizations. Whenever you register the policy configuration service, you must enter the LDAP bind password in the template for all policies to take effect within an organization.

Navigate to the Identity Management interface.

When the console opens, the default interface is Identity Management.

Choose the organization for which you would like to create policy.

If logged in as the Top-Level Administrator, make sure that the location of the Identity Management module is the top-level organization where all configured organizations are visible. The default top-level organization is defined during installation.

Choose Services from the View menu.

If the organization already has registered services, they will be displayed in the Navigation frame.

Click Register in the Navigation frame.

A listing of services not yet registered to this organization is displayed in the Data frame.

From the Register Services window, opened in the Data frame, choose Policy Configuration and click register.

The Policy Configuration Service is added to the list of services in the Navigation frame.

Configure the policy service by clicking the Properties arrow. If the policy template has not yet been configured, you will need to create a service template for the newly registered policy service.

To configure the policy service, click Create. Modify the Policy Configuration attributes. See "Policy Configuration Service Attributes" for a description of these attributes. Click Save.

The policy configuration service is now registered to the chosen organization.



Note	Suborganizations must register their policy services independently of their parent organization. In other words, the suborganization o=suborg,dc=sun,dc=com will not inherit the policy configuration service from its parent dc=sun,dc=com.

Creating Policies

Navigate to the Identity Management interface.

Choose the organization for which you would like to create a policy.

Ensure that the location of the Policy Management window is correct for your organization.

Choose Policies from the View menu.

By default, the Organizations view is visible in the View menu. All suborganizations configured, if any, will be visible below it. If creating policies for a suborganization, choose the suborganization and then choose Policies from the View menu.

Click New in the Navigation frame. The New Policy window opens.

Select the type of policy, normal or referral, that you wish to create.

If a referral policy that refers to a suborganization does not exist, you will not be able to create any polices for that suborganization. For more information, see "Creating Policies for Peer and Suborganizations".

It is not necessary to define all of the fields for normal or referral policies at this time. You may create the policy, then add rules, subjects, referrals, and so forth, later. For information on configuring normal and referral policies, see "Modifying Policies".

Type a name for the policy and click Create.

The new policy rule window opens under the policy name created.

By default, the General view is displayed.

The General view displays the name of the policy and allows you to enter a description of the policy that is to be created.

Click Save to complete the policy’s configuration.

Modifying Policies

Once a normal or referral policy is created, you can modify the rules, subjects, conditions and referrals.

From the Identity Management interface, select Policies from the View menu.

The policies that were created for that organization are displayed.

Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data frame.

By default, the General view is displayed.

Modify a Normal Policy

Through the Identity Management interface, you can create a policy that defines access permissions. Such a policy is referred to as a normal policy. A normal policy can consist of multiple rules, subjects, and conditions. This section lists and defines the default fields that you can specify when creating a normal policy.

Adding Rules

From the Identity Management interface, select Policies from the View.

The policies that were created for that organization are displayed.

Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data frame.

By default, the General view is displayed.

To define rules for the policy, select Rules from the View menu and click Add.

If more than one service exists, they will be listed in the Data frame. Choose the service for which you wish to create a policy and click Next. The Add Rule window is displayed.

Define the resource, actions and action values in the Rules fields.

The fields are:

Service. Displays the service for the policy to be created. The default is URL Policy Agent.

Rule Name. Enter the name of the rule.

Resource Name. Enter the name of a resource. For example:

http://www.sunone.com

Currently, Policy Agents only support are http:// and https:// resources and do not support IP addresses in place of the hostname.

Wildcards are supported for resource names, port number and protocol. For example:

http*://*:*/*.html

For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.

Select Actions. For the URL Policy Agent Service, you can select either or both of the following default actions:

GET

POST

Select Action Values. For the URL Policy Agent Service, you can choose one of the following action values:

Allow lets you access the resource matching the resource defined in the rule.

Deny denies access to the resource matching the resource defined in the rule.

Denial rules always take precedence over allow rules in a policy. For example, if you have two policies for a given resource, one denying access and the other allowing access, the result is a deny access (provided that the conditions for both policies are met). It is recommended that deny policies be used with extreme caution as they may lead to potential conflicts between the policies. Typically, the policy definition process should only use allow rules, and use the default deny when no policies apply to accomplish the deny case.

If explicit deny rules are used, policies that are assigned to a given user through different subjects (such as role and/or group membership) may result in denied access to a resource even if one or more of the policies allow access. For example, if there is a deny policy for a resource applicable to an Employee role and there is another allow policy for the same resource applicable to Manager role, policy decisions for users assigned both Employee and Manager roles would be denied.

One way to resolve such problem is to design policies using Condition plug-ins. In the case above, a “role condition” that applies the deny policy to users authenticated to the Employee role and applies the allow policy to users authenticated to the Manager role helps differentiate the two policies. Another way could be to use the authentication level condition, where the Manager role authenticates at a higher authentication level. See "Adding Conditions" for more information.



Note	If the service is defined so that an action does not need resource definitions, the resource field will not be displayed. If the service contains both types of actions (some requiring resources, some without resources), an option is displayed to select rules with actions requiring no resources, or rules with actions requiring resources.

Click Create to save the rule.

Repeat steps 1 - 5 to create additional rules.

All of the rules created for that policy are displayed in the table in the Rules view. Click Save to add the rules to the policy.

To remove a rule from a policy, select the rule and click Remove.

You can edit any rule definition by clicking on the Edit link next to the rule name.

Adding Subjects

To define the subject for the policy, select Subject from the View menu and click Add.

Select one of the default subject types:

Identity Server Roles

LDAP Groups

LDAP Roles

LDAP Users

Organization

Click Next to continue.

Enter a name for the subject.

Select or deselect the Exclusive field.

If this field is not selected (default), the policy applies to the identity that is a member of the subject. If the field is selected, the policy applies the identity that is not a member of the subject.

If multiple subjects exist in the policy, the policy applies to the identity if at least one of the subjects implies that the policy applies to the given identity. Regardless of whether or not Exclusive field is selected, the policy applies to the identity when all conditions defined in the policy are satisfied.

Perform a search in order to display the identities to add to the subject.

The default (*) search pattern will display all qualified entries.

Select the identities that you wish to add for the subject and click Add to move them to the Selected list box. (or select Add All to add all of the identities).

Click Create.

The subject’s names, type and exclusive status are displayed in the table in the Subjects view. Click Save.

To remove a subject from a policy, select the subject and click Remove, then Save.

You can edit any subject definition by clicking on the Edit link next to the subject name.

Adding Conditions

Conditions allows you to define constraints on the policy. For example, if you are defining policy for a paycheck application, you can define a condition on this action limiting access to the application only during specific hours. Or, you may wish to define a condition that only grants this action if the request originates from a given set of IP addresses or from a company intranet.

The condition might additionally be used to configure different policies on different URIs on the same domain. For example, http://org.example.com/hr/*jsp can only be accessed by org.example.net from 9am to 5 pm, yet http://org.example.com/finance/*.jsp can be accessed by org.example2.net from 5 am to 11 pm. This can be achieved by using an IP Condition along with a Time Condition. And specifying the rule resource as http://org.example.com/hr/*.jsp, the policy would apply to all the JSPs under http://org.example.com/hr including those in the sub directories.

Define the conditions for the policy. Select Conditions from the View menu. Click Add to add a new condition, or click the Edit link to edit an existing condition.

Select one of the following default conditions:

Authentication Level

Authentication Scheme

IP Address

Session

Time

Click Next.

Define the values for a given condition in the Rules fields. The fields are:

Name. Enter the name of the condition.

Authentication Level

Authentication level. Indicate the level of trust for authentication. The available authentication levels are displayed in the authentication level and authentication module table.

Authentication Scheme

Authentication scheme. Choose the authentication scheme for the condition from the pull-down menu. These authentication schemes are taken from the Core service template in the organization authentication modules.

IP Address

IP Address From/To. Specifies the range of the IP address.

DNS Name. Specifies the DNS name.

Time

Date From/To. Specifies the range of the date.

Time. Specifies the range of time within a day.

Day. Specifies a range of days.

Timezone. Specifies a timezone, either standard or custom. Custom timezones can only be a timezone ID recognized by Java (for example, PST).

Session

Max Session Time. Specifies the maximum user session time during which a policy applies.

Terminate Session. If selected, this field sets the termination of the user session if the session time exceeds the maximum allowed as defined in the Max Session Time field.

Once you have defined the condition, click Create.

All of the conditions created for that policy are displayed in the table in the Conditions view. Click Save.

To remove a condition from a policy, select the condition and click Remove.

You can edit any condition definition by clicking on the Edit link next to the condition name.

Modify a Referral Policy

Through the Identity Management interface you can delegate an organization’s policy definitions and decisions to another organization. (You can also delegate policy decisions for a resource to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of a rule and the referral itself. If the policy service contains actions that do not require resources, referral policies cannot be created for suborganizations.

Adding Rules

To define rules for the policy, select Rules from the View menu. Click Add to add a new rule, or click the Edit link to edit an existing rule.

Define the resource in the Rules fields. The fields are:

Service. Displays the policy service for the policy to be created

Name. Enter the name of the rule.

Resource Name. Enter the name of a resource. For example:

http://www.sunone.com

Currently, Policy Agents only support are http:// and https:// resources and do not support IP addresses in place of the hostname.

Wildcards are supported for resource names, port number and protocol.

For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.

Click Create to save the rule.

Repeat steps 1 - 3 to create additional rules.

All of the rules created for that policy are displayed in the table in the Rules view. Click Save.

To remove a rule from a policy, select the rule and click Remove.

You can edit any rule definition by clicking on the Edit link next to the rule name.

Adding Referrals

The referral defines the organization to which the policy evaluation is being referred. By default, there are two types of referrals: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively.

To define referrals for the policy, select Referrals from the View menu. Click Add to add a new referral, or click the Edit link to edit an existing referral.

Define the resource in the Rules fields. The fields are:

Referral. Displays the current referral.

Name. Enter the name of the referral.

Containing. Specifies a filter for the organization names that will be displayed in the Value field. By default, it will display all organization names.

Value. Enter the organization name of the referral.

Click Create and Save.

To remove a referral from a policy, select the referral and click Remove.

You can edit any referral definition by clicking on the Edit link next to the referral name.

Creating Policies for Peer and Suborganizations

In order to create policies for peer or suborganizations, you must first create a referral policy in the parent (or another peer) organization. Also, the Policy Configuration service should be registered and the template created in the suborganizations. The referral policy must contain, in its rule definition, the resource prefix that is being managed by the suborganization. Once the referral policy is created in the parent organization (or another peer organization), normal policies can be created at the suborganization (or peer organization).

The Identity Server policy framework does not allow the creation of referral policies if the action name does not contain resource names. In other words, if the action does not include any resource names, policies can only be created under the root organization, not under the suborganization.

In this example, o=isp is the parent organization, o=sun.com is the suborganization and manages resources and sub-resources of http://www.example.com. To create a policy for this suborganization, follow these steps:

Create a referral policy at o=isp. For information on referral policies, see the procedure "Modify a Referral Policy".

The referral policy must define http://www.sun.com as the resource in the rule, and must contain a SubOrgReferral with sun.com as the value in the referral.

Go to the Organization view and navigate to the suborganization sun.com.

Ensure that the policy configuration service is registered at the suborganization level, sun.com. For information, see "Registering Policy Configuration Services".

Now that the resource is referred to sun.com by isp, normal policies can be created for the resource http://www.sun.com, or for any resource starting with http://www.sun.com.

See the procedure "Modify a Normal Policy" for information on creating normal policies.

To define policies for other resources managed by sun.com, additional referral policies must be created at o=isp.