Sun Java System Access Manager 6 2005Q1 Administration Guide |
Chapter 4
Identity ManagementThis chapter describes the identity management features of Sun Java System Access Manager 6 2005Q1. The Identity Management module interface provides a way to view, manage and configure all Access Manager objects and identities. This chapter contains the following sections:
The Access Manager ConsoleThe Access Manager console is divided into three sections: the Location pane, the Navigation pane and the Data pane. By using all three panes, the administrator is able to navigate the directory, perform user and service configurations and create policies.
Header Pane
The Header pane runs along the top of the console. The tabs in the Header pane allow the administrator to switch between the different management module views:
- Identity Management module - allows for the creation and management of identity-related objects.
- Service Configuration module - allows for the configuration of Access Manager’s default services.
- Current Sessions module - allows administrators to view current session information, as well as terminating any session.
- Federation Management module - allows for the utilization of the open standards for federated network identity being developed by the Liberty Alliance Project.
The Location field provides a trail to the administrator’s position in the directory tree. This path is used for navigational purposes.
The Welcome field displays the name of the user that is currently running the console with a link to the user profile.
The Search link displays an interface that allows the user to search for entries of a specific Access Manager object type. Use the pull-down menu to select the object type and enter the search string.The Results are returned in the search table. Wildcards are accepted.
The Help link opens a browser window containing information on Identity Management, Current Sessions, Federation Management and Part IV of this documentation, the Attribute Reference.
The Logout link allows the user to log out of the Access Manager.
Navigation Pane
The Navigation pane is the left portion of the Access Manager console. The Directory Object portion (within the grey box) displays the name of the directory object that is currently open and its Properties link. (Most objects displayed in the Navigation pane will have a corresponding Properties link. Selecting this link will render the entry’s attributes in the Data pane to the right.) The View menu lists the directories under the selected directory object. Depending on the number of sub-directories, a paging mechanism is provided.
Data Pane
The Data peneplain is the right portion of the console. This is where all object attributes and their values are displayed and configured and where entries are selected for their respective group, role or organization.
Tip
You can select or deselect all of the items in a list by clicking the Select All, or Deselect All icons.
There are two basic views of the Access Manager graphical user interface. Depending on the roles of the user logging in, they might gain access to the Identity Management view or the User Profile view.
Identity Management View
When a user with an administrative role authenticates to the Access Manager, the default view is the Identity Management view. In this view the administrator can perform administrative tasks. Depending on the role of the administrator, this can include creating, deleting and managing objects (users, organizations, policies, and so forth), and configuring services.
User Profile View
When a user who has not been assigned an administrative role authenticates to the Access Manager, the default view is the user’s own User Profile. In this view the user can modify the values of the attributes particular to the user’s personal profile. This can include, but is not limited to, name, home address and password. The attributes displayed in the User Profile View can be extended. For more information on adding customized attributes for objects and identities, see the Access Manager Developer’s Guide.
Properties Function
To view or modify an entry’s properties, click the Properties arrow next to the object’s name. Its attributes and corresponding values are displayed in the Data pane. Different objects display different properties.
See the Access Manager Developer’s Guide for information on how to extend an entry’s properties.
The Identity Management InterfaceThe Identity Management interface allows for the creation and management of identity-related objects. User, role, group, policies, organization, suborganization and container objects and more can be defined, modified or deleted using either the Access Manager console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the organizations, groups, containers, users, services, and policies. (Additional administrators can be created based on roles.) The administrators are defined within the Directory Server when installed with Access Manager.
Managing Access Manager ObjectsThe User Management interface contains all the components needed to view and manage the Access Manager objects (organizations, groups, users, services, roles policies, container objects, and agents). This section explains the object types and details how to configure them.
For most Access Manager object types, you can optionally configure Display Options and Available Actions to show or hide the way in which the web interfaces are displayed in the Access Manager console. Configuration is done at the organization and role levels and users inherit the configuration from the organization in which they reside and the roles that are assigned to them. These settings are described at the end of this chapter.
Organizations
An Organization represents the top-level of a hierarchical structure used by an enterprise to manage its departments and resources. Upon installation, Access Manager dynamically creates a top-level organization (defined during installation) to manage the Access Manager enterprise configurations. Additional organizations can be created after installation to manage separate enterprises. All created organizations fall beneath the top-level organization.
To Create an Organization
- Choose Organizations from the View menu in the Identity Management module.
- Click New in the Navigation pane.
- Enter the values for the fields. Only Name is required. The fields are:
Name. Enter a value for the name of the Organization.
Domain Name. Enter the full Domain Name System (DNS) name for the organization, if it has one.
Organization Status. Choose a status of active or inactive.
The default is active. This can be changed at any time during the life of the organization by selecting the Properties icon. Choosing inactive disables user access when logging in to the organization.
Organization Aliases. This field defines alias names for the organization, allowing you to use the aliases for authentication with a URL login. For example, if you have an organization named exampleorg, and define 123 and abc as aliases, you can log into the organization using any of the following URLs:
http://machine.example.com/amserver/UI/Login?org=exampleorg
http://machine.example.com/amserver/UI/Login?org=abc
http://machine.example.com/amserver/UI/Login?org=123
Organization alias names must be unique throughout the organization. You can use the Unique Attribute List to enforce uniqueness.
DNS Alias Names. Allows you to add alias names for the DNS name for the organization. This attribute only accepts “real” domain aliases (random strings are not allowed). For example, if you have a DNS named example.com, and define example1.com and example2.com as aliases for an organization named exampleorg, you can log into the organization using any of the following URLs:
http://machine.example.com/amserver/UI/Login?org=exampleorg
http://machine.example1.com/amserver/UI/Login?=org=exampleorg
http://machine.example2.com/amserver/UI/Login?org=exampleorg
Unique Attribute List. Allows you to add a list of unique attribute names for users in the organization. For example, if you add a unique attribute name specifying an email address, you would not be able to create two users with the same email address. This field also accepts a comma-separated list. Any one of the attribute names in the list defines uniqueness. For example, if the field contains the following list of attribute names:
PreferredDomain, AssociatedDomain
and PreferredDomain is defined as http://www.example.com for a particular user, then the entire comma-separated list is defined as unique for that URL.
Uniqueness is enforced for all suborganizations.
- Click OK.
The new organization displays in the Navigation pane. To edit any of the properties that you defined during creation of the organization, click the Properties arrow of the organization you wish to edit, select General from the View menu in the Data pane, edit the properties and click OK. You can use the Display Options and Available Actions views to customize the appearance of the Access Manager console and to specify the behavior for any users that authenticate to this organization.
To Delete an Organization
To Add an Organization to a Policy
Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.
Groups
A group represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels; within an organization and within other managed groups. Groups that exist within other groups are called sub-groups. Sub-groups are child nodes that “physically” exist within a parent group.
Access Manager also supports nested groups, which are “representations” of existing groups contained in a single group. As opposed to sub-groups, nested groups can exist anywhere in the DIT. They allow you to quickly set up access permissions for a large number of users.
When you create a group, you can create groups that use Membership By Subscription (static group) or Membership By Filter (filtered groups). This controls the way in which users are added to the group. Users can only be added to static groups. Dynamic groups control the addition of users through a filter. Nested or sub-groups, however, can be added to both.
Static Group (Membership By Subscription)
When you specify group membership by subscription, a static group is created based on the Managed Group Type you specify. If the Managed Group Type value is static, group members are added to a group entry using the groupOfNames or groupOfUniqueNames object class. If the Managed Group Type value is dynamic, a specific LDAP filter is used to search and return only user entries that contain the memberof attribute. For more information, see Managed Group Type.
Note
By default, the managed group type is dynamic. You can change this default in the Administration service configuration.
Filtered Group (Membership By Filter)
A filtered group is a dynamic group that is created through the use of an LDAP filter. All entries are funneled through the filter and dynamically assigned to the group. The filter would look for any attribute in an entry and return those that contain the attribute. For example, if you were to create a group based on a building number, you can use the filter to return a list all users containing the building number attribute.
To Create a Static Group
- Navigate to the organization, group or group container where the group will be created.
- Choose Groups from the View menu.
- Click New.
- Select Membership By Subscription for the group type from within the Data pane.
- Enter a name for the group in the Name field. Click Next.
- Select the Users Can Subscribe to this Group attribute to allow users to subscribe to the group themselves.
- If you have defined multiple group containers in your DIT and the Show Group Containers attribute (from the Administration Service) is not enabled, you can select the Parent Group Container to which the static group will belong. Otherwise, this field is not displayed.
- Click Finish.
Once the group is created, you can edit the Users Can Subscribe to this Group attribute by selecting General from the View menu in the Data pane.
To Add or Remove Members to a Static Group
- Click the Properties arrow next to the group to which you will add members.
- In the Data pane, select Members from the View menu.
Choose an action to perform in the Select Action menu. The actions you can perform are as follows:
New User. This action creates a new user and automatically adds the user to the group when the user information is saved.
Add User. This action adds an existing user to the group. When you select this action, you create a search criteria which will specify users you wish to add. The fields used to construct the criteria use either an ANY or ALL operator. ALL returns users for all specified fields. ANY returns users for any one of the specified fields. If a field is left blank, it will match all possible entries for that particular attribute.
Once you have constructed the search criteria, click Next. From the returned list of users, select the users you wish to add and click Finish.
Add Group. This action adds a nested group to the current group. When you select this action, you create a search criteria, including search scope, the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.
Remove Members. This action will remove members (which includes users and groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Available Actions list.
Delete Members. This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members from the Available Actions list.
To Create a Filtered Group
- Navigate to the organization (or group) where the group will be created.
- Choose Groups from the View menu.
- Click New.
- Select Membership By Filter for the group type from within the Data pane.
- Enter a name for the group in the Name field. Click Next.
- Construct the LDAP search filter.
By default, Access Manager displays the Basic search filter interface. The Basic fields used to construct the filter use either an ANY or ALL operator. ALL returns users for all specified fields. ANY returns users for any one of the specified fields. If a field is left blank it will match all possible entries for that particular attribute.
Alternatively, you can select the Advanced button to define the filter attributes yourself. For example,
(&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))
When you click Finish, all users matching the search criteria are automatically added to the group.
To Add or Remove Members to a Filtered Group
- Click the Properties arrow next to the group to which you will add members.
- In the Data pane, select Members from the View menu.
Choose an action to perform in the Action menu. The actions you can perform are as follows:
Add Group. This action adds a nested group to the current group. When you select this action, you create a search criteria, including search scope, the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.
Remove Members. This action will remove members (which includes groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Available Actions list.
Delete Members. This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members from the Available Actions list.
To Add a Group to a Policy
Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.
Users
A user represents an individual’s identity. Through the Access Manager Identity Management module, users can be created and deleted in organizations, containers and groups and can be added or removed from roles and/or groups. You can also assign services to the user.
To Create a User
- Navigate to the organization, container or people container where the user is to be created.
- Choose Users from the View menu.
- Click New.
This displays the New User page in the Data pane.
- If there are services available to the users, select a service to which the user will subscribe from the Available Services page. If you wish to skip this page, click Next.
- Enter data for the following default required values:
UserId. This field takes the name of the user with which he or she will log into Access Manager. This property may be a non-DN value.
First Name. This field takes the first name of the user. The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Access Manager console. This is not a required value.
Last Name. This field takes the last name of the user. The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Access Manager console.
Full Name. This field takes the full name of the user.
Password. This field takes the password for the name specified in the User Id field.
Password (Confirm). Confirm the password.
User Status. This option indicates whether the user is allowed to authenticate through Access Manager. Only active users can authenticate through Access Manager. The default value is Active.
- Click Finish.
To Add a User to Roles and Groups
- Navigate to the Organization for the user that is to be modified.
- Choose Users from the View menu.
- In the Navigation pane, select the user you wish to modify and click the Properties arrow.
- From the View menu in the Data pane, select Roles or Groups. Only the roles and groups that have already been assigned to the user are displayed. Click Add to see the list of available roles and groups from which to choose.
- Select the role or group that to which you wish to add the user, and click Save.
To Add a Service to a User
- Navigate to the Organization for the user that is to be modified.
- Choose Users from the View menu in the Navigation pane.
- In the Navigation pane, select the user you wish to modify and click the Properties arrow.
- From the View menu in the Data pane, select Services. The list of services that are available to the user are displayed in the Add Services pages.
- Select the services you wish to assign to the user.
- Click OK.
To edit a service’s attributes, click the Edit link next to the service name. Only services that are editable will display the Edit link.
To Remove a User
To Add a User to a Policy
Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.
Services
Activating a service for an organization or container (containers behave the same as organizations) is a two step process. In the first step you need to add the service to the organization. After you add the service, you must configure a template configured specifically for that organization.
To Add a Service
- Navigate to the Organization where you will add services.
- Choose Services from the View menu.
- Click Add.
The Data pane will display a list of services available to add to this organization.
- Select the checkbox next to each service to be added.
- Click OK. The services that have been added are displayed in the Navigation pane.
To Create a Template for a Service
- Navigate to the organization or role where the added service exists.
Choose Organizations from the View menu in the Identity Management module and select the organization from the Navigation pane.
- Choose Services from the View menu.
- Click the properties icon next to the name of the service to be activated.
The Data pane displays the message A template does not currently exist for this service. Do you want to create one now?
- Click Yes.
A template is created for this service for the parent organization or role. The Data pane displays the default attributes and values for this service. Descriptions for the attributes for the default services are described in the Attribute Reference.
- Accept or modify the default values and click Save.
To Remove a Service
Roles
Roles are a Directory Server entry mechanism similar to the concept of a group. A group has members; a role has members. A role’s members are LDAP entries that possess the role. The criteria of the role itself is defined as an LDAP entry with attributes, identified by the Distinguished Name (DN) attribute of the entry. Directory Server has a number of different types of roles but Access Manager can manage only one of them: the managed role.
Note
The other Directory Server role types can still be used in a directory deployment; they just can not be managed by the Access Manager console. Other Directory Server types can be used in a policy’s subject definition. For more information on policy subjects, see “Creating Policies” on page 129.
Users can possess one or more roles. For example, a contractor role which has attributes from the Session Service and the Password Reset Service might be created. When new contractors start, the administrator can assign them this role rather than setting separate attributes in the contractor entry. If the contractor is working in the Engineering department and requires services and access rights applicable to an engineering employee, the administrator could assign the contractor to the engineering role as well as the contractor role.
Access Manager uses roles to apply access control instructions. When first installed, Access Manager configures access control instructions (ACIs) that define administrator permissions. These ACIs are then designated in roles (such as Organization Admin Role and Organization Help Desk Admin Role) which, when assigned to a user, define the user’s access permissions.
Users can view their assigned roles only if the Display User’s Roles attribute is enabled in the Administration Service. For more information, see Show Roles on User Profile Page.
Similar to groups, roles can be created by a filter, or be created statically.
Static Role. In contrast to a filtered role, a static role can be created without adding users at the point of the role’s creation. This gives you more control when adding specific users to a given role.
Filtered Role. A filtered role is a dynamic role created through the use of an LDAP filter. All users are funneled through the filter and assigned to the role at the time of the role’s creation. The filter looks for any attribute value pair (for example, ca=user*) in an entry and automatically assign the users that contain the attribute to the role.
To Create a Static Role
- In the Navigation pane go the organization where the role will be created.
- Choose Roles from the View menu.
A set of default roles are created when an organization is configured, and are displayed in the Navigation pane. The default roles are:
Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this container unit.
Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.
Note
When a suborganization is created, remember that the administration roles are created in the suborganization, not in the parent organization.
Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.
Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.
People Container Admin. By default, any user entry in an newly created organization is a member of that organization’s People Container. The People Container Administrator has read and write access to all user entries in the organization’s People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs therefore, they cannot modify the attributes of, or remove a user from, a role or a group.
Group Admin. The Group Administrator has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users the that they have created.
When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.
Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.
Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.
- Click New in the Navigation pane. The New Role template appears in the Data pane.
- Select Static Role and enter a name. Click Next.
- Enter a description of the role.
- Choose the role type from the Type menu.
The role can be either an Administrative role or a Service role. The role type is used by the console to determine and here to start the user in the Access Manager console. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.
- Choose a default set of permissions to apply to the role from the Access Permission menu.The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:
No permissions. No permissions are to be set on the role.
Organization Admin. The Organization Administrator has read and write access to all entries in the configured organization.
Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.
Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator can not create a referral policy to a peer organization.
Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.
- Click Finish.
The created role is displayed in the Navigation pane and status information about the role is displayed in the Data pane.
You can optionally configure the Display Options and Available Actions by selecting them in the View menu. For more information, see Display Options and Available Actions at the end of this chapter.
To Add Users to a Static Role
- Select the role to modify and click on the Properties arrow.
- Choose Users from the View menu in the Data pane.
- Click Add.
- Enter the information for the search criteria. You can choose to search for users based on one or more the displayed fields The fields are:
Match. Allows you to include an operator for any the fields you wish to include for the filter. ALL returns users for all specified fields. ANY returns users for any one of the specified fields.
First Name. Search for users by their first name.
User Status. Search for users by their status (active or inactive).
User ID. Search for a user by User ID.
Last Name. Search for users by their last name.
Full Name. Search for users by their full name.
- Click Next to begin the search. The results of the search are displayed.
- Choose the users from the names returned by selecting the checkbox next to the user name.
- Click Finish.
The Users are now assigned to the role.
To Create a Filtered Role
- In the Navigation pane, go the organization where the role will be created.
- Choose Roles from the View menu.
A set of default roles are created when an organization is configured, and are displayed in the Navigation pane. The default roles are:
Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this container unit.
Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.
Note
When a suborganization is created, remember that the administration roles are created in the suborganization, not in the parent organization.
Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.
Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.
People Container Admin. By default, any user entry in an newly created organization is a member of that organization’s People Container. The People Container Administrator has read and write access to all user entries in the organization’s People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs therefore, they cannot modify the attributes of, or remove a user from, a role or a group.
Group Admin. The Group Administrator has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users the that they have created.
When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.
Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.
Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.
- Click New in the Navigation pane. The New Role template appears in the Data pane.
- Select Filtered Role and enter the name. Click Next.
- Enter a description for the role.
- Choose the role type from the Type menu.
The role can be either an Administrative role or a Service role. The role type is used by the console to determine and where to start the user in the Access Manager console. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.
- Choose a default set of permissions to apply to the role from the Access Permission menu.
- The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:
No permissions. No permissions are to be set on the role.
Organization Admin. The Organization Administrator has read and write access to all entries in the configured organization.
Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.
Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator can not create a referral policy to a peer organization.
Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.
- Enter the information for the search criteria. The fields are:
Match. Allows you to include an operator for any the fields you wish to include for the filter. ALL returns users for all specified fields. ANY returns users for any one of the specified fields.
First Name. Search for users by their first name.
User Status. Search for users by their status (active or inactive).
User ID. Search for a user by User ID.
Last Name. Search for users by their last name.
Full Name. Search for users by their full name.
Alternatively, you can select the Advanced button to define the filter attributes yourself. For example,
(&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))
If the filter is left blank, by default, the following role is created:
(objectclass = inetorgperson)
Click Cancel to cancel the role creation process.
- Click Finish to initiate the search based on the filter criteria. The users defined by the filter criteria are automatically assigned to the role.
You can optionally configure the Display Options and Available Actions by selecting them in the View menu. For more information, see Display Options and Available Actions at the end of this chapter.
To Remove Users from a Role
- Navigate to the Organization that contains the role to modify.
Choose Organizations from the View menu in the Identity Management module and select the organization from the Navigation pane.
- Choose Roles from the View menu.
- Select the role to modify.
- Choose Users from the View menu.
- Select the checkbox next to each user to be removed.
- Click Remove.
The users are now removed from the role.
To Add a Role to a Policy
Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.
Customizing a Service to a Role
You can customize the services available to a role, and the access level for the service attributes, on a per-role basis. Each of the available services can be customized for a role by setting role-specific values to the attributes. You can also grant access for each of the services and to the services’ attributes. There may be services that you wish only to be accessed by a specific type of user (for example, managers). To accomplish this, all users are assigned the service, but only the Manager type belonging to the role is allowed access to the specific service.
The same logic applies to service attributes. A user’s account consists of many attributes, some of which the user may not be allowed to access; for example the account expiration date. The administrator of the account can be granted access to this attribute, but the user (the account owner) is not. Customizing the service and attribute access is accomplished through the role’s Service view in the Navigation pane.
You must first add the services at the organization level in order to display the services. Users that are added to the role will inherit the role’s service attributes.
To Configure Services
- In the role’s Service view, go to the section labeled Service Configuration for this Role.
- Choose a service that is to be granted to the role by clicking on the Edit link next to the service name.
If you have not created a service template, you will be prompted to do so. Click Yes.
- Modify the Service attributes. For more information on specific Service attributes, see Part 3 of this manual, the Attribute Reference Guide.
- Click Save.
To Customize Attribute Access
- In the role’s Services view, go to the section labeled Service Access for this Role.
- Choose the enable or disable status for the service you wish to modify. Enable allows the access modifications. Disable disallows the access modifications.
- Click the Modify Access link.
- Assign an access level to an attribute by selecting the Read/Write or Read Only check boxes.
- Click OK and then Save.
For more information on specific Service attributes, see Part 4 of this manual, the Attribute Reference.
To Add a Role to a Policy
Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.
To Delete a Role
- Navigate to the organization that contains the role to be deleted.
- Choose Organizations from the View menu in Identity Management and select the organization from the Navigation pane. The Location path displays the default top-level organization and chosen organization.
- Choose Roles from the View menu.
- Select the checkbox next to the name of the role.
- Click Delete.
Policies
Policies define rules to help protect an organization’s web resources. Although policy creation, modification and deletion is performed through the Identity Management module, the procedures are described in “Creating Policies” on page 129.
Agents
Access Manager Policy Agents protect content on web servers and web proxy servers from unauthorized intrusions. They control access to services and web resources based on the policies configured by an administrator.
The agent object defines a Policy Agent profile, and allows Access Manager to store authentication and other profile information about a specific agent that is protecting an Access Manager resource. Through the Access Manager console, administrators can view, create, modify and delete agent profiles.
To Create an Agent
- Navigate to the organization that contains the agent to be created.
- Choose Agents from the View menu.
- Click New.
- Enter the values for the fields. The fields are:
Name. Enter the name or identity of the agent. This is the name that the agent will use to log into Access Manager. Multi-byte names are not accepted.
Password. Enter the agent password. This password must match the password used by the agent during LDAP authentication.
Confirm Password. Confirm the password.
Description. Enter a brief description of the agent. For example, you can enter the agent instance name or the name of the application it is protecting.
Agent Key Value. Set the agent properties with a key/value pair. This property is used by Access Manager to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format:
agentRootURL=http://server_name:port/
Device Status. Enter the device status of the agent. If set to Active, the agent will be able to authenticate to and communicate with Access Manager. If set to Inactive, the agent will not be able to authenticate to Access Manager.
To Delete an Agent
Creating a Unique Policy Agent Identity
By default, when you create multiple policy agents in a trusted environment, the policy agents contain the same UID and password. Because the UID and passwords are shared, Access Manager cannot distinguish between the agents, which may leave the session cookie open to interception.
The weakness may be present when an Identity Provider provides authentication, authorization and profile information about a user to applications (or Service Providers) that are developed by third parties or by unauthorized groups within the enterprise. Possible security issues are:
- All applications share the same http session cookie. This makes it possible for a rogue application to hijack the session cookie and impersonate the user to another application.
- If the application does not use the https protocol, the session cookie is prone to network eavesdropping.
- If just one application can be hacked, the security of the entire infrastructure is in jeopardy of being compromised.
- A rouge application can use the session cookie to obtain and possibly modify the profile attributes of a user. If the user has administrative privileges, the application would be able to do a lot more damage.
To Create a Unique Policy Identity
- Use the Access Manager administration console to make an entry for each agent. For more information, see To Create an Agent.
- Run the following command on the password that was entered in step 1b.
AccessManager-base/SUNWam/agents/bin/crypt_util agent123
This will give the following output:
WnmKUCg/y3l404ivWY6HPQ==
- Change AMAgent.properties to reflect the new value, and then and restart the agent. Example:
- Change AMConfig.properties to reflect the new values, and then and restart Access Manager. Example:
- In the Access Manager administration console, choose Service Configuration>Platform.
- In the Cookie Domains list, change the cookie domain name:
Containers
The container entry is used when, due to object class and attribute differences, it is not possible to use an organization entry. It is important to remember that the Access Manager container entry and the Access Manager organization entry are not necessarily equivalent to the LDAP object classes organizationalUnit and organization. They are abstract Identity entries. Ideally, the organization entry will be used instead of the container entry.
Note
The display of containers is optional. To view containers you must select Show Containers in View Menu in the Service Configuration module. For more information, see Show Containers In View Menu.
To Create a Container
- Navigate to the Organization or Container where the new Container will be created.
Select Containers from the View menu.
- Click New.
A Container template displays in the Data pane.
- Enter the name of the Container to be created.
- Click OK.
You can optionally configure the Display Options and Available Actions by selecting them in the View menu. For more information, see Display Options and Available Actions at the end of this chapter.
To Delete a Container
People Containers
A people container is the default LDAP organizational unit to which all users are assigned when they are created within an organization. People containers can be found at the organization level and at the people container level as a sub People Container. They can contain only other people containers and users. Additional people containers can be added into the organization, if desired.
Note
The display of people containers is optional. To view People Containers you must select Show People Containers in the Service Configuration module. For more information, see Show People Containers.
Create a People Container
Delete a People Container
Group Containers
A group container is used to manage groups. It can contain only groups and other group containers. The group container Groups is dynamically assigned as the parent entry for all managed groups. Additional group containers can be added, if desired.
Note
The display of group containers is optional. To view group containers you must select Show Group Containers in the Service Configuration module. For more information, see Show Group Containers.
To Create a Group Container
- Navigate to the organization or the group container which contains the group container to be created.
- Choose group containers from the View menu.
The default Groups was created during the organization’s creation.
- Click New.
- Enter a value in the Name field and click OK. The new group container displays in the Navigation pane.
To Delete a Group Container
Display Options
For organizations, roles and containers, you can use Display Options view to customize the way in which Access Manager objects are displayed in the Access Manager console. Not all display options are available for all object types.
To Change the Display Options
- Click on the Properties arrow of the organization for which you would like to change the display options.
- Select Display Options from the View menu in the Data pane.
- Edit the properties in the General section. The properties are:
Generate Full Name Attribute. Select this attribute to enable Access Manager to always generate the user’s full name, which is formed from the first and last name values in the user’s profile.
Always Select First Entry. Select this attribute for a search so that it automatically selects the first item of a given identity object type in the Navigation pane and displays it in the Data pane.
User Profile Page Title. Choose an attribute from this pull-down menu to be used for the title in the User Profile Page.
Disable Initial Search. This value disables the initial Access Manager search for one or more identity object types. Disabling the initial Search may enhance performance and reduce the likelihood of a timeout error.
- Change the display options in the Display Configuration of Access Manager Objects section. This section allows you to customize how Access Manager containers and objects are displayed. The Access Manager Containers option allows you to specify which object views are displayed in the Navigation pane’s View menu. The Access Manager Objects field allows you to specify which object views are displayed in the Data pane’s View menu.
- Click Save.
Available Actions
For certain Access Manager object types, you can define user access rights through the Available Actions view.
To Set Available Actions for Users
- Click on the Properties arrow of the Identity object for which you would like to set available actions.
- Select Available Actions from the View menu in the Data pane.
- Choose the action type available for any Access Manager object. The action type defines the user’s accessibility for each object. The action types are:
No Access. The user has no access to this object.
View. The user has read-only access to this object.
Modify. The user can modify and view this object.
Delete. The user can modify, view and delete this object.
Full Access. The user can create, modify, view and delete this object.
- Click Save. To change the values to their previously saved state, click Reset.