Sun Java System Access Manager 7 2005Q4 Administration Guide

Creating Policies

You can create, modify and delete policies through the Policy API and the Access Manager console, and create and delete policies through the amadmin command line tool. You can also get and list policies in XML using the amadmin utility. This section focuses on creating policies through the amadmin command line utility and through the Access Manager console. For more information on the Policy APIs, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.

Policies are generally created using an XML file and added to Access Manager through the amadmin command line utility and then managed using the Access Manager console (although policies can be created using the console). This is because policies cannot be modified using amadmin directly. To modify a policy, you must first delete the policy from Access Manager and then add the modified policy using amadmin.

In general, policy is created at the realm (or sub realm) level to be used throughout the realm’s tree.

Procedure: To Create Policies with amadmin

  1. Create the policy XML file based on amadmin.dtd. The DTD is located in the following directory:

    AccessManager-base/SUNWam/dtd

  2. Once the policy XML file is developed, you can use the following command to load it:

    AccessManager-base/SUNWam/bin/amadmin \
    --runasdn "uid=amAdmin,ou=People,default_org,root_suffix" \
    --password password \
    --data policy.xml

    To add multiple policies simultaneously, place the policies in one XML file, as opposed to having one policy in each XML file. If you load policies with multiple XML files in quick succession, the internal policy index may become corrupted and some policies may not participate in policy evaluation.

    When creating policies through amadmin, ensure that: the authentication module is registered with the realm before you create an authentication scheme condition; the corresponding LDAP objects (realms, groups, roles and users) exist before you create Realm, LDAPGroups, LDAPRoles and LDAPUsers subjects; Access Manager roles exist before you create IdentityServerRoles subjects; and the relevant realms exist before you create sub realm or peer realm referrals.

    Note that the text of the Value elements in SubrealmReferral, PeerRealmReferral, Realm subject, IdentityServerRoles subject, LDAPGroups subject, LDAPRoles subject and LDAPUsers subject must be the full DN.

Procedure: To Create a Normal Policy With the Access Manager Console

  1. Choose the realm for which you would like to create a policy.

  2. Click the Policies tab.

  3. Click New Policy from the Policies list.

  4. Add a name and a description for the policy.

  5. If you wish the policy to be active, select Yes in the Active attribute.

  6. It is not necessary to define all of the fields for normal policies at this time. You may create the policy, then add rules, subjects, conditions, and response providers later. See Managing Policies for more information.

  7. Click Create.

Procedure: To Create a Referral Policy With the Access Manager Console

  1. Choose the realm for which you would like to create the policy.

  2. Click New Referral from the Policies tab.

  3. Add a name and a description for the policy.

  4. If you wish the policy to be active, select Yes in the Active attribute.

  5. It is not necessary to define all of the fields for referral policies at this time. You may create the policy, then add rules and referrals later. See Managing Policies for more information.

  6. Click Create.

Creating Policies for Peer Realms and Sub Realms

In order to create policies for peer or sub realms, you must first create a referral policy in the parent (or another peer) realm. The referral policy must contain, in its rule definition, the resource prefix that is being managed by the sub realm. Once the referral policy is created in the parent realm (or another peer realm) normal policies can be created at the sub realm (or peer realm).

In this example, o=isp is the parent realm and o=example.com is the sub realm that manages resources and sub-resources of http://www.example.com.

Procedure: To Create a Policy for a Sub Realm

  1. Create a referral policy at o=isp. For information on referral policies, see the procedure Modifying a Referral Policy.

    The referral policy must define http://www.example.com as the resource in the rule, and must contain a SubRealmReferral with example.com as the value in the referral.

  2. Navigate to the sub realm example.com.

  3. Now that the resource is referred to example.com by isp, normal policies can be created for the resource http://www.example.com, or for any resource starting with http://www.example.com.

    To define policies for other resources managed by example.com, additional referral policies must be created at o=isp.
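The two requirements above that most often make an amadmin load fail or leave a sub realm policy inert are the full-DN rule for Value elements and the need for every sub realm resource to sit under a prefix that a parent referral policy hands down. The following added pre-flight checker (my own example, not part of the guide or of Access Manager) runs both checks over two constructed policy fragments for the o=isp / o=example.com scenario. The element and attribute names it reads (Policy, Rule, ResourceName, Referrals, Referral, Subject, AttributeValuePair, Attribute name="Values", Value) are my recollection of amadmin.dtd and should be confirmed against the installed DTD.

```python
"""Pre-flight checks for an amadmin policy XML file (added example, not from the guide).
Element/attribute names are assumed from amadmin.dtd; confirm against
AccessManager-base/SUNWam/dtd/amadmin.dtd before relying on this checker."""
import re
import xml.etree.ElementTree as ET

# Subject and referral types whose Value text the guide says must be a full DN.
DN_VALUE_TYPES = {"SubRealmReferral", "PeerRealmReferral", "Realm",
                  "IdentityServerRoles", "LDAPGroups", "LDAPRoles", "LDAPUsers"}
# One or more "attr=value" RDNs joined by commas, e.g. "o=example.com,o=isp".
DN_RE = re.compile(r"^\s*[A-Za-z][\w.-]*=[^,=]+(,\s*[A-Za-z][\w.-]*=[^,=]+)*\s*$")

def is_full_dn(text):
    """True when text is shaped like an LDAP DN, not a bare name such as 'example.com'."""
    return bool(DN_RE.match(text or ""))

def non_dn_values(policy_xml):
    """Return (type, value) pairs whose Value text is not a full DN."""
    root = ET.fromstring(policy_xml)
    return [(el.get("type"), v.text)
            for el in root.iter() if el.tag in ("Subject", "Referral")
            and el.get("type") in DN_VALUE_TYPES
            for v in el.iter("Value") if not is_full_dn(v.text)]

def uncovered_resources(referral_xml, normal_xml):
    """Sub realm resources not under any resource prefix the referral policy hands down."""
    prefixes = [r.get("name").rstrip("*")
                for r in ET.fromstring(referral_xml).iter("ResourceName")]
    return [r.get("name") for r in ET.fromstring(normal_xml).iter("ResourceName")
            if not any(r.get("name").startswith(p) for p in prefixes)]

# Constructed samples: a referral at o=isp and a normal policy meant for o=example.com.
REFERRAL_XML = """<Policy name="refer-www" referralPolicy="true" active="true">
  <Rule name="www"><ResourceName name="http://www.example.com"/></Rule>
  <Referrals name="to-example.com"><Referral type="SubRealmReferral" name="example.com">
    <AttributeValuePair><Attribute name="Values"/><Value>example.com</Value></AttributeValuePair>
  </Referral></Referrals></Policy>"""
NORMAL_XML = """<Policy name="www-access" referralPolicy="false" active="true">
  <Rule name="www"><ResourceName name="http://www.example.com/*"/></Rule>
  <Rule name="mail"><ResourceName name="http://mail.example.com/*"/></Rule>
  <Subjects name="staff"><Subject type="LDAPGroups" name="staff" includeType="inclusive">
    <AttributeValuePair><Attribute name="Values"/>
      <Value>cn=staff,ou=Groups,o=example.com,o=isp</Value></AttributeValuePair>
  </Subject></Subjects></Policy>"""

if __name__ == "__main__":
    print(non_dn_values(REFERRAL_XML))                    # [('SubRealmReferral', 'example.com')]
    print(uncovered_resources(REFERRAL_XML, NORMAL_XML))  # ['http://mail.example.com/*']
```

The referral sample is deliberately written with the bare realm name the console procedure uses, so the checker flags it; in the amadmin XML that Value must be the realm's DN (here o=example.com,o=isp), and the mail resource needs its own referral policy at o=isp before a policy for it at example.com takes part in evaluation.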