Sun Java System Access Manager 7.1 Administration Guide

Policy Types

There are two types of policies that can be configured using Access Manager:

Normal Policy

In Access Manager, a policy that defines access permissions is referred to as a normal policy. A normal policy consists of rules, subjects, conditions, and response providers.

Rules

A rule contains a service type, one or more actions, and a value. It is the rule that essentially defines the policy.


Note –

It is acceptable to define an action without resources for some services.


Subjects

A subject defines the user or collection of users (for instance, a group or those who possess a specific role) that the policy affects. The general rule for subjects is that the policy would apply only if the user is a member of at least one subject in the policy. The default subjects are:

Access Manager Identity Subject

This subject implies that the identities you create and manage under the Realms Subject tab can be added as a member of the subject.

Authenticated Users

This subject type implies that any user with a valid SSOToken is a member of this subject.

All authenticated users are members of this subject, even if they have authenticated to a realm that is different from the organization in which the policy is defined. This is useful if the resource owner would like to give access to resources that are managed for users from other organizations. If you want to restrict access to the protected resources to members of a specific organization, use the Organization subject.

Web Services Clients

This subject type implies that a web service client (WSC) identified by the SSOToken is a member of this subject if the DN of any principal contained in the SSOToken matches any selected value of this subject. Valid values are the DNs of trusted certificates in the local JKS keystore, which correspond to the certificates of trusted WSCs. This subject depends on the Liberty Web Services Framework and should be used only by Liberty Service Providers to authorize WSCs.

Make sure that you have created the keystore before you add this Subject to a policy. Information on setting up the keystore can be found in the following location:

AccessManager-base/SUNWam/samples/saml/xmlsig/keytool.html

The following additional subjects are available by selecting them in the Policy Configuration Service of the realm:

Access Manager Roles

This subject type implies that any member of an Access Manager role is a member of this subject. An Access Manager role is created using Access Manager running in legacy mode and using the 6.3-based console. These roles have object classes mandated by Access Manager. Access Manager roles can only be accessed through the hosting Access Manager Policy Service.

LDAP Groups

This subject type implies that any member of an LDAP group is a member of this subject.

LDAP Roles

This subject type implies that any member of an LDAP role is a member of this subject. An LDAP Role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

LDAP Users

This subject type implies that any LDAP user is a member of this subject.

Organization

This subject type implies that any member of a realm is a member of this subject.

Access Manager Roles Versus LDAP Roles

An Access Manager role is created using Access Manager. These roles have object classes mandated by Access Manager. An LDAP role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by the Directory Server role definition. All Access Manager roles can be used as Directory Server roles; however, not all Directory Server roles are Access Manager roles. LDAP roles can be leveraged from an existing directory by configuring the Policy Configuration Service. Access Manager roles can only be accessed through the hosting Access Manager Policy Service. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

Nested Roles

Nested roles can be evaluated correctly as LDAP Roles in the subject of a policy definition.

Conditions

A condition allows you to define constraints on the policy. For example, if you are defining policy for a paycheck application, you can define a condition on this action limiting access to the application only during specific hours. Or, you may wish to define a condition that only grants this action if the request originates from a given set of IP addresses or from a company intranet.

The condition might additionally be used to configure different policies on different URIs on the same domain. For example, http://org.example.com/hr/*.jsp can only be accessed by org.example.net from 9 a.m. to 5 p.m. This can be achieved by using an IP Condition along with a Time Condition. If the rule resource is specified as http://org.example.com/hr/*.jsp, the policy applies to all the JSPs under http://org.example.com/hr, including those in subdirectories.


Note –

The terms referral, rule, resource, subject, condition, action and value correspond to the elements Referral, Rule, ResourceName, Subject, Condition, Attribute and Value in the policy.dtd.


The default conditions you can add are:

Active Session Time

Sets the condition based on user session data. The fields you can modify are:

Max Session Time

Specifies the maximum duration to which the policy is applicable starting from when the session was initiated.

Terminate Session

If selected, the user session will be terminated if the session time exceeds the maximum allowed as defined in the Max Session Time field.

Authentication Chain

The policy applies if the user has successfully authenticated to the authentication chain in the specified realm. If the realm is not specified, authentication to any realm at the authentication chain will satisfy the condition.

Authentication Level (greater than or equal to)

The policy applies if the user’s authentication level is greater than or equal to the Authentication level set in the condition. This attribute indicates the level of trust for authentication within the specified realm.

Authentication Level (less than or equal to)

The policy applies if the user’s authentication level is less than or equal to the Authentication level set in the condition. This attribute indicates the level of trust for authentication within the specified realm.

Authentication Module Instance

The policy applies if the user has successfully authenticated to the authentication module in the specified realm. If the realm is not specified, authentication to any realm at the authentication module will satisfy the condition.

Current Session Properties

Decides whether a policy is applicable to the request based on values of properties set in the user's Access Manager session. During policy evaluation, the condition returns true only if the user's session has every property value defined in the condition. For properties defined with multiple values in the condition, it is sufficient if the token has at least one value listed for the property in the condition.
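The matching rule for the Current Session Properties condition, written out as an added Python model (not product code): every property named in the condition must be present in the session, and for a multi-valued property it is enough that one of the condition's values appears among the session's values. The property names and values below are constructed for the example.

```python
def session_properties_satisfied(required, session):
    """Current Session Properties condition, modelled as described above.

    required: property name -> values listed in the condition (str or iterable).
    session:  property name -> values present in the user's session.
    Returns True only if every required property is present in the session and,
    for each one, at least one of the condition's values matches."""
    def as_set(value):
        return {value} if isinstance(value, str) else set(value)

    for name, wanted in required.items():
        present = session.get(name)
        if not present:
            return False            # property absent from the session
        if not as_set(wanted) & as_set(present):
            return False            # none of the listed values is present
    return True


# Constructed condition: browser clients belonging to either of two departments.
CONDITION = {"clientType": "genericHTML", "department": ["hr", "finance"]}


def check(session):
    return session_properties_satisfied(CONDITION, session)
```

`check({"clientType": "genericHTML", "department": "finance"})` is satisfied because one of the two listed departments matches; a session that lacks `department` entirely, or carries a department not listed in the condition, is not.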

IP Address/DNS Name

Sets the condition based on a range of IP Addresses. The fields you can define are:

IP Address From/To

Specifies the range of the IP address.

DNS Name

Specifies the DNS name. This field can be a fully qualified hostname or a string in one of the following formats:

domainname

*.domainname

LDAP Filter Condition

The policy is applicable when the defined LDAP filter locates the user entry in the LDAP directory that was specified in the Policy Configuration service. This is only applicable within the realm the policy is defined.

Realm Authentication

The policy applies if the user has authenticated to the specified realm.

Time (day, date, time, and timezone)

Sets the condition based on time constraints. The fields are:

Date From/To

Specifies the range of the date.

Time

Specifies the range of time within a day.

Day

Specifies a range of days.

Timezone

Specifies a timezone, either standard or custom. Custom timezones can only be a timezone ID recognized by Java (for example, PST). If no value is specified, the default value is the Timezone set in the Access Manager JVM.

Response Providers

Response providers are plug-ins that provide policy-based response attributes. The response provider attributes are sent with policy decisions to the PEP. Access Manager includes one implementation, the IDResponseProvider. Custom response providers are not supported in this version of Access Manager. Agents (PEPs) typically pass these response attributes as headers to applications, which typically use them to personalize application pages such as a portal page.

Policy Advices

If a policy is not applicable as determined by the condition, the condition can produce advice messages that indicate why the policy was not applicable to the request. These advice messages are propagated in the policy decision to the Policy Enforcement Point. The Policy Enforcement Point can retrieve this advice and try to take the appropriate action, such as redirecting the user back to the authentication mechanism to authenticate to a higher level. The user may then be prompted for higher-level authentication and may be able to access the resource if the policy becomes applicable after the proper action for the advice is taken.

More information can be found in the following class:

com.sun.identity.policy.ConditionDecision.getAdvices()

Only AuthLevelCondition and AuthSchemeCondition provide advices if the condition is not satisfied.

AuthLevelCondition advice is associated with the following key:

com.sun.identity.policy.plugin.AuthLevelCondition.AUTH_LEVEL_CONDITION_ADVICE

AuthSchemeCondition advice is associated with the following key:

com.sun.identity.policy.plugin.AuthLevelCondition.AUTH_SCHEME_CONDITION_ADVICE

Custom conditions can also produce advices. However, the Access Manager Policy Agents respond only for Auth Level Advice and Auth Scheme Advice. Custom agents could be written to understand and respond to more advices and existing Access Manager agents can be extended to understand and respond to more advices. For more information, see the Sun Java System Access Manager Policy Agent 2.2 User’s Guide.
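The evaluation described under Subjects, Conditions and Policy Advices, as an added Python model that is not Access Manager code or an Access Manager API: a request must match the rule's resource pattern and action, the user must belong to at least one subject, and every condition must hold; an unmet Authentication Level condition reports the required level as advice, which the PEP turns into a redirect for step-up authentication. The `Request`, `Policy` and `Decision` types, the `ldap_group` subject, the HR policy, the user `alice`, the IP ranges and the string used for the advice key (a placeholder for the value of the `AUTH_LEVEL_CONDITION_ADVICE` constant) are all constructed for this example; so is the choice that the PEP denies a request for which no policy is applicable and no advice is available.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from datetime import time

# Placeholder (assumed) for the value of the Java constant
# com.sun.identity.policy.plugin.AuthLevelCondition.AUTH_LEVEL_CONDITION_ADVICE
AUTH_LEVEL_ADVICE_KEY = "AUTH_LEVEL_CONDITION_ADVICE"

@dataclass
class Request:              # constructed view of one request at the evaluator
    resource: str
    action: str
    user: dict              # user attributes, e.g. name and group memberships
    client_ip: str
    now: time               # local time of the request
    auth_level: int         # level reached by the user's authentication

@dataclass
class Rule:
    resource: str           # pattern; '*' matches any run of characters, '/' included
    actions: dict           # action name -> True (allow) or False (deny)

@dataclass
class Policy:
    rule: Rule
    subjects: list          # predicates user -> bool
    conditions: list = field(default_factory=list)

@dataclass
class Decision:
    applicable: bool
    allowed: bool = False
    advices: dict = field(default_factory=dict)

class IPCondition:          # IP Address/DNS Name: client IP within [low, high]
    def __init__(self, low, high):
        self.low, self.high = ipaddress.ip_address(low), ipaddress.ip_address(high)
    def evaluate(self, req):
        ok = self.low <= ipaddress.ip_address(req.client_ip) <= self.high
        return ok, {}       # produces no advice when unsatisfied

class TimeCondition:        # Time: request time within [start, end]
    def __init__(self, start, end):
        self.start, self.end = start, end
    def evaluate(self, req):
        return self.start <= req.now <= self.end, {}

class AuthLevelCondition:   # Authentication Level (greater than or equal to)
    def __init__(self, min_level):
        self.min_level = min_level
    def evaluate(self, req):
        if req.auth_level >= self.min_level:
            return True, {}
        # Unsatisfied: advise the PEP which level would make the policy apply.
        return False, {AUTH_LEVEL_ADVICE_KEY: [str(self.min_level)]}

def evaluate(policy, req):
    """Rule, at least one subject, and all conditions must match; otherwise the
    policy is not applicable and any advices from unmet conditions are returned."""
    if not fnmatch.fnmatchcase(req.resource, policy.rule.resource) \
            or req.action not in policy.rule.actions:
        return Decision(applicable=False)
    if not any(is_member(req.user) for is_member in policy.subjects):
        return Decision(applicable=False)
    all_ok, advices = True, {}
    for cond in policy.conditions:
        satisfied, adv = cond.evaluate(req)
        all_ok = all_ok and satisfied
        advices.update(adv)
    if not all_ok:
        return Decision(applicable=False, advices=advices)
    return Decision(applicable=True, allowed=policy.rule.actions[req.action])

def pep_action(decision):
    """Agent (PEP) side: honour allow/deny, or redirect for step-up authentication
    when an auth-level advice explains why no policy applied."""
    if decision.applicable:
        return "allow" if decision.allowed else "deny"
    levels = decision.advices.get(AUTH_LEVEL_ADVICE_KEY)
    if levels:
        return "redirect-to-auth-level:" + levels[0]
    return "deny"           # no applicable policy and no advice to act on

def ldap_group(name):       # LDAP Groups subject
    return lambda user: name in user.get("groups", ())

# Constructed sample: HR JSPs, intranet addresses only, 9 a.m. to 5 p.m., level >= 2.
HR_POLICY = Policy(
    rule=Rule("http://org.example.com/hr/*.jsp", {"GET": True, "POST": True}),
    subjects=[ldap_group("hr-staff")],
    conditions=[IPCondition("10.0.0.0", "10.0.255.255"),
                TimeCondition(time(9, 0), time(17, 0)),
                AuthLevelCondition(2)])
ALICE = {"name": "alice", "groups": ["hr-staff"]}

def decide(resource, action="GET", user=ALICE, ip="10.0.3.7", hour=10, level=2):
    req = Request(resource, action, user, ip, time(hour, 0), level)
    return pep_action(evaluate(HR_POLICY, req))
```

`decide("http://org.example.com/hr/payroll/view.jsp")` returns `allow` (the `*.jsp` pattern reaches into the `payroll` subdirectory); the same request from `203.0.113.9` or at 18:00 returns `deny` with no advice, while a level 1 session from the intranet returns `redirect-to-auth-level:2`, because only the Authentication Level condition explains itself. An unmet IP or Time condition yields no advice, so the PEP has nothing to redirect to.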

Referral Policy

An administrator may need to delegate one realm's policy definitions and decisions to another realm. (Alternatively, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of one or more rules and one or more referrals.

The Policy Configuration service contains a global attribute called Organization Alias Referrals. This attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the realm/DNS Alias of the realm. By default, this attribute is defined as No.

Rules

A rule defines the resource whose policy definition and evaluation is being referred.

Referrals

The referral defines the organization to which the policy evaluation is being referred. By default, there are two types of referrals: peer realm and sub realm. They delegate to a realm on the same level and a realm on a sub level, respectively. See Creating Policies for Peer Realms and Sub Realms for more information.


Note –

The realm that is referred to can define or evaluate policies only for those resources (or sub-resources) that have been referred to it. This restriction, however, does not apply to the top-level realm.