Conditions

A condition allows you to define constraints on the policy. For example, if you are defining policy for a paycheck application, you can define a condition on this action limiting access to the application only during specific hours. Or, you may wish to define a condition that only grants this action if the request originates from a given set of IP addresses or from a company intranet.

The condition might additionally be used to configure different policies on different URIs on the same domain. For example, http://org.example.com/hr/*jsp can only be accessed by org.example.net from 9 a.m. to 5 p.m. This can be achieved by using an IP Condition along with a Time Condition. And specifying the rule resource as http://org.example.com/hr/*.jsp , the policy would apply to all the JSPs under http://org.example.com/hr including those in the sub directories.

The terms referral, rule, resource, subject, condition, action and value correspond to the elements Referral, Rule, ResourceName, Subject, Condition, Attribute and Value in the policy.dtd.

The default conditions you can add are:

Active Session Time

Sets the condition based on user session data. The fields you can modify are:

Max Session Time

Specifies the maximum duration to which the policy is applicable starting from when the session was initiated.

Terminate Session

If selected, the user session will be terminated if the session time exceeds the maximum allowed as defined in the Max Session Time field.

Authentication Chain

The policy applies if the user has successfully authenticated to the authentication chain in the specified realm. If the realm is not specified, authentication to any realm at the authentication chain will satisfy the condition.

Authentication Level (greater than or equal to)

The policy applies if the user’s authentication level is greater than or equal to the Authentication level set in the condition. This attribute indicates the level of trust for authentication within the specified realm.

Authentication Level (less than or equal to)

The policy applies if the user’s authentication level is less than or equal to the Authentication level set in the condition. This attribute indicates the level of trust for authentication within the specified realm.

Authentication Module Instance

The policy applies if the user has successfully authenticated to the authentication module in the specified realm. If the realm is not specified, authentication to any realm at the authentication module will satisfy the condition.

Current Session Properties

Decides whether a policy is applicable to the request based on values of properties set in the user's Access Manager session. During policy evaluation, the condition returns true only if the user's session has every property value defined in the condition. For properties defined with multiple values in the condition, it is sufficient if the token has at least one value listed for the property in the condition.

IP Address/DNS Name

Sets the condition based on a range of IP Addresses. The fields you can define are:

IP Address From/To

Specifies the range of the IP address.

DNS Name

Specifies the DNS name. This field can be a fully qualified hostname or a string in one of the following formats:

domainname

*.domainname

LDAP Filter Condition

The policy is applicable when the defined LDAP filter locates the user entry in the LDAP directory that was specified in the Policy Configuration service. This is only applicable within the realm the policy is defined.

Realm Authentication

The policy applies if the user has authenticated to the specified realm.

Time (day, date, time, and timezone)

Sets the condition based on time constraints. The fields are:

Date From/To

Specifies the range of the date.

Time

Specifies the range of time within a day.

Day

Specifies a range of days.

Timezone

Specifies a timezone, either standard or custom. Custom timezones can only be a timezone ID recognized by Java (for example, PST). If no value is specified, the default value is the Timezone set in the Access Manager JVM.