You can load into Access Manager a service that already contains policy schema. Access Manager provides a sample XML file for a new service that contains policy schema. You can modify AccessManager-base/SUNWam/samples/policy/SampleWebService.xml to fit your needs, and then add your service to Access Manager.
The Policy element contains AttributeSchema elements to define applicable actions and values for actions. While defining policies, you can define access rules for those actions.
Examples include canForwardEmailAddress and canChangeSalaryInformation. The actions specified by these attributes can be associated with a resource if the IsResourceNameAllowed element is specified in the attribute definition. For example, in the web agent XML service file, amWebAgent.xml, GET and POST are defined as policy attributes with an associated URL resource because IsResourceNameAllowed is specified.
SampleWebService.xml:
<!DOCTYPE ServicesConfiguration PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN" "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="SampleWebService" version="5.0">
    <Schema serviceHierarchy="/DSAMEConfig/SampleWebService" i18nFileName="SampleWebService" i18nKey="SampleWebService">
      <Global>
        <AttributeSchema name="serviceObjectClasses" type="list" syntax="string" i18nKey="SampleWebService"/>
      </Global>
      <Policy>
        <AttributeSchema name="GET" type="single" syntax="boolean" uitype="radio" i18nKey="get">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema name="POST" type="single" syntax="boolean" uitype="radio" i18nKey="post">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema name="PUT" type="single" syntax="boolean" uitype="radio" i18nKey="put">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema name="DELETE" type="single" syntax="boolean" uitype="radio" i18nKey="delete">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
Run the amadmin command to load the policy-enabled service.
AccessManager-base/bin/amadmin --runasdn "uid=amAdmin,ou=People,default_org,root_suffix" --password password --schema AccessManager-base/samples/policy/SampleWebService.xml
Copy the properties file to the locale directory of the Access Manager installation.
cp SampleWebService.properties AccessManager-base/locale
In summary, adding a policy-enabled service takes three steps:
1. Create a service XML file that conforms to AccessManager-base/dtd/sms.dtd and contains the <Policy> element (SampleWebService.xml, shown above, is an example).
2. Create the locale properties file and copy it to AccessManager-base/locale.
3. Use amadmin to load the service into Access Manager.
Once the new service is added, you can define rules for the new service in policy definitions.
The web agent service file, amWebAgent.xml, is installed at:
/etc/opt/SUNWam/config/xml/amWebAgent.xml (Solaris)
/etc/opt/sun/identity/config/xml/amWebAgent.xml (Linux and HP-UX)
AccessManager-base\AccessManager\identity\config\xml\amWebAgent.xml (Windows)
<!DOCTYPE ServicesConfiguration PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN" "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="iPlanetAMWebAgentService" version="1.0">
    <Schema i18nFileName="amWebAgent" i18nKey="iplanet-am-web-agent-service-description">
      <Global>
        <AttributeSchema name="serviceObjectClasses" type="list" syntax="string" i18nKey="">
          <DefaultValues>
            <Value>iplanet-am-web-agent-service</Value>
          </DefaultValues>
        </AttributeSchema>
      </Global>
      <Policy>
        <AttributeSchema name="GET" type="single" syntax="boolean" uitype="radio" i18nKey="GET">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema name="POST" type="single" syntax="boolean" uitype="radio" i18nKey="POST">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
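Before loading a service file like SampleWebService.xml or amWebAgent.xml with amadmin, it is worth checking that every Policy action is actually resource-scoped and boolean, that the actions the web agent enforces are all defined, and that every i18nKey resolves in the locale properties file. The following pre-flight script is an added example and is not code shipped with Access Manager or its samples; it relies only on the element names shown on this page. The function names, the trimmed service XML and the properties text it embeds are constructed for the demonstration (the sample deliberately omits POST, drops IsResourceNameAllowed from PUT and leaves the "put" key out of the properties file), and the properties parser assumes plain key=value lines.

```python
"""Pre-flight checks for an Access Manager policy-enabled service XML file.

Added example, not code shipped with Access Manager. The sample XML and
properties text below are constructed for the demonstration.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_SERVICE_XML = """<!DOCTYPE ServicesConfiguration PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN" "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="SampleWebService" version="5.0">
    <Schema serviceHierarchy="/DSAMEConfig/SampleWebService"
            i18nFileName="SampleWebService" i18nKey="SampleWebService">
      <Policy>
        <AttributeSchema name="GET" type="single" syntax="boolean"
                         uitype="radio" i18nKey="get">
          <IsResourceNameAllowed/>
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema name="PUT" type="single" syntax="boolean"
                         uitype="radio" i18nKey="put">
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
"""

SAMPLE_PROPERTIES = """# constructed SampleWebService.properties ("put" is missing)
SampleWebService=Sample Web Service
get=GET
allow=Allow
deny=Deny
"""


def parse_properties(text):
    """Parse a Java-style .properties file: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_service(xml_text, properties_text, required_actions=("GET", "POST")):
    """Return sorted (code, subject) findings; an empty list means ready to load."""
    root = ET.fromstring(xml_text)  # expat ignores the external DTD reference
    props = parse_properties(properties_text)
    findings = set()

    policy = root.find("./Service/Schema/Policy")
    if policy is None:
        # amadmin loads it, but no policy rule can ever reference the service
        return [("missing-policy", "Policy")]
    actions = {a.get("name"): a for a in policy.findall("AttributeSchema")}

    # an action the agent enforces but the schema omits falls outside any
    # rule an administrator can write for this service
    for name in required_actions:
        if name not in actions:
            findings.add(("missing-action", name))

    for name, attr in actions.items():
        # without IsResourceNameAllowed the action cannot be tied to a URL
        if attr.find("IsResourceNameAllowed") is None:
            findings.add(("not-resource-scoped", name))
        # allow/deny actions are boolean with explicit true/false values
        if attr.get("syntax") != "boolean" or attr.find("BooleanValues") is None:
            findings.add(("not-boolean", name))

    # every non-empty i18nKey must resolve in the locale properties file,
    # otherwise the console shows the raw key (an empty key is skipped)
    for el in root.iter():
        key = el.get("i18nKey")
        if key and key not in props:
            findings.add(("missing-i18n", key))
    return sorted(findings)


if __name__ == "__main__":
    # usage: check_service.py Service.xml Service.properties (else built-in sample)
    if len(sys.argv) == 3:
        xml_text = open(sys.argv[1], encoding="utf-8").read()
        props_text = open(sys.argv[2], encoding="latin-1").read()
    else:
        xml_text, props_text = SAMPLE_SERVICE_XML, SAMPLE_PROPERTIES
    for code, subject in check_service(xml_text, props_text):
        print(f"{code}: {subject}")
```

Run against the built-in sample it reports the missing POST action, the non-resource-scoped PUT and the unresolved "put" key; run against a real pair of files (the service XML and the properties file you are about to copy to AccessManager-base/locale) an empty result is the signal that amadmin --schema can be run.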