iPlanet Portal Server Administration Guide



Chapter 5   Configuring Policy




Overview

Identification (Who are you?) and Authentication (How do I know you are who you say you are?) are two of the three components in the iPlanet Portal Server computing environment.

The third component, Policy (What rights do you have? Do you belong here?), is described in this chapter. Access to approved system resources on the iPlanet Portal Server is controlled by looking up the value of privileges that delineate specific rights and permissions, based on the profile attached to the user's domain, role, or user name.

A subset of privilege values defines the policy attached to the profile for domains, roles, and users. The policy is implemented by interpreting the privilege values.

Privileges are of two types: boolean and list. Boolean privileges have a value of either true or false. List privileges have an Allow list and a Deny list. A Deny list has precedence over an Allow list. The wildcard character "*" in an Allow or Deny list has the meaning of all.

For example, a User URL Access privilege of "*" in the Allow list and "http://company1.com" in the Deny list enables access to all URLs that do not contain company1.com in the host portion of the URL.

You configure these values in the Policy page of the Administration Console, which lists Policies of iPlanet Portal Server.



Configuring Policy



This section describes how to configure policy at the domain, role, and user level.

When configuring policy at the domain level, all roles and users that are children of the domain inherit the policy unless explicitly overridden. When configuring policy at the role level, all subroles, and users of the role and subroles, inherit the policy unless explicitly overridden. Configuring policy at the user level applies only to that specific user.


To Configure Policy at the Domain, Role, and User Levels

  1. From the Admin Console, click the Manage Domains link.

  2. Click the Domain, or Domain > Roles, or Domain > Roles > Users link, depending on the level of the role tree for which the policy is to be configured.

  3. Click the Policy link under Profiles.

  4. Modify the appropriate policy.

    In general, privileges are allowed or denied by clicking a checkbox, or by typing entries in the Allow and Deny lists.

    See "Policy Details" for a description of the attributes for each policy.

  5. Click the Submit button at the bottom of this page.

    The profile update message is displayed.

  6. Click the Continue button to return to the previous page.



Policy Details

The policies that can be configured include:

  • Applications

  • Desktop

  • Logging

  • NetFile

  • Netlet

  • Platform

  • Session

  • S/Key Generation

  • User

  • Miscellaneous


Using Lists and Checkboxes

The Policy screen uses two methods to set privileges:

  • Checkboxes - A privilege is enabled when the checkbox is selected, and disabled when unselected.

  • Lists - Allow and Deny lists provide a means to grant or deny access to resources. A Deny list has precedence over an Allow list. The wildcard character "*" in an Allow or Deny list has the meaning of all.


Applications Policy

Every iPlanet Portal Server application has a "can this user execute" privilege defined in its profile. When a user starts an application, the application makes a call to the Policy API to verify if this user can execute the application. The following applications have this execute privilege; use the appropriate checkboxes to allow or deny access to these applications:

  • NetMail

  • NetFile

  • Desktop

  • Netlet

Each application has application-specific attributes. See Desktop Policy, NetFile Policy, and Netlet Policy for more information.

Privileges on these applications are enforced by the applications themselves (not the iPlanet Portal Server gateway).


Desktop Policy

For each channel that the user has available, use the appropriate checkboxes to allow or deny these capabilities:

  • Minimizable: The user can minimize the window in which the channel is running.

  • Detachable: The user can detach the window in which the application is running.

  • Help: Help for the application is or is not available to the user.

  • Editable: If the channel is editable, the value of this attribute will allow or deny the user's ability to edit this channel.

  • Removable: The user can or cannot remove the application from the desktop.

  • Border: The user can or cannot change the border around the application window.


Logging Policy

Use the checkbox to allow or deny Domain Administrators the capability to view log files in their domains. If set to false (unchecked), the Domain Administrator cannot view any logs in the system. If set to true (checked), the Domain Administrator can view only the log records in that domain.

Only Super Administrators can delete logs and log records.

In general, configure this policy only at the Admin role level to ensure proper security of the iPlanet Portal Server environment.


NetFile Policy

Use the appropriate checkboxes to allow or deny privilege to perform the following operations from the NetFile application:

  • Delete Files on Remote Systems

  • Change User ID

  • Change Machine Domain

Use the Allow and Deny lists to enter host names to which the NetFile application allows and denies access.


Netlet Policy

The Netlet policy defines three levels of policy checking for users:

  • DNS domain level - Configurable only by the Super Administrator. This privilege ensures that the Netlet target host is within the DNS domain of the user. For example, if the Allow list contains "*.sun.com" then only Netlet targets in the sun.com DNS domain can be executed by the user.

  • Netlet target host - Enables Super Administrators and Domain Administrators to restrict access to certain hosts. For example, an administrator can set up the Allow list with five hosts that the user is allowed to telnet to, or use only the Deny list and restrict access to a few confidential servers.

  • Netlet rule name - Each netlet rule is defined by a name. Administrators can allow or deny users based on the Netlet rule names.

Use the appropriate checkboxes to allow or deny privilege to domains, hosts, and rules.

See Chapter 7 "Configuring The Netlet" for more information.


Platform Policy

Use the Allow and Deny lists to enter servers which can or cannot be restarted.

By default, the Allow list is empty, which means this privilege is not enabled. Enter servers that you want to be able to restart, or "*" to enable restart of all servers.

There is no platform privilege to allow or deny restarting of iPlanet Portal Server gateway servers. Only Super Administrators can restart a gateway server.

In general, configure this policy only at the Admin role level to ensure proper security of the iPlanet Portal Server environment. Do not change the restart servers permission at the domain level, as this would enable all roles and users in that domain to restart the iPlanet Portal servers.


Session Policy

Use the checkbox to allow or deny applications using the Session API to create session listeners to all session platform notifications. In general, configure this policy only at the Admin role level to ensure proper security of the iPlanet Portal Server environment.

Super Administrators and Domain Administrators can view iPlanet Portal Server sessions through the Manage Sessions page in the Administration Console. Administrators can also delete a user session from this page.


Get Valid Sessions Privilege
This privilege allows or denies Super Administrators or Domain Administrators the capability to view user sessions. The administrator is able to view all users' sessions whose domains are listed in the Allow list, and is denied viewing users' sessions whose domains are listed in the Deny list.


Delete Sessions Privilege
The ability to delete sessions is defined by these lists. Only sessions from the domains in the Allow list and not in the Deny list can be deleted by the administrator in this role.


S/Key Generation Policy

Use this checkbox to allow or deny privilege for those in the role to generate S/Key pass phrases on behalf of others, including themselves. Great care should be exercised in granting this privilege since a user with this privilege could invalidate another user's pass phrase by creating a new list. Therefore, the granting of this privilege should be limited to Domain Administrators and above.


User Policy

The Access list shows the URLs that can be accessed by a user. The Deny list shows the URLs to which the user is denied access. The Deny list has precedence over the Allow list. The wildcard character "*" in the Allow or Deny list has the meaning of all. The URL entered must be a prefix match starting with either "http://" or "https://".

For example, entering "http://*.company1.com" in the Deny list and "*" in the Allow list enables a user to access all URLs except those in the company1.com domain. Entering "http://myhost.company1.com/privatedoc.html" in the Deny list and "http://*.mycompany.com" in the Allow list enables the user to access all URLs in the mycompany.com domain except the HTML page in the Deny list.

The default for this privilege is to enable access to all URLs.

User policy for URL access is enforced at the iPlanet Portal Server gateway.
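
The list-privilege rules described in this chapter (Deny has precedence over Allow, "*" means all, URL entries are prefix matches, and policy is inherited from domain to role to user unless overridden) can be modelled as follows. This is an added example, not iPlanet Portal Server code; the exact wildcard matching, the `url_access` key name and the profile dictionaries are assumptions made for illustration.

```python
import re

def matches(pattern, value):
    """Assumed semantics: a lone "*" means all; elsewhere "*" matches any
    run of characters except "/", and the entry is a prefix match."""
    if pattern == "*":
        return True
    regex = "[^/]*".join(re.escape(part) for part in pattern.split("*"))
    return re.match(regex, value, re.IGNORECASE) is not None

def list_allows(allow, deny, value):
    """List privilege: Deny has precedence over Allow, and an empty
    Allow list grants nothing."""
    if any(matches(p, value) for p in deny):
        return False
    return any(matches(p, value) for p in allow)

def effective(levels, name, default):
    """levels runs domain, role(s), user. A level that sets the privilege
    explicitly overrides the inherited value."""
    value = default
    for profile in levels:
        value = profile.get(name, value)
    return value

# Constructed profiles; "url_access" is a hypothetical key name.
DEFAULT_URL_ACCESS = {"allow": ["*"], "deny": []}   # default: all URLs
DOMAIN = {"url_access": {"allow": ["*"], "deny": ["http://*.company1.com"]}}
ROLE = {}                                           # inherits from DOMAIN
USER = {"url_access": {"allow": ["http://*.mycompany.com"],
                       "deny": ["http://myhost.company1.com/privatedoc.html"]}}

def url_allowed(levels, url):
    """Resolve the inherited lists, then apply Deny-over-Allow to the URL."""
    lists = effective(levels, "url_access", DEFAULT_URL_ACCESS)
    return list_allows(lists["allow"], lists["deny"], url)

if __name__ == "__main__":
    for url in ("http://www.company1.com/", "https://www.example.org/"):
        print(url, url_allowed([DOMAIN, ROLE], url))
```
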


Miscellaneous

Policy-related privileges for applications developed using the iPlanet Portal Server API are listed here. See the iPlanet Portal Server 3.0 Programmer's Reference Guide for more information.


ADMIN and USER Permissions

Use the check boxes in the ADMIN and USER Permissions section of the Policy page to modify read and write permissions of the policy, that is, to grant or take away the ability to view or change a policy. By default, Admin read and write permissions are both enabled. By default, User read permission is enabled and User write permission is disabled.

The Super Administrator has read and write permissions to all attributes in the platform.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 04, 2000