The Policy Service authorizes access to a user based on policies created and stored in the OpenSSO Enterprise configuration data store. The following sections contain information on the two configurations that can be created using the Policy Service.
For more information, see Chapter 4, Managing Policies, in Sun OpenSSO Enterprise 8.0 Administration Guide.
A policy (referred to as a normal policy in previous releases) specifies a protected resource and who is allowed to access it. The protected resource can be anything hosted on a protected server. Examples of protected resources are applications, document files, images, or the server itself. A normal policy consists of rules, subjects, conditions, and response providers. The following sections contain information on these elements.
A rule defines the policy itself by specifying a resource, one or more sets of an action, and values for each action.
A resource defines the specific object that is being protected. Examples of protected objects are an HTML page on a web site, or a user’s salary information accessed using a human resources service.
An action is the name of an operation that can be performed on the resource. Examples of web page actions are POST and GET. An allowable action for a human resources service might be canChangeHomeTelephone.
A value defines the permission for the action. Examples are allow anddeny.
A subject specifies the user or collection of users that the policy affects. The following list of subjects can be assigned to policies.
The identities you create and manage under the Subjects tab in a configured realm can be added as a value of the subject.
Any user with a valid session (even if they have authenticated to a realm that is different from the realm in which the policy is defined) is a member of this subject. This is useful if the resource owner would like to allow access to users from other organizations. To restrict a resource's access to members of a specific organization, use the Organization subject.
This implies that a web service client (WSC) identified by a session token identifier is a member of this subject — as long as the distinguished name (DN) of any principal contained in the session token identifier matches any selected value of this subject.
The following list of subjects can only be specified after they are selected using the Policy Configuration Service of the appropriate realm.
Any member of a OpenSSO Enterprise role is a member of this subject. A OpenSSO Enterprise role is created using OpenSSO Enterprise running in legacy mode. These roles have object classes mandated by OpenSSO Enterprise and can only be accessed through the hosting OpenSSO Enterprise Policy Service.
This subject can be used when connected to an AMSDK data store.
Any member of an LDAP group can be added as a value of this subject.
Any LDAP role can be added as a value of this subject. An LDAP Role is any role definition that uses the Sun Java System Directory Server role capability. These roles have object classes mandated by Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.
Any LDAP user can be added as a value of this subject.
Any member of a realm is a member of this subject.
A condition specifies additional constraints that must be satisfied for a policy be applicable. For example, you can define a condition to limit a user’s network access to a specific time period. The condition might state that the subject can access the network only between 7:00 in the morning and 10:00 at night. OpenSSO Enterprise allows for the following list of conditions.
Sets a condition based on constraints configured for user session time such as maximum session time.
The policy is applicable if the user has successfully authenticated to the authentication chain in the specified realm. If the realm is not specified, authentication to any realm at the authentication chain will satisfy the condition.
The Authentication Level attribute indicates the level of trust for authentication. The policy is applicable if the user's authentication level is greater than or equal to the Authentication Level set in the condition, or if the user's authentication level is less than or equal to the Authentication Level set in the condition, depending on the configuration.
The policy applies if the user has successfully authenticated to the authentication module in the specified realm. If the realm is not specified, authentication to any realm at the authentication module will satisfy the condition.
Sets a condition based on a range of IP Addresses, or a DNS name.
Decides whether a policy is applicable to the request based on values set in the user's OpenSSO Enterprise session.
The policy is applicable when the defined LDAP filter locates the user entry in the LDAP directory that was specified in the Policy Configuration service.
The policy applies if the user has authenticated to the specified realm.
Sets the condition based on time constraints (time, day, date, time zone).
Response providers are plug-ins that provide policy response attributes. Policy response attributes typically provide values for attributes in the user profile. The attributes are sent with policy decisions to the PEP which, in turn, passes them in headers to an application. The application typically uses these attributes for customizing pages such as a portal page. OpenSSO Enterprise includes one implementation of the com.sun.identity.policy.interfaces.ResponseProvider class, the IDResponseProvider. See Chapter 2, Using the Policy Service API, in Sun OpenSSO Enterprise 8.0 Developer’s Guide for more information.
A user with the Top—level Realm Administrator or Policy Administrator roles can create policy. (A Realm Administrator or Policy Administrator configured for a specific realm have permission to create policies only for resources delegated to that realm.) A referral (referred to as a referral policy in previous releases) enables either administrator to delegate policy configuration tasks. A referral delegates both policy creation and policy evaluation, and consists of one or more rules and one or more referrals.
A rule defines the resource of which policy creation or evaluation is being referred.
A referral defines the identity to which the policy creation or evaluation is being referred.
Referrals delegate policy management privileges to another entity such as a peer realm, a sub realm, or even a third-party product. (You can implement custom referrals by using the Policy API.) For example, assume a top-level realm exists named ISP. It contains two sub realms: company1 and company2. The Top-Level Realm Administrator for ISP can delegate policy management privileges so that a Realm Administrator in company1 can create and manage policies only within thecompany1 realm, and a Realm Administrator in company2 can create and manage policies only within the company2 realm. To do this, the Top-Level Realm Administrator creates two referrales, defining the appropriate realm in the rule and the appropriate administrator in the referral. See Chapter 4, Managing Policies, in Sun OpenSSO Enterprise 8.0 Administration Guide for more information.