Sun ONE Identity Server Administration Guide |
Chapter 6 Policy Management
This chapter describes the policy service management features of Sun ONE Identity Server. Policy management provides a way to view, manage and configure all Identity Server policies.
This chapter contains the following sections:
What is a Policy?
Policy Types
Policy Management
Registering Policy Configuration Services
Creating Policies
Modifying Policies
Creating Policies for Peer and Suborganizations
What is a Policy?
Every business has a need to protect its resources. This is done by configuring and managing rules that define who can do what to which resource. The Identity Server Policy Service enables an organization to set up these rules or policies.
A policy defines permissions that let an administrator assign security levels based on an organization's needs and the conditions created within the policy. When a policy applies to an object, it defines which resources within the organization that object is able to access. A single policy can define either binary or non-binary decisions. A binary decision is yes/no, true/false or allow/deny; most policies are of this type. A non-binary decision represents the value of an attribute. For example, a mail service might include a mailboxQuota attribute with a maximum storage value set for each user; the policy service administers this restriction, ensuring that each user's quota is not exceeded. In general, a policy is configured to define what an object can do to which resource and under what conditions.
Identity Server ships with one policy service, the URL Policy Agent, and one sample mail service. For more information on the sample mail service and on writing new policy schema, see the Sun ONE Identity Server Programmer's Guide.
Policy Types
There are two types of policy that can be configured using Identity Server: a normal policy or a referral policy. A normal policy consists of rules, subjects and conditions. A referral policy consists of rules and referrals to organizations.
Normal Policy
In Identity Server, a policy that defines access permissions is referred to as a normal policy. A normal policy consists of rules, subjects and conditions.
A rule consists of a resource, and one or more sets of an action and a value. A resource defines the object that is being protected; an action is the name of an operation that can be performed on the resource and a value defines the permission.
Policies are not assigned to identities. Instead, subjects are assigned to policies. A subject is the identity object to which the policy is assigned and applied.
A condition defines the situations in which a policy is applicable. For example, a 7 am to 10 am condition in a policy means that the policy is applicable only from 7 am to 10 am.
Referral Policy
An administrator might typically need to delegate one organization's policy definitions and decisions to another organization. (Alternately, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of one or more rules and one or more referrals. A rule defines the resource whose policy evaluation is being referred. The referral defines the organization to which the policy evaluation is being referred.
There are two types of referrals bundled with Identity Server: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively. See "Creating Policies for Peer and Suborganizations" for more information.
Policy Management
You can create, delete, and modify policies through the Policy API, through the amadmin command line tool, and through the Identity Server console.
This chapter focuses on creating policies through the console. For more information on amadmin, see The amadmin Command Line Tool. For more information on the Policy API, see the "Policy Service" chapter in the Sun ONE Identity Server Programmer's Guide.
Policies are configured using the Identity Management interface. This interface provides a means for:
The Top-Level Administrator to view, create, delete and modify policies for a specific service that can be used across all organizations.
An organization or suborganization administrator to view, create, delete and modify policies for specific use by the organization. In general, policy is created at the organization (or suborganization) level to be used throughout the organization's tree.
Figure 6-1   Policy View
Registering Policy Configuration Services
Registering a policy configuration service is the same as registering any type of service; it is done within the Identity Management interface. By default, the Policy Configuration service is automatically registered to the top-level organization. Any policy service you create must be registered to all organizations. To register a policy configuration service:
Navigate to the Identity Management interface.
Choose the organization for which you would like to create policy.
If logged in as the Top-Level Administrator, make sure that the location of the Identity Management module is the top-level organization where all configured organizations are visible. The default top-level organization is defined during installation.
Choose Services from the View menu.
Click Register in the navigation pane.
From the Register Services window, opened in the Data pane, choose Policy Configuration and click register.
Configure the policy service by clicking the Properties arrow. If the policy template has not yet been configured, you will need to create a service template for the newly registered policy service.
To configure the policy service, click Create. Modify the Policy Configuration attributes. See "Policy Configuration Attributes" for a description of these attributes. Click Save.
The policy configuration service is now registered to the chosen organization.
Creating Policies
Policies are created through the Identity Management interface. To create a policy:
Navigate to the Identity Management interface.
Choose the organization for which you would like to create a policy.
Choose Policies from the View menu.
By default, the Organizations view is visible in the View menu. All suborganizations configured, if any, will be visible below it. If creating policies for a suborganization, choose the suborganization and then choose Policies from the View menu.
Click New in the navigation pane. The New Policy window opens.
Select the type of policy, normal or referral, that you wish to create.
If no referral policy referring to a suborganization exists, you will not be able to create any policies for that suborganization. For more information, see "Creating Policies for Peer and Suborganizations".
It is not necessary to define all of the fields for normal or referral policies at this time. You may create the policy, then add rules, subjects, referrals, and so forth, later. For information on configuring normal and referral policies, see "Modifying Policies".
Type a name for the policy and click Next.
By default, the General view is displayed.
The General view displays the name of the policy and allows you to enter a description of the policy that is to be created.
Click Create to complete the policy's configuration.
Modifying Policies
Once a normal or referral policy is created, you can modify the rules, subjects, conditions and referrals.
From the Identity Management interface, select Policies from the View menu.
Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data pane.
Modify a Normal Policy
Through the Identity Management interface, you can create a policy that defines access permissions. Such a policy is referred to as a normal policy. A normal policy can consist of multiple rules, subjects, and conditions. This section lists and defines the default fields that you can specify when creating a normal policy.
Adding Rules
Rules define the resource, actions and action values of the policy. To add rules to a normal policy:
From the Identity Management interface, select Policies from the View menu.
Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data pane.
To define rules for the policy, select Rules from the View menu and click Add.
If more than one policy service exists, they will be listed in the Navigation pane. Choose the policy service for which you wish to create a policy and click Next. The Add Rule window is displayed.
Define the resource, actions and action values in the Rules fields.
The fields are:
Click Create to save the rule.
Repeat steps 1 - 5 to create additional rules.
All of the rules created for that policy are displayed in the table in the Rules view. Click Save to add the rules to the policy.
Adding Subjects
Subjects define the subject to which the policy will apply. To add subjects to a policy:
To define the subject for the policy, select Subject from the View menu and click Add.
Select one of the default subject identities:
Enter a name for the subject. Click Add.
Perform a search in order to display the identities to add to the subject.
Select the identities that you wish to add for the subject and click Create.
All of the subjects created for that policy are displayed in the table in the Subjects view. Select the subjects that you wish to add to the policy and click Save.
Adding Conditions
Conditions allows you to define constraints on the policy. For example, if you are defining policy for a paycheck application, you can define a condition on this action limiting access to the application only during specific hours. Additionally, you may wish to define a condition that only grants this action if the request originates from a given set of IP addresses or from a company intranet. To add conditions to a normal policy:
To define conditions for the policy, select Conditions from the View menu. Click Add to add a new condition, or click the Edit link to edit an existing condition.
Select one of the following default conditions:
Define the values for a given condition in the Rules fields. The fields are:
Authentication Level
The authentication level value indicates how much to trust authentications.
Authentication Scheme
This field allows you to choose from the pull-down menu the authentication scheme for the condition.
IP Address
This field allows you to specify the range of IP addresses from which the request must originate.
Time
This field allows you to specify the range of time within a day.
This field allows you to specify a timezone, either standard or custom, in which the time range is interpreted.
Once you have defined the condition, click Create.
All of the conditions created for that policy are displayed in the table in the Conditions view. Select the conditions that you wish to add to the policy and click Save.
Modify a Referral Policy
Through the Identity Management interface you can delegate an organization's policy definitions and decisions to another organization. (You can also delegate policy decisions for a resource to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of a rule and the referral itself. If the policy service contains actions that do not require resources, referral policies cannot be created for suborganizations.
Adding Rules
Rules define the resource of the policy. To add rules to a referral policy:
To define rules for the policy, select Rules from the View menu. Click Add to add a new rule, or click the Edit link to edit an existing rule.
Define the resource in the Rules fields. The fields are:
Click Create to save the rule.
Repeat steps 1 - 3 to create additional rules.
All of the rules created for that policy are displayed in the table in the Rules view. Select the rules that you wish to add to the policy and click Save.
Adding Referrals
The referral defines the organization to which the policy evaluation is being referred. By default, there are two types of referrals: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively.
To define referrals for the policy, select Referrals from the View menu. Click Add to add a new referral, or click the Edit link to edit an existing referral.
Define the organization to which the policy evaluation is referred in the Referrals fields. The fields are:
Click Create to save the referral.
Creating Policies for Peer and Suborganizations
In order to create policies for peer or suborganizations, you must first create a referral policy in the parent (or another peer) organization. The referral policy must contain, in its rule definition, the resource prefix that is being managed by the suborganization. Once the referral policy is created in the parent organization (or another peer organization), normal policies can be created at the suborganization (or peer organization).
The Identity Server policy framework does not allow referral policies for actions that have no associated resource name. In other words, if a policy service's actions do not take resource names, policies for that service can only be created under the root organization, not under a suborganization.
In this example, o=isp is the parent organization, o=sun.com is the suborganization and manages resources and sub-resources of http://www.sun.com. To create a policy for this suborganization, follow these steps:
Create a referral policy at o=isp. For information on referral policies, see the procedure "Modify a Referral Policy".
The referral policy must define http://www.sun.com as the resource in the rule, and must contain a SubOrgReferral with sun.com as the value in the referral.
Go to the Organization view and navigate to the suborganization sun.com.
Ensure that the policy configuration service is registered at the suborganization level, sun.com. For information, see "Registering Policy Configuration Services".
Now that the resource is referred to sun.com by isp, normal policies can be created for the resource http://www.sun.com, or for any resource starting with http://www.sun.com.
See the procedure "Modify a Normal Policy" for information on creating normal policies.
To define policies for other resources managed by sun.com, additional referral policies must be created at isp.
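The delegation described in this section, together with the rule, subject and condition model from "Policy Types" and the Time and IP Address conditions from "Adding Conditions", as a small Python model added here for illustration. It is not Identity Server code: the class and function names, the deny-overrides combination of decisions, the sample identity uid=alice and the intranet range 10.0.0.0/8 are all assumptions made for this example.

```python
# Added toy model of Identity Server policy evaluation, not product code; names and deny-overrides are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

Condition = Callable[["Request"], bool]

@dataclass
class Request:
    resource: str    # URL being accessed
    action: str      # operation on the resource, e.g. "GET"
    subject: str     # identity making the request (a user DN in the product)
    client_ip: str
    now: time        # local time of the request

@dataclass
class Rule:
    resource: str              # a trailing "*" matches any suffix
    actions: Dict[str, str]    # action name -> "allow" or "deny"

    def matches(self, resource: str) -> bool:
        pat = self.resource
        return resource.startswith(pat[:-1]) if pat.endswith("*") else resource == pat

@dataclass
class NormalPolicy:
    name: str
    rules: List[Rule]
    subjects: List[str]        # identities the policy is assigned to
    conditions: List[Condition] = field(default_factory=list)

    def decide(self, req: Request) -> Optional[str]:
        """'allow'/'deny' when the policy applies to the request, else None."""
        if req.subject not in self.subjects or not all(c(req) for c in self.conditions):
            return None
        for rule in self.rules:
            if rule.matches(req.resource) and req.action in rule.actions:
                return rule.actions[req.action]
        return None

@dataclass
class ReferralPolicy:
    name: str
    resource_prefixes: List[str]   # resources whose evaluation is delegated
    referral: str                  # organization the evaluation is referred to

class PolicyService:
    def __init__(self, root: str):
        self.root = root
        self.normal: Dict[str, List[NormalPolicy]] = defaultdict(list)
        self.referrals: Dict[str, List[ReferralPolicy]] = defaultdict(list)

    def add_normal(self, org: str, policy: NormalPolicy) -> None:
        # A suborganization may only hold policies for resources that some
        # referral policy has delegated to it; the console enforces the same rule.
        if org != self.root:
            allowed = [p for refs in self.referrals.values() for r in refs
                       if r.referral == org for p in r.resource_prefixes]
            for rule in policy.rules:
                if not any(rule.resource.startswith(p) for p in allowed):
                    raise ValueError(f"{org}: no referral covers {rule.resource}")
        self.normal[org].append(policy)

    def decisions(self, org: str, req: Request) -> List[str]:
        out = [d for d in (p.decide(req) for p in self.normal[org]) if d]
        for ref in self.referrals[org]:          # follow delegations by prefix
            if any(req.resource.startswith(p) for p in ref.resource_prefixes):
                out.extend(self.decisions(ref.referral, req))
        return out

    def is_allowed(self, req: Request) -> bool:
        """Evaluate from the root: deny overrides allow; no decision means deny."""
        found = self.decisions(self.root, req)
        return "deny" not in found and "allow" in found

# Condition factories for the Time and IP Address conditions described above.
def time_between(start: time, end: time) -> Condition:
    return lambda req: start <= req.now <= end

def ip_in(*cidrs: str) -> Condition:
    nets = [ip_network(c) for c in cidrs]
    return lambda req: any(ip_address(req.client_ip) in n for n in nets)

def build_example() -> PolicyService:
    """o=isp refers http://www.sun.com to o=sun.com, which then protects /hr/."""
    svc = PolicyService(root="isp")
    svc.referrals["isp"].append(
        ReferralPolicy("refer-sun", ["http://www.sun.com"], referral="sun.com"))
    svc.add_normal("sun.com", NormalPolicy(
        name="hr-business-hours",
        rules=[Rule("http://www.sun.com/hr/*", {"GET": "allow"})],
        subjects=["uid=alice"],                       # constructed identity
        conditions=[time_between(time(7, 0), time(10, 0)),
                    ip_in("10.0.0.0/8")]))            # constructed intranet range
    return svc

def payroll_request(hour: int = 8, **overrides) -> Request:
    """Constructed sample request; the hour and keyword overrides vary one field at a time."""
    fields = dict(resource="http://www.sun.com/hr/payroll", action="GET",
                  subject="uid=alice", client_ip="10.1.2.3", now=time(hour, 30))
    fields.update(overrides)
    return Request(**fields)
```

build_example() reproduces the o=isp and o=sun.com setup: the referral at isp covers everything under http://www.sun.com, so the normal policy at sun.com can be created for http://www.sun.com/hr/*, while add_normal() refuses a policy for any other resource until a matching referral exists, which is the constraint the console enforces. is_allowed() starts at the root and only follows the referral when the requested resource carries the referred prefix; a request outside 7 am to 10 am, from outside 10.0.0.0/8, for an action the rule does not list, or by a subject the policy is not assigned to gets no decision and is therefore denied.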
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated December 04, 2002