25.7 Defining Authorization Policies for Specific Resources

Each resource assigned to an Application Domain can be protected by only one authorization policy.

In an automatically generated Application Domain, the following authorization policies are seeded as defaults:

  • Protected Resource

  • Public Resource

After adding resource definitions to the Application Domain, Administrators can begin refining a default authorization policy, adding a new policy, and adding resources to authorization policies. This section provides the following topics:

25.7.1 Authorization Policies for Specific Resources

Administrators can create an authorization policy to protect access to one or more resources based on attributes of an authenticated user or the environment. The authorization policy provides the sole authorization protection for resources included in the policy. Authorization policies are local, which means that each policy applies only to the resources specified for the policy. A policy cannot be derived or applied to any other resource.

A single policy can be defined to protect one or more resources in the Application Domain. However, each resource can be protected by only one authorization policy.

Figure 25-15 shows the Authorization Policy page within an Application Domain. The resources assigned to this policy are displayed on the Resources tab of the policy.

Figure 25-15 Sample Individual Authorization Policy Page


Table 25-10 describes authorization policy elements. The elements are the same regardless of the domain; only the details will differ.

Table 25-10 Authorization Policy Elements and Descriptions

| Element | Description |
|---|---|
| Name | A unique name used as an identifier in the navigation tree. |
| Description | Optional unique text that describes this authorization policy. |
| Success URL | The redirect URL to be used upon successful authorization. |
| Failure URL | The redirect URL to be used if authorization fails. |
| Summary | General information (usually Name and optional Description). |
| Resources | One or more previously-defined resource URLs to be protected by this authorization policy. |
| Conditions | See Also "Introduction to Authorization Policy Rules and Conditions". |
| Rules | See Also "Introduction to Authorization Policy Rules and Conditions". |
| Responses | See Also "Introduction to Policy Responses for SSO". |

25.7.2 Creating an Authorization Policy and Specific Resources

Users with valid Administrator credentials can add an authorization policy to an Application Domain.

Prerequisites

Any resource to be added to a policy must be defined within the same Application Domain as the policy.

To create an authorization policy and resources

  1. Locate the desired domain as described in "Searching for an Existing Application Domain".
  2. Click the Authorization Policies tab, then click the Create button to open a fresh page.
  3. Summary Tab: Add your information to the Summary tab (Table 25-10).
  4. Add Resources: The Resource must be defined in the Application Domain before you can add the resource to a specific policy.
    • Click the Resources tab on the Authorization Policy page.

    • Click the Add button on the Resources tab.

    • Click the Search button.

    • Click a URL in the Results table, then click Add Selected.

    • Repeat these steps to add more resources.

  5. Click Apply to save changes and close the Confirmation window.
  6. Responses: Add policy Responses as described in "Adding and Managing Policy Responses for SSO".
  7. Conditions: Add authorization conditions, as described in "Defining Authorization Policy Conditions".
  8. Rules: Add authorization rules, as described in "Defining Authorization Policy Rules".
  9. Close the page when you finish.

25.7.3 Searching for an Authorization Policy

Users with valid Administrator credentials can locate a specific authorization policy.

To search for an authorization policy

  1. Locate the desired domain as described in "Searching for an Existing Application Domain".
  2. Click the Authorization Policies tab and:

25.7.4 Viewing or Editing an Authorization Policy and Resources

Users with valid Administrator credentials can view or modify an authorization policy within an Application Domain.

To view or edit an authorization policy

  1. Locate the desired domain as described in "Searching for an Authorization Policy".
  2. Summary: Edit as needed (Table 25-10).
  3. Resource: Click the Resources tab and add or delete resources as needed:
    • Add: Click the Add button on the Resources table, click a URL in the list, click Apply.

    • Delete: Click a URL in the Resources table, click the Delete button on the table then confirm.

  4. Click Apply to submit changes and close the Confirmation window (or close the page without applying changes).
  5. Conditions: See "Viewing, Editing, or Deleting Authorization Policy Conditions".
  6. Rules: See "Defining Authorization Policy Rules".
  7. Responses: See "Viewing, Editing, or Deleting a Policy Response for SSO".
  8. Close the page when you finish.

25.7.5 Deleting an Entire Authorization Policy

Users with valid Administrator credentials can delete an authorization policy or simply delete resources within the policy.

Note:

During a Delete operation, you are alerted to confirm removal of the policy. Confirmation is required to complete the operation.

When you remove the entire policy, all resource definitions remain within the Application Domain. However, the authorization policy and the conditions and rules governing access are eliminated.

To simply alter an element in the policy, see "Viewing or Editing an Authentication Policy".

Prerequisites

Assign resources governed by this policy to another authorization policy, either before or after deleting the policy.

To delete an authorization policy

  1. Locate the desired domain as described in "Searching for an Authorization Policy".
  2. Optional: Double-click the policy name to review its content, and then close the page when finished.
  3. Delete: Click the policy name, and then click the Delete button in the tool bar.
  4. In the Confirmation window, click Delete (or click Cancel to dismiss the window).
  5. Confirm that the policy is no longer listed in the navigation tree.
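
The following added example (not part of the product documentation and not Access Manager code) audits a policy inventory against the rules stated in 25.7.1, 25.7.2, and 25.7.5: one authorization policy per resource, resources defined in the same Application Domain as the policy, and resources left without a policy once a policy is deleted. The `DOMAIN` dictionary, its field names, and the policy and URL values are constructed for illustration and are not an Access Manager export format.

```python
from collections import defaultdict

# Constructed sample: a simplified in-memory model of one Application Domain.
# Field names and values are assumptions, not an Access Manager export format.
DOMAIN = {
    "name": "HR-Domain",
    "resources": ["/hr/index.html", "/hr/payroll", "/hr/public", "/hr/reports"],
    "authz_policies": {
        "Protected Resource": ["/hr/index.html", "/hr/payroll"],
        "Public Resource": ["/hr/public"],
        "Payroll Admins": ["/hr/payroll", "/finance/ledger"],
    },
}


def audit_domain(domain):
    """Return findings for the invariants the section states."""
    defined = set(domain["resources"])
    owners = defaultdict(list)  # resource URL -> policies that list it
    for policy, urls in domain["authz_policies"].items():
        for url in urls:
            owners[url].append(policy)

    return {
        # Each resource can be protected by only one authorization policy.
        "multiple_policies": {u: sorted(p) for u, p in owners.items() if len(p) > 1},
        # A resource must be defined in the same Application Domain as the policy.
        "undefined_in_domain": sorted(u for u in owners if u not in defined),
        # Defined resources that no authorization policy lists.
        "no_policy": sorted(defined - set(owners)),
    }


def audit_after_delete(domain, policy_name):
    """Preview the audit result if policy_name were deleted.

    Resource definitions stay in the domain; only the policy goes away.
    """
    remaining = {k: v for k, v in domain["authz_policies"].items() if k != policy_name}
    return audit_domain({**domain, "authz_policies": remaining})


if __name__ == "__main__":
    for check, result in audit_domain(DOMAIN).items():
        print(check, "->", result)
    preview = audit_after_delete(DOMAIN, "Public Resource")
    print("no_policy after delete ->", preview["no_policy"])
```

Running the delete preview before removing a policy shows which resources still need to be assigned to another authorization policy, as the prerequisite in 25.7.5 requires.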