Policies
Policies are configured using the Identity Management interface.
This interface lets the Top-level administrator or Top-level policy administrator view, create, delete and modify policies for a specific service that can be used across all organizations, and lets an organization or suborganization administrator view, create, delete and modify policies for use by that organization alone.
In general, policy is created at the organization (or suborganization) level to be used throughout the organization’s tree.
This topic contains the following sections:
- Types of Policies
- Creating Policies
- Modifying Policies
Types of Policies
There are two types of policy that can be configured using Identity Server: a normal policy or a referral policy.
A normal policy consists of rules, subjects and conditions. A referral policy consists of rules and referrals to organizations.
Normal Policy
In Identity Server, a policy that defines access permissions is referred to as a normal policy. A normal policy consists of rules, subjects and conditions.
A rule consists of a resource, and one or more sets of an action and a value. A resource defines the object that is being protected; an action is the name of an operation that can be performed on the resource and a value defines the permission.
Policies are not assigned to identities. Instead, subjects are assigned to policies. A subject is the identity object to which the policy is assigned and applied.
A condition defines the situations in which a policy is applicable. For example, a 7 am to 10 am condition in a policy means that the policy is applicable only from 7 am to 10 am.
Referral Policy
An administrator might typically need to delegate one organization’s policy definitions and decisions to another organization. (Alternately, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of one or more rules and one or more referrals. A rule defines the resource whose policy evaluation is being referred. The referral defines the organization to which the policy evaluation is being referred.
There are two types of referrals bundled with Identity Server: peer organization and suborganization. They delegate to an organization on the same level and an organization on a sub-level, respectively.
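To make the model concrete, here is an added example (not Identity Server code) that evaluates a request against normal and referral policies of the kinds described above. First-match semantics, the trailing "*" prefix syntax for resources, hour-of-day conditions, and the organizations, subjects and URLs in the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass
class Rule:
    resource: str             # object being protected; a trailing "*" matches a prefix (assumed syntax)
    actions: Dict[str, bool]  # action name -> value (True = allow, False = deny)

@dataclass
class Condition:
    start_hour: int           # applicable from start_hour (inclusive) ...
    end_hour: int             # ... until end_hour (exclusive); 7 and 10 model "7 am to 10 am"
    def holds(self, hour: int) -> bool:
        return self.start_hour <= hour < self.end_hour

@dataclass
class NormalPolicy:
    rules: List[Rule]
    subjects: Set[str]        # identities the policy is assigned to
    conditions: List[Condition] = field(default_factory=list)

@dataclass
class ReferralPolicy:
    rules: List[Rule]         # only the resource of each rule is consulted
    referral_org: str         # peer organization or suborganization that evaluates the resource

def resource_matches(pattern: str, resource: str) -> bool:
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else resource == pattern

def evaluate(org: str, orgs: Dict[str, list], subject: str, resource: str,
             action: str, hour: int, seen: FrozenSet[str] = frozenset()) -> Optional[bool]:
    """True/False from the first rule that decides; None when no policy applies.
    'seen' stops two peer organizations from referring to each other forever."""
    if org in seen:
        return None
    for policy in orgs.get(org, []):
        for rule in policy.rules:
            if not resource_matches(rule.resource, resource):
                continue
            if isinstance(policy, ReferralPolicy):
                decision = evaluate(policy.referral_org, orgs, subject, resource,
                                    action, hour, seen | {org})
                if decision is not None:
                    return decision
            elif subject in policy.subjects and all(c.holds(hour) for c in policy.conditions):
                if action in rule.actions:
                    return rule.actions[action]
    return None

def sample_orgs() -> Dict[str, list]:
    """Constructed data: the top-level org refers /hr/* to the 'hr' suborganization."""
    hr_rule = Rule("http://app.example.com/hr/*", {"GET": True, "POST": False})
    return {"root": [ReferralPolicy([Rule("http://app.example.com/hr/*", {})], "hr")],
            "hr": [NormalPolicy([hr_rule], {"alice"}, [Condition(7, 10)])]}
```

A None result means no policy in the referral chain matched the subject, resource, action and condition, which is distinct from an explicit deny value.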
Creating Policies
Policies are created through the Identity Management interface.
- Navigate to the Identity Management interface.
- Choose the organization for which you would like to create a policy.
Ensure that the location of the Policy Management window is correct for your organization.
- Choose Policies from the View menu.
By default, the Organizations view is visible in the View menu. All suborganizations configured, if any, will be visible below it. If creating policies for a suborganization, choose the suborganization and then choose Policies from the View menu.
- Click New in the Navigation frame. The New Policy window opens.
- Select the type of policy, normal or referral, that you wish to create.
If no referral policy that refers to a suborganization exists, you will not be able to create any policies for that suborganization.
It is not necessary to define all of the fields for normal or referral policies at this time. You may create the policy, then add rules, subjects, referrals, and so forth, later.
- Type a name for the policy and click OK.
- By default, the General view is displayed.
The General view displays the name of the policy and allows you to enter a description of the policy that is to be created.
- Click Save to complete the policy’s configuration.
Modifying Policies
Once a normal or referral policy is created, you can modify its rules, subjects, conditions and referrals. By default, the General view is displayed. The attributes contained in the General view are described in Creating Policies.