To Add Subjects

A subject defines the identities to which the policy applies.

  1. To define the subject for the policy, select Subject from the View menu and click New.
  2. Select one of the default subject types:

     Authenticated Users. This subject type implies that any user with a valid SSOToken is a member of this subject.

     Identity Server Roles. This subject type implies that any member of an Identity Server role is a member of this subject. An Identity Server role is created using Identity Server. These roles have object classes mandated by Identity Server. Identity Server roles can only be accessed via the hosting Identity Server Policy Service. Evaluating membership in Identity Server roles is faster because it uses the Identity Server SDK and cache.

     LDAP Groups. This subject type implies that any member of an LDAP group is a member of this subject.

     LDAP Roles. This subject type implies that any member of an LDAP role is a member of this subject. An LDAP role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by the Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

     LDAP Users. This subject type implies that any LDAP user is a member of this subject.

     Organization. This subject type implies that any member of the organization in which the policy is created is a member of this subject.

     Web Services Client. This subject type implies that a web service client (WSC) identified by the SSOToken is a member of this subject if the DN of any principal contained in the SSOToken matches any selected value of this subject. Valid values are the DNs of trusted certificates in the local JKS keystore, which correspond to the certificates of trusted WSCs. This subject depends on the Liberty Web Services Framework and should be used only by Liberty Service Providers to authorize WSCs.

     Click Next to continue.

  3. Enter a name for the subject.
  4. Select or deselect the Exclusive field.

     If this field is not selected (the default), the policy applies to an identity that is a member of the subject. If the field is selected, the policy applies to an identity that is not a member of the subject.

     If multiple subjects exist in the policy, the policy applies to an identity when at least one of the subjects implies that the policy applies to that identity.

  5. Perform a search to display the identities to add to the subject. This step is not applicable for the Authenticated Users subject.

     The default (*) search pattern displays all qualified entries.

  6. Select the individual identities you wish to add to the subject, or click Add All to add all of the identities at once. Click Add to move the identities to the Select List Box.
  7. Click Finish.

     The subject's name, type, and exclusive status are displayed in the table in the Subjects view. Click Save.

  8. To remove a subject from a policy, select the subject and click Delete, then Save.

     You can edit any subject definition by clicking the Edit link next to the subject name.
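The two evaluation rules stated in the Exclusive step (an exclusive subject matches identities that are *not* members, and a policy with several subjects applies when *any one* subject matches) determine how wide a policy actually reaches. The following Python model is an added illustration of those rules and of the Authenticated Users and Web Services Client matching described above; it is not Identity Server code. The class names (`SSOToken`, `Subject`, `Policy`), the `DIRECTORY` mapping used to look up group, role, user and organization membership, and all identities and DNs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SSOToken:
    """Constructed stand-in for a valid session token (assumed shape)."""
    user: str
    principal_dns: tuple = ()  # DNs of principals carried by the token (used by the WSC subject)


@dataclass(frozen=True)
class Subject:
    name: str
    kind: str                          # one of the subject types listed in step 2
    values: frozenset = frozenset()    # identities / DNs selected in step 6; empty for Authenticated Users
    exclusive: bool = False            # the Exclusive field from step 4

    def is_member(self, token: SSOToken, directory: dict) -> bool:
        """Raw membership test, before the Exclusive flag is considered."""
        if self.kind == "Authenticated Users":
            return True  # any identity holding a valid SSOToken is a member
        if self.kind == "Web Services Client":
            # member if the DN of any principal in the token is one of the selected DNs
            return any(dn in self.values for dn in token.principal_dns)
        # Group / role / user / organization subjects: membership is looked up in the
        # constructed directory, which maps a user to the identifiers it belongs to.
        memberships = directory.get(token.user, frozenset())
        return bool(memberships & self.values)

    def matches(self, token: SSOToken, directory: dict) -> bool:
        """Step 4: Exclusive inverts the membership result."""
        member = self.is_member(token, directory)
        return (not member) if self.exclusive else member


@dataclass(frozen=True)
class Policy:
    subjects: tuple

    def applies_to(self, token: SSOToken, directory: dict) -> bool:
        """Step 4: the policy applies when at least one subject says it applies."""
        return any(s.matches(token, directory) for s in self.subjects)


def covered_users(policy: Policy, tokens: list, directory: dict) -> list:
    """Return the sorted user names whose tokens the policy applies to."""
    return sorted(t.user for t in tokens if policy.applies_to(t, directory))


# Constructed directory: each user -> the identifiers (own uid, groups, roles) it is a member of.
DIRECTORY = {
    "alice": frozenset({"uid=alice", "cn=admins", "cn=staff"}),
    "bob":   frozenset({"uid=bob", "cn=staff"}),
    "eve":   frozenset({"uid=eve"}),
}
TOKENS = [SSOToken("alice"), SSOToken("bob"), SSOToken("eve")]

STAFF      = Subject("staff",       "LDAP Groups",         frozenset({"cn=staff"}))
NOT_ADMINS = Subject("not-admins",  "LDAP Groups",         frozenset({"cn=admins"}), exclusive=True)
ANYONE     = Subject("anyone",      "Authenticated Users")
TRUSTED_WSC = Subject("trusted-wsc", "Web Services Client", frozenset({"cn=wsc1,o=example"}))


def demo() -> dict:
    """Evaluate a few policies so the effect of each rule is visible."""
    wsc_policy = Policy((TRUSTED_WSC,))
    return {
        "members only":         covered_users(Policy((STAFF,)), TOKENS, DIRECTORY),
        "exclusive":            covered_users(Policy((NOT_ADMINS,)), TOKENS, DIRECTORY),
        "staff OR not-admins":  covered_users(Policy((STAFF, NOT_ADMINS)), TOKENS, DIRECTORY),
        "authenticated users":  covered_users(Policy((ANYONE,)), TOKENS, DIRECTORY),
        "wsc with trusted dn":  wsc_policy.applies_to(
            SSOToken("svc", principal_dns=("cn=wsc1,o=example",)), DIRECTORY),
        "wsc with other dn":    wsc_policy.applies_to(
            SSOToken("svc", principal_dns=("cn=unknown,o=example",)), DIRECTORY),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22} -> {result}")
```

The "staff OR not-admins" case is the one worth checking when reviewing a policy: because subjects combine with "at least one matches", adding an exclusive subject alongside an inclusive one covers every identity that is either a member of the first or a non-member of the second, which here is all three users. The Subjects table shown after Save lists the exclusive status of each subject, so that combination can be spotted there.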