To Add Subjects

Subjects define the subject to which the policy will apply.

  1. To define the subject for the policy, select Subject from the View menu and click New.
  2. Select one of the default subject types:

    Authenticated Users. This subject type implies that any user with a valid SSOToken is a member of this subject.

    Access Manager Roles. This subject type implies that any member of an Access Manager role is a member of this subject. An Access Manager role is created using Access Manager. These roles have object classes mandated by Access Manager. Access Manager roles can only be accessed via the hosting Access Manager Policy Service. Evaluating membership in Access Manager roles is faster because it uses the Access Manager SDK and cache.

    LDAP Groups. This subject type implies that any member of an LDAP group is a member of this subject.

    LDAP Roles. This subject type implies that any member of an LDAP role is a member of this subject. An LDAP role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by the Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

    LDAP Users. This subject type implies that any LDAP user is a member of this subject.

    Organization. This subject type implies that any member of the organization in which the policy is created is a member of this subject.

    Web Services Client. This subject type implies that a web service client (WSC) identified by the SSOToken is a member of this subject if the DN of any principal contained in the SSOToken matches any selected value of this subject. Valid values are the DNs of trusted certificates in the local JKS keystore, which correspond to the certificates of trusted WSCs. This subject depends on the Liberty Web Services Framework and should be used only by Liberty Service Providers to authorize WSCs.

    Click Next to continue.

  3. Enter a name for the subject.
  4. Select or deselect the Exclusive field.

    If this field is not selected (default), the policy applies to the identity that is a member of the subject. If the field is selected, the policy applies to the identity that is not a member of the subject.

    If multiple subjects exist in the policy, the policy applies to the identity when at least one of the subjects implies that the policy applies to the given identity.

  5. Perform a search in order to display the identities to add to the subject. This step is not applicable for the Authenticated Users or Web Services Client subject types.

    The default (*) search pattern displays all qualifying entries.

  6. Select the individual identities you wish to add to the subject, or click Add All to add all of the identities at once. Click Add to move the identities to the Select List Box. This step is not applicable for the Authenticated Users or Web Services Client subject types.
  7. Click Finish.

    The subject's name, type, and exclusive status are displayed in the table in the Subjects view. Click Save.

  To remove a subject from a policy, select the subject and click Delete, then Save.

  You can edit any subject definition by clicking the Edit link next to the subject name.
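The Exclusive flag and the rule that multiple subjects are combined by "at least one applies" are easy to misread, so the following added example (not code from the Access Manager product or its documentation) models how a policy's subjects are evaluated against an identity; the sample directory, group DNs, and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample directory (not real Access Manager data): who holds a
# valid SSOToken, and which LDAP groups each user belongs to.
AUTHENTICATED = {"alice", "bob", "carol"}
LDAP_GROUPS = {
    "cn=admins": {"alice"},
    "cn=staff": {"alice", "bob"},
}


@dataclass
class Subject:
    """One policy subject as defined in the Subjects view."""
    name: str
    subject_type: str                          # "Authenticated Users" or "LDAP Groups"
    exclusive: bool = False                    # the Exclusive checkbox
    values: set = field(default_factory=set)   # selected group DNs, if any


def is_member(subject: Subject, user: str) -> bool:
    """Raw membership, before the Exclusive flag is considered."""
    if subject.subject_type == "Authenticated Users":
        return user in AUTHENTICATED
    if subject.subject_type == "LDAP Groups":
        return any(user in LDAP_GROUPS.get(dn, set()) for dn in subject.values)
    raise ValueError(f"unsupported subject type: {subject.subject_type}")


def subject_applies(subject: Subject, user: str) -> bool:
    """Exclusive inverts membership: the policy then targets non-members."""
    return is_member(subject, user) != subject.exclusive


def policy_applies(subjects: list, user: str) -> bool:
    """Subjects are ORed: the policy applies if at least one subject applies."""
    return any(subject_applies(s, user) for s in subjects)


# One exclusive subject: everyone who is NOT in cn=admins.
NOT_ADMINS = Subject("NotAdmins", "LDAP Groups", exclusive=True, values={"cn=admins"})
# Caveat: adding a non-exclusive Authenticated Users subject next to it widens
# the policy back to every logged-in user, because the subjects are ORed.
ANY_USER = Subject("AnyUser", "Authenticated Users")

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, policy_applies([NOT_ADMINS], user), policy_applies([NOT_ADMINS, ANY_USER], user))
```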