To Add Rules
Rules define the resource, actions and action values of the policy.
- From the Identity Management interface, select Policies from the View menu.
The policies that were created for that organization are displayed.
- Choose the policy you wish to modify and click the Properties arrow. The Edit Policy window is opened in the Data frame.
By default, the General view is displayed.
- To define rules for the policy, select Rules from the View menu and click New.
If more than one service exists, they will be listed in the Data frame. Choose the service for which you wish to create a policy and click Next. The New Rule window is displayed.
- Define the resource, actions and action values in the Rules fields. The fields are:
Type. Displays the service for the policy to be created. The default is URL Policy Agent.
Rule Name. Enter the name of the rule.
Resource Name. Enter the name of a resource. For example:
http://www.example.com
Currently, Policy Agents only support http:// and https:// resources and do not support IP addresses in place of the hostname.
Wildcards are supported for resource names, port number and protocol. For example:
http*://*:*/*.html
For the URL Policy Agent service, if a port number is not entered, the default port number is 80 for http://, and 443 for https://.
To allow management of resources on all servers installed on a specific machine, you can define the resource as http://host*:*. Additionally, you can define the following resource to grant an administrator of a specific organization authority over all of the services in that organization:
- http://*.subdomain.domain.topleveldomain
Select Actions. For the URL Policy Agent Service, you can select either or both of the following default actions:
Denial rules always take precedence over allow rules in a policy. For example, if you have two policies for a given resource, one denying access and the other allowing access, the result is deny access (provided that the conditions for both policies are met). It is recommended that deny policies be used with extreme caution, as they may lead to conflicts between policies. Typically, the policy definition process should use only allow rules and rely on the default deny, which applies when no policy matches, to accomplish the deny case.
If explicit deny rules are used, policies that are assigned to a given user through different subjects (such as role and/or group membership) may result in denied access to a resource even if one or more of the policies allow access. For example, if there is a deny policy for a resource applicable to an Employee role and there is another allow policy for the same resource applicable to Manager role, policy decisions for users assigned both Employee and Manager roles would be denied.
One way to resolve such problems is to design policies using Condition plug-ins. In the case above, a “role condition” that applies the deny policy to users authenticated to the Employee role and applies the allow policy to users authenticated to the Manager role helps differentiate the two policies. Another way could be to use the authentication level condition, where the Manager role authenticates at a higher authentication level. See "To Add Conditions" for more information.
- Click Finish to save the rule. This only saves the configuration in memory. Follow step 8 to complete the process.
- Repeat steps 1 through 5 to create additional rules.
- All of the rules created for that policy are displayed in the table in the Rules view. Click Save to add the rules to the policy.
To remove a rule from a policy, select the rule and click Remove.
You can edit any rule definition by clicking on the Edit link next to the rule name.
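The following is an added example, not code from the Identity Server product or its documentation. It models in Python the rule and policy semantics described above: resource patterns with `*` wildcards in the protocol, host, port and path positions, default ports of 80 for http:// and 443 for https:// when none is given, deny rules taking precedence over allow rules, default deny when no policy applies, and the Employee/Manager conflict resolved with an authenticated-role condition (and an authentication-level condition, shown as an alternative). The wildcard semantics (`*` matches any run of characters, a wildcard protocol with no port gets a wildcard port), the `Session`, `Rule` and `Policy` types, the helper functions and the sample policies and URLs are all constructed assumptions for the demonstration; the real policy comparator may differ in detail.

```python
"""Toy evaluator for URL Policy Agent style rules (constructed example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # defaults stated on the page


@dataclass
class Session:
    """A caller's authenticated identity (assumed model)."""
    roles: Set[str]          # role memberships used for policy subjects
    auth_role: str           # role the user authenticated to
    auth_level: int = 1      # authentication level reached


@dataclass
class Rule:
    name: str
    resource: str            # resource pattern, e.g. "http*://*:*/*.html"
    actions: Dict[str, str]  # action -> "allow" | "deny"


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    subjects: Set[str]       # roles this policy is assigned to
    condition: Optional[Callable[[Session], bool]] = None


_PATTERN = re.compile(
    r"^(?P<scheme>[^:/]+)://(?P<host>[^:/]+)(?::(?P<port>[^/]+))?(?P<path>/.*)?$")


def normalize(url: str) -> str:
    """Canonical 'scheme://host:port[path]' form of a concrete request URL.
    A missing port becomes 80 for http and 443 for https, as the page states."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("only http:// and https:// resources are supported")
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname.lower()}:{port}{parts.path}"


def compile_resource(pattern: str) -> "re.Pattern[str]":
    """Turn a resource pattern into a regex over normalized URLs.
    Assumption: '*' matches any run of characters in any position."""
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unparseable resource pattern: {pattern}")
    scheme, host, port, path = m.group("scheme", "host", "port", "path")
    if port is None:
        # Default port only when the protocol is concrete; a wildcard
        # protocol gets a wildcard port (assumption).
        port = str(DEFAULT_PORTS[scheme]) if scheme in DEFAULT_PORTS else "*"
    canonical = f"{scheme}://{host}:{port}{path or ''}"
    regex = ".*".join(re.escape(piece) for piece in canonical.split("*"))
    return re.compile(f"^{regex}$", re.IGNORECASE)


def authenticated_role(role: str) -> Callable[[Session], bool]:
    """Role condition: policy applies only to users who authenticated to `role`."""
    return lambda s: s.auth_role == role


def min_auth_level(level: int) -> Callable[[Session], bool]:
    """Authentication level condition: policy applies at `level` or higher."""
    return lambda s: s.auth_level >= level


def evaluate(policies: List[Policy], session: Session, url: str, action: str) -> str:
    """Combine every applicable policy: an explicit deny wins over any allow,
    and deny is the default when no rule matches (as the page describes)."""
    target = normalize(url)
    decisions = []
    for policy in policies:
        if not (policy.subjects & session.roles):
            continue                       # user is not a subject of this policy
        if policy.condition is not None and not policy.condition(session):
            continue                       # condition not met: policy does not apply
        for rule in policy.rules:
            verdict = rule.actions.get(action)
            if verdict and compile_resource(rule.resource).fullmatch(target):
                decisions.append(verdict)
    if "deny" in decisions:
        return "deny"
    return "allow" if "allow" in decisions else "deny"


# Constructed sample: the Employee/Manager conflict from the text.
REPORTS = "https://intranet.example.com/reports/*"


def conflicting_policies() -> List[Policy]:
    deny = Policy("deny-reports-employees",
                  [Rule("no-reports", REPORTS, {"GET": "deny"})], {"Employee"})
    allow = Policy("allow-reports-managers",
                   [Rule("reports", REPORTS, {"GET": "allow"})], {"Manager"})
    return [deny, allow]


def conditioned_policies() -> List[Policy]:
    """Same policies, differentiated by a role condition as the text suggests."""
    deny, allow = conflicting_policies()
    deny.condition = authenticated_role("Employee")
    allow.condition = authenticated_role("Manager")
    return [deny, allow]


if __name__ == "__main__":
    url = "https://intranet.example.com/reports/q1.html"
    both = Session({"Employee", "Manager"}, auth_role="Manager", auth_level=2)
    print("without conditions:", evaluate(conflicting_policies(), both, url, "GET"))
    print("with role condition:", evaluate(conditioned_policies(), both, url, "GET"))
```

Running the script shows the point of the text: a user holding both roles is denied while the two policies conflict, and is allowed once the role condition restricts the deny policy to sessions authenticated to Employee. Replacing `authenticated_role("Manager")` with `min_auth_level(2)` on the allow policy models the authentication-level alternative.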