Creating an access control policy

Use the Policy Editor on the appliance local management interface to create and configure an access control policy.

Before you begin

Each policy is a combination of attributes, obligations or authentications, and a risk profile.

Before you create an access control policy:

  1. Ensure that the attributes and obligations you want to use in the policy are defined and available in the local management interface.
  2. Ensure that the risk profile you want to use is set as active. See Managing risk profiles.

About this task

The Policy Editor page has several sections:
Name and description
Specify a unique name for the policy and optionally include a description of the policy.
Subjects
Optionally specify one or more subjects to which the policy applies. Subjects can be anything in the Subject part of an access request. For example, use this field to specify that the policy applies to subjects who are members of the SystemAdministrators group. Click Add Subject to add subjects to the policy. Click Remove subject to remove a subject from the policy. By specifying subjects, you ensure that the policy rules are evaluated only if the request matches at least one of the specified subjects.
Rules
The Rules section has several settings:
Precedence
Specify an access action to take on the policy.
Deny
If any rule in the policy returns deny, the policy returns deny.
Permit
If any rule in the policy returns permit, the policy returns permit.
First
Access is permitted or denied based on the outcome of the first rule in the policy that can be evaluated against the access request. The rules in the policy are evaluated in the same order they are listed. The policy returns Not Applicable if none of the rules evaluates to true. To ensure that either a Permit or Deny decision is returned, include in the policy a Permit or Deny rule that does not contain a condition.
Attributes
When a policy is evaluated, the runtime will attempt to retrieve the values for all attributes that are specified in the policy. Attributes that are not found in the incoming request are considered missing. The Attributes setting controls how missing attributes are handled.
Optional
If Attributes is set to Optional, then all attributes specified in the Rule section of the policy are considered optional. With this setting, missing attributes are treated as empty sets and evaluated against the expression. In most cases, a missing attribute will cause the rule expression to return false.
Required
If Attributes is set to Required, then all attributes specified in the Rule section of the policy are considered required. With this setting, missing attributes are considered an error and will return a decision of Indeterminate when the rule is evaluated. Indeterminate results often cause the access request to be denied.
Add Rule
Click the Add Rule drop-down arrow and select either:
  • Conditional rule: This type of rule contains one or more conditions and an action. Rules are boolean expressions that are applied to a set of context attributes that are passed in the context object of the decision request. Each rule has an If statement and a Then statement. The If statement specifies the conditions that are checked when an access request is received. The Then statement specifies the action to take when the rule conditions are true.
  • Unconditional rule: This type of rule contains only an action and no conditions.
The rule actions are:
Permit
The request must be permitted to pass.
Permit with Obligation
A specific action must take place before the request is permitted to pass. Specify the action in the adjacent field.
Permit with Authentication
A specific authentication action must take place before the request is permitted to pass. Specify the authentication policy in the adjacent field. For more information about authentication policies, see Authentication policies.
Deny
The request must be denied and not permitted to pass.
Deny with Obligation
The request is denied and an obligation is processed.
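
As an added illustration, not code from the appliance, the following Python model implements the Precedence and Attributes semantics described above for a constructed two-rule policy (a conditional Permit for the SecurityAdministrator group followed by an unconditional Deny). The only assumption beyond what the page states is how an Indeterminate result ranks against the non-winning decision under Deny and Permit precedence; that ordering is borrowed from standard XACML combining algorithms.

```python
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """Raised when a Required attribute is absent from the access request context."""


def evaluate_rule(rule, context, attributes="Optional"):
    """rule = (condition, action). condition is None for an unconditional rule,
    otherwise a callable that receives an attribute getter and returns a bool."""
    condition, action = rule
    if condition is None:
        return action  # unconditional rule: always yields its action

    def get(name):
        if name in context:
            return context[name]
        if attributes == "Required":
            raise MissingAttribute(name)  # Required: a missing attribute is an error
        return set()  # Optional: a missing attribute is treated as an empty set

    try:
        return action if condition(get) else NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE  # error while evaluating the rule


def evaluate_policy(rules, context, precedence="First", attributes="Optional"):
    """Combine the rule results according to the policy's Precedence setting."""
    results = [evaluate_rule(r, context, attributes) for r in rules]
    if precedence == "First":
        # the first rule that could be evaluated decides; Indeterminate also stops here
        return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)
    winner, loser = (DENY, PERMIT) if precedence == "Deny" else (PERMIT, DENY)
    if winner in results:
        return winner
    if INDETERMINATE in results:
        return INDETERMINATE  # assumption: an evaluation error outranks the losing decision
    return loser if loser in results else NOT_APPLICABLE


# Constructed sample policy: permit members of SecurityAdministrator, otherwise deny.
# The unconditional Deny rule guarantees a Permit or Deny result under First precedence.
SAMPLE_RULES = [
    (lambda get: "SecurityAdministrator" in get("groups"), PERMIT),
    (None, DENY),
]

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_RULES, {"groups": {"SecurityAdministrator"}}))  # Permit
    print(evaluate_policy(SAMPLE_RULES, {}, attributes="Required"))  # Indeterminate
```

With Attributes set to Optional, a request that carries no groups attribute falls through the conditional rule to the unconditional Deny; with Required, the same request yields Indeterminate instead.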

Procedure

  1. Log in to the local management interface.
  2. Click Secure Mobile Settings.
  3. Under Policy, click Access Control.
  4. In the center panel, click Add policy.
  5. In the Name field, type a unique name for the policy.
    Note: The name must begin with an alphabetic character. Do not use control characters, leading or trailing blanks, or the following special characters anywhere in the name: ~ ! @ # $ % ^ & * ( ) + | ` = \ ; : " ' < > ? , [ ] { } /
  6. Optional: In the Description field, type a description for the policy.
  7. Optional: Specify subjects to which the policy applies.
    1. Click Add Subject.
    2. In the first box, select a subject attribute. Begin typing the name of the subject to filter the list.
    3. In the second box, select an operator.
    4. In the third box, type a value.
    For example, if you want the rule to be evaluated only if the access requestor belongs to the SecurityAdministrator group, specify the following selections:
    Parameter: groups
    Operator: =
    Value: SecurityAdministrator
    Note: If your LDAP root DN is secauthority=default, you can only use the = (equal) operator in policies that use X.500 names userDN and groupsDN.
    To specify more subjects, click Add Subject.
  8. In the Rule section, add one or more rules.
    1. For Precedence, select the access action to take for the policy.
    2. For Attributes, select the attribute usage of the policy.
    3. To add a rule to the policy, click the Add Rule drop-down arrow and choose one of the following:
      • Conditional rule: This type of rule contains one or more conditions and an action.
      • Unconditional rule: This type of rule contains no conditions.
    4. If you create an unconditional rule, continue with step 8.h.
    5. If you are creating a Conditional rule, select whether the rules apply if All conditions are true or if Any of the conditions are true.
    6. Create a rule by typing or selecting a parameter, operator, and value. To specify a value in the value field, click the drop-down menu on the right and select either Enter Value or Select Attribute.
    7. Take one of the following actions:
      • Click ! to add a NOT operator to the expression. If the expression already has a NOT operator, clicking ! removes the operator.
      • Click + to add another expression. The new expression is added below the preceding expression.
      • Click - to remove an expression.
      • Click () to create a parenthetical expression. Select the appropriate attributes, operators, and values for the expression. Or, add more expressions to the group. The new expression is added below the preceding expression.
    8. Specify the action to take when the rule evaluation is completed.
    9. Click OK when the rule is complete.
    10. To add another rule to the policy, repeat step 8.c.
    11. If your policy has more than one rule, you can change the sequence of the rules by selecting a rule and clicking Move up or Move down.
      Note: The sequence of the rules is important if you have selected First as the action for the policy.
  9. Click Save when the policy is complete.

What to do next

Attach the policy to a resource. See Managing access control policy attachments.