Use the Policy Editor on the appliance
local management interface to create and configure an access control
policy.
Before you begin
Each policy is a combination of attributes, obligations or
authentications, and a risk profile.
Before you create an access
control policy:
- Ensure that the attributes and obligations you want to use in
the policy are defined and available in the local management interface.
- Ensure that the risk profile you want to use is set as active.
See Managing risk profiles.
About this task
The Policy Editor page has several sections:
- Name and description
- Specify a unique name for the policy and optionally include a
description of the policy.
- Subjects
- Optionally specify one or more subjects to which the policy applies.
Subjects can be anything in the Subject part of an access request.
For example, use this field to specify that the policy applies to
subjects who are members of the SystemAdministrators group.
Click Add Subject to add subjects
to the policy. Click to
remove a subject from the policy. By specifying subjects, you can
ensure that the policy rules are evaluated only if they match at least
one of the specified subjects.
- Rules
- The Rules section has several settings:
- Precedence
- Specify an access action to take on the policy.
- Deny
- If any rule in the policy returns deny, the policy returns deny.
- Permit
- If any rule in the policy returns permit, the policy returns permit.
- First
- Access is permitted or denied based on the outcome of the first rule
in the policy that can be evaluated against the access request. The
rules in the policy are evaluated in the same order they are listed.
The policy returns Not Applicable if none of
the rules evaluates to true. To ensure that either a Permit or Deny
decision is returned, include in the policy a Permit or Deny rule
that does not contain a condition.
- Attributes
- When a policy is evaluated, the runtime will attempt to retrieve
the values for all attributes that are specified in the policy. Attributes
that are not found in the incoming request are considered missing.
The Attributes setting controls how missing
attributes are handled.
- Optional
- If Attributes is set to Optional,
then all attributes specified in the Rule section of the policy are
considered optional. With this setting, missing attributes are treated
as empty sets and evaluated against the expression. In most cases,
a missing attribute will cause the rule expression to return false.
- Required
- If Attributes is set to Required,
then all attributes specified in the Rule section of the policy are
considered required. With this setting, missing attributes are considered
an error and will return a decision of Indeterminate when the rule
is evaluated. Indeterminate results often cause the access request
to be denied.
- Add Rule
- Click the Add Rule drop-down arrow and
select either:
- Conditional rule: This type of rule contains
one or more conditions and an action. Rules are boolean expressions
that are applied to a set of context attributes that are passed in
the context object of the decision request. Each rule has an If statement
and a Then statement. The If statement
specifies the conditions that are checked when an access request is
received. The Then statement specifies the action
to take when the rule conditions are true.
- Unconditional rule: This type of rule contains
only an action and no conditions.
The rule actions are:
- Permit
- The request must be permitted to pass.
- Permit with Obligation
- A specific action must take place before the request is permitted
to pass. Specify the action in the adjacent field.
- Permit with Authentication
- A specific authentication action must take place before the request
is permitted to pass. Specify the authentication policy
in the adjacent field. For more information about authentication
policies, see Authentication policies.
- Deny
- The request must be denied and not permitted to pass.
- Deny with Obligation
- The request is denied and an obligation is processed.
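The following is an added example, not code from the appliance or from IBM: a small Python model of the Subjects, Precedence, and Attributes semantics described above, so that the difference between Deny, Permit, and First precedence and between Optional and Required attribute handling can be exercised on a constructed request. It assumes that under Deny or Permit precedence, when no rule returns the overriding decision, the other decision wins if any rule returned it (the page only states the overriding case).

```python
class MissingAttribute(Exception):
    """A Required attribute was absent from the access request."""

def attr(req, name, required):
    # Optional: a missing attribute is an empty set; Required: an error.
    if name not in req:
        if required:
            raise MissingAttribute(name)
        return set()
    return req[name]

def equals(name, value):
    # Builds a "<name> = <value>" expression; an empty set yields False.
    return lambda req, required: value in attr(req, name, required)

class Rule:
    def __init__(self, action, condition=None):
        self.action = action          # "Permit" or "Deny"
        self.condition = condition    # None models an unconditional rule

    def evaluate(self, req, required):
        if self.condition is None or self.condition(req, required):
            return self.action
        return "Not Applicable"

def evaluate_policy(rules, req, precedence="Deny", attributes="Optional", subjects=()):
    # Subjects gate the policy: if none match, the rules are not evaluated.
    if subjects and not any(v in req.get(n, set()) for n, v in subjects):
        return "Not Applicable"
    required = attributes == "Required"
    results = []
    for rule in rules:                # rules are evaluated in listed order
        try:
            result = rule.evaluate(req, required)
        except MissingAttribute:
            return "Indeterminate"    # a Required attribute was missing
        if precedence == "First" and result != "Not Applicable":
            return result             # the first applicable rule decides
        results.append(result)
    if precedence == "First":
        return "Not Applicable"       # no rule evaluated to true
    # Deny/Permit precedence: the named decision overrides. Assumption for
    # the case the page does not state: otherwise the other decision wins.
    other = "Permit" if precedence == "Deny" else "Deny"
    if precedence in results:
        return precedence
    return other if other in results else "Not Applicable"
```

An unconditional `Rule("Deny")` appended to a First-precedence policy plays the role of the fallback rule the page recommends, turning Not Applicable into Deny.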
Procedure
- Log in to the local management interface.
- Click .
- Under Policy, click Access
Control.
- In the center panel, click .
- In the Name field, type a unique
name for the policy.
Note: The name must begin with an
alphabetic character. Do not use control characters, leading and trailing
blanks, and the following special characters ~ ! @ # $ % ^ & *
( ) + | ` = \ ; : " ' < > ? , [ ] { } / anywhere in the name.
- Optional: In the Description field,
type a description for the policy.
- Optional: Specify subjects to which the policy
applies.
- Click Add Subject.
- In the first box, select a subject attribute. Begin
typing the name of the subject to filter the list.
- In the second box, select an operator.
- In the third box, type a value.
For example, if you want the rule to be evaluated only if
the access requestor belongs to the SecurityAdministrator group,
specify the following selections:
- Parameter: groups
- Operator: =
- Value: SecurityAdministrator
Note: If your LDAP root DN is secauthority=default,
you can only use the = (equal) operator in
policies that use X.500 names userDN and groupsDN.
To specify more subjects, click Add Subject.
- In the Rule section, add one or more rules.
- For Precedence, select the access
action to take for the policy.
- For Attributes, select the attribute
usage of the policy.
- To add a rule
to the policy, click the Add Rule drop-down
arrow and choose one of the following:
- Conditional rule: This type of rule contains
one or more conditions and an action.
- Unconditional rule: This type of rule contains
no conditions.
- If you create an unconditional rule, continue with step 8.h.
- If you are creating a Conditional rule, select whether
the rules apply if All conditions are true
or if Any of the conditions are true.
- Create a rule by typing or selecting a parameter, operator,
and value. To specify a value in the value field, click
the drop-down menu on the right and select either Enter
Value or Select Attribute.
- Take one of the following actions:
- Click ! to add a NOT operator to the expression.
If the expression already has a NOT operator, clicking ! removes
the operator.
- Click + to add another expression. The
new expression is added below the preceding expression.
- Click - to remove an expression.
- Click () to create a parenthetical expression.
Select the appropriate attributes, operators, and values for the expression.
Or, add more expressions to the group. The new expression is added
below the preceding expression.
- Specify the action to take when the rule
evaluation is completed.
- Click OK when the rule is complete.
- To add another rule to the policy, repeat step 8.c.
- If your policy has more than one rule, you can change
the sequence of the rules by selecting a rule and clicking or .
Note: The sequence of the
rules is important if you have selected First as
the action for the policy.
- Click Save when the policy is complete.
What to do next
Attach the policy to a resource. See
Managing access control policy attachments.