
Defining iChain Access Control Rules

After a user has logged in, access control list (ACL) rules control what resources the user can access. By default, the user has access to nothing. Only those resources explicitly listed in your ACL rules (specified by the URL) can be accessed by the organizations, organizational units, groups, or users listed in the Apply To list for the rule. Whenever possible, it is recommended that you use the highest-level object in the list of allowed users, making it easier and faster to configure an ACL rule.

When a user tries to access a protected resource that has been defined as Public, the user is immediately granted access. If the resource is defined as Restricted, the iChain system checks the user's browser cookie to see whether the user is currently authenticated; if so, the user is allowed to access the resource, otherwise the user is prompted for authentication. A current authenticated connection is all that is required. However, when a user attempts to access a URL that has been defined as Secure, the user must log in to NDS and provide a password. Once the user is authenticated, the ACL rules are checked to see whether the user is allowed to access the site.

ACL rules allow the use of an asterisk (*) or question mark (?) as wildcard characters when specifying URLs. The asterisk indicates that the user can have access to the folder contents and all subfolders. The question mark indicates the user can have access to the folder contents, but not the subfolders. Also, each ACL rule can be individually disabled or enabled, allowing you to turn on or off a particular rule for a time without losing its parameter settings.

ACL rules are stored in a cache that is updated periodically at a configurable interval. For performance reasons, the recommended cache refresh interval is three to six hours. If you make changes or additions to the ACL rules and want the cache to be updated immediately, use the manual Refresh option available in the Configure > Access Control tabs of the iChain Proxy Services Browser-based administration tool. If you have FTP enabled on the proxy, you can automatically refresh the iChain proxy when prompted by the snap-in.

When you create an entry in the URL list of an ACL rule, at least one of the two fields (Resource Name and URL) is required.

If only the URL is specified, it must be given as an absolute URL (for example, http://www.novell.com/index.html, not /index.html). The URL may contain wildcards. The ACL rule will match any request for the URL (including wildcards).

If only the Resource Name is specified, the ACL rule will match any request for the exact path of the Resource Name. For example, if the protected resource myserver has been defined as http://www.novell.com, and a URL list entry is created with myserver as the Resource Name and with no URL, then the ACL rule will apply to the http://www.novell.com URL only.

If both the Resource Name and the URL are specified, the URL must be given as a relative URL (/index.html, not http://www.novell.com/index.html) and may include wildcards. The ACL rule will match requests for the combined Resource Name and URL, including wildcards. For example, if the Resource Name is myserver and the URL is /documentation/*, then the ACL rule will apply to http://www.novell.com/documentation/*.

To create a new ACL rule for iChain:

  1. From ConsoleOne, select File > New > New Object.

    or

    Click the New iChain Object icon.

  2. Select ACL Rule > click OK.

  3. Define a name for the rule > click OK.

  4. Select the rule you just created and click Properties > Access Control.

  5. Under the list of Allowed URLs, click Add > define a name and URL for a resource that this rule will control access to.

    You can use an asterisk (*) or question mark (?) as a wildcard character when specifying URLs. The asterisk indicates that the user can have access to the folder contents and all subfolders. The question mark indicates the user can have access to the folder contents, but not the subfolders.

  6. Under the Apply To List, click Add to browse to and select the Os, OUs, groups, and users to which this rule applies.

    The Os, OUs, groups, and users in the Apply To List are allowed access to the listed URLs.

  7. Under the Exception List, click Add to browse to and select the Os, OUs, groups, and users that are exceptions to this rule.

    The Os, OUs, groups, and users in the Exception List are a subset of the Apply To List and are objects that are denied access to the listed URLs.

  8. To enable the ACL rule, check the Enable Access Control check box on the General tab.

  9. To disable the ACL rule and save it for later use, uncheck the Enable Access Control check box.


ACL Exceptions

You can exclude certain users or group members listed in the Apply To List that you do not want to have access to the specified URLs. However, these exceptions are made on a per-rule basis. So, although a user may be excluded from one rule, the user may still have access to the URL through other ACL rules. Double-check all ACL rules for the resource to be sure exceptions are as you expect.

You can also define a subset of the destination URL as an exception for an ACL rule. For example, an ACL rule could be set on http://ichain.novell.com/* for the users in the o=novell container. By using the URL exception feature, an administrator could define http://ichain.novell.com/private/* as a URL exception. iChain access control would then allow the users in the o=novell container to go to all the pages under http://ichain.novell.com/, except http://ichain.novell.com/private/.
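The following is an added example, not code from the iChain product or its documentation: a small Python model of how a URL-list entry (Resource Name and/or URL) resolves to a full pattern, how the `*` and `?` wildcards match, and how the Apply To list, the Exception List and URL exceptions combine across several rules. It is useful for checking a rule set the way the paragraphs above recommend, because it reports which rule grants a request, which makes a "denied in one rule, allowed by another" situation visible. The class and function names, the sample resources, rules and users, and the reading of `?` as "any run of characters that contains no slash" are this example's assumptions.

```python
"""Added example: a model of iChain ACL rule evaluation (not product code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UrlEntry:
    """One entry in a rule's URL list: Resource Name and/or URL (at least one)."""
    resource_name: Optional[str] = None
    url: Optional[str] = None


@dataclass
class AclRule:
    name: str
    urls: List[UrlEntry]
    apply_to: Set[str]                                  # Os, OUs, groups, users
    exceptions: Set[str] = field(default_factory=set)   # subset of apply_to, denied
    url_exceptions: List[str] = field(default_factory=list)
    enabled: bool = True


@dataclass
class User:
    dn: str                                   # e.g. "cn=alice,ou=eng,o=novell"
    groups: Set[str] = field(default_factory=set)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' = folder contents and all subfolders; '?' = contents, no subfolders.
    Assumption: '?' is modelled as any run of characters without a '/'."""
    out = ""
    for ch in pattern:
        out += ".*" if ch == "*" else "[^/]*" if ch == "?" else re.escape(ch)
    return re.compile("^" + out + "$")


def resolve_entry(entry: UrlEntry, resources: Dict[str, str]) -> str:
    """Turn a URL-list entry into the full URL pattern it controls."""
    if entry.resource_name is None and entry.url is None:
        raise ValueError("Resource Name or URL is required")
    if entry.resource_name is None:           # URL only: must be absolute
        if not entry.url.startswith(("http://", "https://")):
            raise ValueError("URL without Resource Name must be absolute")
        return entry.url
    base = resources[entry.resource_name].rstrip("/")
    if entry.url is None:                     # Resource Name only: exact path
        return base
    if entry.url.startswith(("http://", "https://")):
        raise ValueError("URL with Resource Name must be relative")
    return base + "/" + entry.url.lstrip("/")  # both: combined


def subject_covers(subject: str, user: User) -> bool:
    """Does an Apply To / Exception entry (O, OU, group or user) cover the user?"""
    if subject == user.dn or subject in user.groups:
        return True
    return user.dn.endswith("," + subject)     # user sits inside this container


def granting_rule(rules: List[AclRule], resources: Dict[str, str],
                  user: User, url: str) -> Optional[str]:
    """Name of the first enabled rule that grants access, or None (default deny)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if not any(subject_covers(s, user) for s in rule.apply_to):
            continue
        if any(subject_covers(s, user) for s in rule.exceptions):
            continue
        if any(pattern_to_regex(p).match(url) for p in rule.url_exceptions):
            continue
        if any(pattern_to_regex(resolve_entry(e, resources)).match(url)
               for e in rule.urls):
            return rule.name
    return None


# Constructed sample data (protected resources, rules and users are made up).
RESOURCES = {"ichain": "http://ichain.novell.com", "myserver": "http://www.novell.com"}
DOCS = "cn=docs,ou=groups,o=novell"
RULES = [
    AclRule("ichain-all", [UrlEntry("ichain", "/*")], {"o=novell"},
            url_exceptions=["http://ichain.novell.com/private/*"]),
    AclRule("docs-private", [UrlEntry("ichain", "/private/*")], {DOCS}),
    AclRule("docs-top", [UrlEntry(url="http://www.novell.com/documentation/?")],
            {DOCS}, exceptions={"cn=contractor,ou=eng,o=novell"}),
    AclRule("www-root", [UrlEntry(resource_name="myserver")], {"o=novell"}),
    AclRule("disabled-all", [UrlEntry(url="http://*")], {"o=novell", "o=acme"},
            enabled=False),
]
USERS = {
    "alice": User("cn=alice,ou=eng,o=novell", {DOCS}),
    "bob": User("cn=bob,o=acme"),
    "contractor": User("cn=contractor,ou=eng,o=novell", {DOCS}),
}

if __name__ == "__main__":
    for who, target in [("alice", "http://ichain.novell.com/private/x.html"),
                        ("bob", "http://ichain.novell.com/index.html")]:
        print(who, target, "->", granting_rule(RULES, RESOURCES, USERS[who], target))
```

In the sample data, `alice` is denied `/private/*` by the URL exception on `ichain-all` but still reaches it through `docs-private`, which is exactly the per-rule behaviour the text warns about; running `granting_rule` over every user and URL you care about, and looking at which rule name comes back, is a quick way to audit that before refreshing the proxy cache.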
