3.2 Creating Access Gateway Authorization Policies

An Authorization policy specifies conditions that a user must meet in order to access a resource or to be denied access to a resource. The Access Gateway enforces these conditions.

To create an Authorization policy:

  1. In the Administration Console, click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the policy, then select Access Gateway: Authorization for the type of policy.

  4. Fill in the following fields:

    Description: (Optional) Describe the purpose of this rule.

    Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and the lowest priority is 10. If two rules have the same priority, a Deny rule is applied before a Permit rule.

  5. In the Condition Group 1 section, click New, then select one of the following:

    • Authentication Contract: Allows you to control access based on the contract the user used for login. For configuration information, see Section 3.6.1, Authentication Contract Condition.

    • Client IP: Allows you to control access based on the IP address of the client making the request. For configuration information, see Section 3.6.2, Client IP Condition.

    • Credential Profile: Allows you to control access based on the credentials the user specified during authentication. For configuration information, see Section 3.6.3, Credential Profile Condition.

    • Current Date: Allows you to control access based on the date of the request. For more information, see Section 3.6.4, Current Date Condition.

    • Day of Week: Allows you to control access based on the day the request is made. For configuration information, see Day of Week Condition.

    • Current Day of Month: Allows you to control access based on the day of the month on which the request is made. For configuration information, see Section 3.6.6, Current Day of Month Condition.

    • Current Time of Day: Allows you to control access based on the time the request was made. For configuration information, see Section 3.6.7, Current Time of Day Condition.

    • HTTP Request Method: Allows you to control access based on the request method. For configuration information, see Section 3.6.8, HTTP Request Method Condition.

    • LDAP Attribute: Allows you to control access based on the value of an LDAP attribute. For configuration information, see Section 3.6.9, LDAP Attribute Condition.

    • LDAP OU: Allows you to control access based on the value of an LDAP organizational unit. For configuration information, see Section 3.6.10, LDAP OU Condition.

    • Liberty User Profile: Allows you to control access based on the value of a Liberty attribute. For configuration information, see Section 3.6.11, Liberty User Profile Condition.

    • Roles: Allows you to control access based on the roles a user has been assigned. For configuration information, see Section 3.6.12, Roles Condition.

    • URL: Allows you to control access based on the URL in the request. For configuration information, see Section 3.6.13, URL Condition.

    • URL Scheme: Allows you to control access based on the scheme in the URL of the request (for example, HTTP or HTTPS). For configuration information, see Section 3.6.14, URL Scheme Condition.

    • URL Host: Allows you to control access based on the hostname in the URL of the request. For configuration information, see Section 3.6.15, URL Host Condition.

    • URL Path: Allows you to control access based on the path in the URL of the request. For configuration information, see Section 3.6.16, URL Path Condition.

    • URL File Name: Allows you to control access based on the filename in the URL of the request. For configuration information, see Section 3.6.17, URL File Name Condition.

    • URL File Extension: Allows you to control access based on the file extension in the URL of the request. For configuration information, see Section 3.6.18, URL File Extension Condition.

    • X-Forwarded-For IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. For configuration information, see Section 3.6.19, X-Forwarded-For IP Condition.

    • Condition Extension: (Conditional) If you have loaded and configured an authorization condition extension, this option specifies a condition that is evaluated by an outside source. This outside source returns either True or False. See the documentation that came with the extension for information about what is evaluated.

    • Data Extension: (Conditional) If you have loaded and configured an authorization data extension, this option specifies the value that the extension retrieves. You can then select to compare this value with an LDAP attribute, a Liberty User Profile attribute, a Data Entry Field, or another Data Extension. For more information, see the documentation that came with the extension.

  6. To add multiple conditions to the same rule, either add a condition to the same condition group or create a new condition group. For information on how conditions and condition groups interact with each other, see Section 3.1.4, Using Multiple Conditions.

  7. In the Actions section, select one of the following:

    • Permit: Allows the user to access the resource.

    • Redirect: Specify the URL to which you want users redirected when they meet the conditions of this policy.

    • Deny: Select one of the following deny actions:

      Display Default Deny Page: Displays a generic message, indicating that the user has insufficient rights to access the resource.

      Deny Message: Allows you to provide a customized message that is displayed to users who are denied access.

      Redirect to URL: Allows you to specify a URL that users are redirected to when they are denied access. For example:

      http://www.novell.com
      
    • Action Extension (Permit): Select an action from the list of permit extensions. This action permits access to the resource and performs the additional action that the extension is designed to perform. If an action extension is not available, see Section 1.7, Adding Policy Extensions for information on uploading, configuring, and importing extensions.

    • Action Extension (Deny): Select an action from the list of deny extensions. This action denies access to the resource and performs the additional action that the extension is designed to perform. If a deny extension is not available, see Section 1.7, Adding Policy Extensions for information on uploading, configuring, and importing extensions.

  8. (Conditional) If you have installed an action obligation extension, you can click New in the Actions section, then select the action. This causes the extension to perform whatever action it is designed to perform whenever a user matches the conditions of this rule. This type of action is usually configured in addition to a permit or deny action, not instead of one. If the obligation option is not available, see Section 1.7, Adding Policy Extensions for information on uploading, configuring, and importing extensions.

  9. To save the rule, click OK.

  10. To add another rule, click New. To save the policy, click OK, then click Apply Changes.

  11. Assign the policy to a protected resource (see Assigning an Authorization Policy to a Protected Resource in the NetIQ Access Manager 3.1 SP5 Access Gateway Guide).
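The ordering rules in step 4 (priority 1 is evaluated first, and on equal priority a Deny rule is applied before a Permit rule) decide which action wins when several rules could match the same request. The following Python model is an added example, not Access Manager code; it assumes that all conditions inside a rule must hold (the product's own condition-group logic is in Section 3.1.4), that only Permit and Deny actions are used, and that the first matching rule decides. The request dictionary, the CIDR range, the role names and the policy rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed request context; the keys mirror condition types listed in step 5
# (Client IP, Roles, URL Path, Current Time of Day).
Request = Dict[str, object]
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    priority: int  # 1 is the highest priority, 10 the lowest, as stated in step 4
    action: str    # "Permit" or "Deny"
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        # Assumption for this model: every condition in the rule must hold.
        return all(cond(req) for cond in self.conditions)


# --- condition builders modelled on the condition types in step 5 ---

def client_ip_in(cidr: str) -> Condition:
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(str(req["client_ip"])) in net


def not_(cond: Condition) -> Condition:
    return lambda req: not cond(req)


def has_role(role: str) -> Condition:
    return lambda req: role in req.get("roles", [])


def url_path_starts_with(prefix: str) -> Condition:
    return lambda req: str(req["path"]).startswith(prefix)


def time_of_day_between(start_hour: int, end_hour: int) -> Condition:
    return lambda req: start_hour <= int(req["hour"]) < end_hour


def evaluation_order(rules: List[Rule]) -> List[Rule]:
    """Order rules as step 4 describes: by priority (1 first); on a tie, Deny before Permit."""
    for r in rules:
        if not 1 <= r.priority <= 10:
            raise ValueError(f"{r.name}: priority must be between 1 and 10")
        if r.action not in ("Permit", "Deny"):
            raise ValueError(f"{r.name}: unsupported action {r.action!r}")
    return sorted(rules, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))


def evaluate(rules: List[Rule], req: Request) -> Optional[Tuple[str, str]]:
    """Return (rule name, action) of the first matching rule, or None when nothing matches.

    The page does not say what happens when no rule matches, so this model returns None
    and leaves the default decision to the caller.
    """
    for rule in evaluation_order(rules):
        if rule.matches(req):
            return rule.name, rule.action
    return None


# Constructed sample policy: two rules that both cover /admin, two that both cover /reports.
POLICY = [
    Rule("admin-area-admins-only", 2, "Permit",
         [url_path_starts_with("/admin"), has_role("admin")]),
    Rule("admin-area-internal-only", 1, "Deny",
         [url_path_starts_with("/admin"), not_(client_ip_in("10.0.0.0/8"))]),
    Rule("reports-staff", 3, "Permit",
         [url_path_starts_with("/reports"), has_role("staff")]),
    Rule("reports-after-hours", 3, "Deny",
         [url_path_starts_with("/reports"), not_(time_of_day_between(8, 18))]),
]


def decide(client_ip: str, roles: List[str], path: str, hour: int) -> Optional[Tuple[str, str]]:
    return evaluate(POLICY, {"client_ip": client_ip, "roles": roles, "path": path, "hour": hour})


if __name__ == "__main__":
    for args in [("10.1.2.3", ["admin"], "/admin/users", 10),
                 ("203.0.113.5", ["admin"], "/admin/users", 10),
                 ("10.1.2.3", ["staff"], "/reports/q1", 12),
                 ("10.1.2.3", ["staff"], "/reports/q1", 22),
                 ("10.1.2.3", ["staff"], "/public", 12)]:
        print(args, "->", decide(*args))
```

The second and fourth sample requests show the two ordering effects: the priority 1 Deny rule stops an external admin before the priority 2 Permit rule is ever considered, and the after-hours Deny rule at priority 3 beats the staff Permit rule at the same priority because a Deny is applied first on a tie.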