1.3 Managing Policies

  1. In the Administration Console, click Policies > Policies.

  2. In the Policy Container drop-down list, select the container.

    If you have not created any containers, only the Master_Container is available in the list.

  3. You can perform the following tasks from this page:

1.3.1 Creating Policies

Before creating policies, you need to design your policy strategy. For example, if you are going to use role-based access, you need to decide which roles you need and which roles allow access to your protected resources. Roles, which are used by Authorization policies that grant and deny access, need to be created first. If you have already created the roles and assigned them to users in your LDAP user store, you can use the values of your role attributes in the Authorization policies rather than using Access Manager roles.

To create a policy, see the following sections:

1.3.2 Sorting Policies

Policies can be sorted by name and by type. On the Policies page, click Name in the Policy List, and the policies are sorted alphabetically by name. To sort alphabetically by type, click Type in the Policy List.

You can also use containers to organize your policies. For more information, see Section 1.4, Managing Policy Containers.

1.3.3 Deleting Policies

A policy cannot be deleted as long as a resource is configured to use the policy. For Access Gateway and J2EE Agent policies, this means that you must remove the policy from all protected resources.

Roles can be used by Authorization, Form Fill, and Identity Injection policies. Before you can delete a Role policy, you must remove any reference to the role from all other policies.

1.3.4 Renaming or Copying a Policy

Copy: To copy a policy, select a policy, click Copy, then click OK. The new policy is named “Copy of ...” This is useful when you are creating multiple policies that require only minor variations to make them unique. You should rename the policy after making these modifications.

Rename: To rename a policy, select a policy, click Rename, specify a new name, then click OK.

1.3.5 Importing and Exporting Policies

Policies that are created in the Administration Console can be exported and used in another Administration Console that is managing a different group of Access Gateways and other devices. Each policy type has slightly different import requirements. See the following:

1.3.6 Creating the SSL VPN Default Policy

To create the default policy that the SSL VPN server uses, click the Create SSL VPN Default option. This option creates an Identity Injection policy that is used to set up single sign-on with the SSL VPN server. After you have created this policy, this option is no longer available.

1.3.7 Refreshing Policy Assignments

If you have made changes in policy assignments that are not reflected on the page, click Refresh References. This action can take a while to complete if you have numerous policies and have assigned them to protect numerous resources. The Administration Console needs to verify the configuration of each device.

1.3.8 Viewing Policy Information

The Policy List table displays the following information about each policy.

Column

Description

Name

Displays the name of the policy. To modify a policy, click its name.

Type

Specifies the type of policy (Authorization, Identity Injection, Roles, or Form Fill) and the type of resource that can use it (Identity Server, Access Gateway, or J2EE Agent).

Used By

Displays the name of the Access Gateway, the Identity Server configuration, or the J2EE Agent that the policy is assigned to. If the policy is unassigned, this column has no value.

If the policy is assigned to a protected resource, click the down-arrow button to view the names of the resources it has been assigned to.

Extensions Used

Specifies whether the policy uses any extensions. If none has been used, this column has no value.

Description

Displays a description of the policy. If no description has been specified, this column has no value.