4.3 Configuring the Security Policy Object

A Security Policy object is created in the Security container when you install NMAS. The Security Policy object allows you to create, view, and rename the clearances, security labels, and categories for your NMAS implementation. You can then use these names to assign security labels to any eDirectory attribute or NetWare volume. You can also assign clearances to User objects in your eDirectory tree from the user's property page.

4.3.1 Defining User-Defined Categories (Closed User Groups)

You can define secrecy and integrity categories that can be used to create security labels in addition to the three integrity and three secrecy categories (Biometric, Token, Password) that are predefined. For example, Biometric integrity and secrecy categories represent that access to an object is restricted to users logging in with a biometric method.

After you have created a category, you cannot delete it. You can view or rename it.

Creating a New Category Using ConsoleOne

  1. In ConsoleOne, double-click the Security Container > click Security Policy.

  2. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  3. Click Add, then specify a name for the category.

  4. Click OK.

The new category will now be available for use in defining a security label.

Creating a New Category Using iManager

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security Container > Security Policy, then click OK.

  3. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  4. Click Add, specify a name for the category, then click OK.

  5. Click OK or Apply.

Renaming a Category Using ConsoleOne

  1. In ConsoleOne, double-click the Security Container > click Security Policy.

  2. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  3. Select the category you want to rename, then click Rename Category.

  4. Specify the new name, click OK, then click OK or Apply.

Renaming a Category Using iManager

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security Container > Security Policy, then click OK.

  3. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  4. Select the category you want to rename, then click Rename.

  5. Specify the new name, click OK, then click OK or Apply.

4.3.2 Defining Security Labels

NMAS provides eight security labels by default. Security labels are also used as single-level security clearances.

After you have created a security label, you cannot modify it or delete it. You can view its properties and rename it.

Creating a New Security Label Using ConsoleOne

  1. In ConsoleOne, double-click the Security Container > click Security Policy.

  2. Click Define Labels.

  3. Click New Label, then specify a name for the label.

  4. Assign integrity and secrecy categories to the new label using the horizontal arrows.

  5. Click OK.

Creating a New Security Label Using iManager

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security Container > Security Policy, then click OK.

  3. Click Define Labels.

  4. Click New, specify a name for the label, then click OK.

  5. Assign integrity and secrecy categories to the new label using the horizontal arrows.

  6. Click OK or Apply.

Renaming a Security Label Using ConsoleOne

  1. Select a label from the Defined Security Labels drop-down list.

  2. Click Rename Label.

  3. Specify a new name for the label.

  4. Click OK.

Renaming a Security Label Using iManager

  1. Select a label from the Defined Security Labels drop-down list.

  2. Click Rename.

  3. Specify a new name for the label, then click OK.

  4. Click OK or Apply.

4.3.3 Defining Clearances

When you create a clearance, you will select two labels, a Read label and a Write label. The Read label must dominate or be equal to the Write label. In fact, when creating a security clearance, you won't have the option to select a Write label that dominates the Read label.

For example, the Password & Token security label has dominance over the Password security label, so you could select the Password & Token label as your Read label and the Password label for your Write label.

You can also define your own security clearances to meet your company's authentication needs.

After you have created a clearance, you cannot modify it or delete it. You can view its properties and rename it.

Creating a New Clearance Using ConsoleOne

  1. In ConsoleOne, double-click the Security Container > Security Policy.

  2. Click the Clearances tab > Definition.

  3. Click New Clearance, then specify a name for the clearance.

  4. Select a security label from the Read label drop-down list.

    This label is the Read label for this clearance. You must select a Read label before you can select a Write label.

  5. Select a security label from the Write label drop-down list.

    This label is the Write label for this clearance. You can't select a Write label that has greater dominance than the Read label.

  6. Click OK or Apply.

Creating a New Clearance Using iManager

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security Container > Security Policy, then click OK.

  3. Click the Clearances tab.

  4. Click New, specify a name for the clearance, then click OK.

  5. Select a security label from the Read label drop-down list.

    This label is the Read label for this clearance. You must select a Read label before you can select a Write label.

  6. Select a security label from the Write label drop-down list.

    This label is the Write label for this clearance. You can't select a Write label that has greater dominance than the Read label.

  7. Click OK or Apply.

Viewing the Properties of a Clearance in ConsoleOne

  1. Select a clearance from the Clearance drop-down list.

  2. You can see the Read and Write labels that are used to define the clearance.

Viewing the Properties of a Clearance in iManager

  1. Select a clearance from the Default Clearance drop-down list.

  2. The Read and Write labels that are used to define the clearance are displayed.

Renaming a Clearance in ConsoleOne

  1. Select a clearance from the Default Clearance drop-down list.

  2. Click Rename Clearance.

  3. Specify the new name for the clearance.

  4. Click OK.

Renaming a Clearance in iManager

  1. Select a clearance from the Default Clearance drop-down list.

  2. Click Rename.

  3. Specify the new name for the clearance, then click OK.

  4. Click OK or Apply.

4.3.4 Viewing Security Clearance Access

A quick way to determine the access rights a clearance will allow to objects assigned to a particular label is to view the Access page. Click Clearance > Access. This page shows, for each label, whether a user holding the clearance has Read and Write access, Read-only access, or No access to information and resources carrying that label.

To view the access rights for a clearance using ConsoleOne:

  1. In ConsoleOne, double-click the Security Container > Security Policy.

  2. Click the Clearances tab > Access.

  3. Select a clearance from the Clearance drop-down box.

    Each defined label is grouped by the access the clearance has to the labeled object.

To view the access rights for a clearance using iManager:

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security Container > Security Policy, then click OK.

  3. Click the Clearances tab > Access.

  4. Select a clearance from the Clearance drop-down box.

    Each defined label is grouped by the access the clearance has to the labeled object.
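The following Python model is an added example, not code from NMAS or this guide. It shows the two rules described in 4.3.3 and 4.3.4: a clearance's Read label must dominate or equal its Write label, and the Access page groups every defined label by the access a clearance grants to objects carrying it. Two things are assumptions of the example rather than statements from the page: dominance is modelled as "carries every secrecy and integrity category the other label carries" (which reproduces the page's Password & Token dominates Password example), and the Access grouping follows the usual lattice rule (Read and Write when the object's label lies between the Write and Read labels, Read-only when the Read label dominates it but it does not reach the Write label, otherwise No access). The label set is constructed from the three predefined category names on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """A security label: a set of secrecy and a set of integrity categories."""
    name: str
    secrecy: frozenset
    integrity: frozenset

    def dominates(self, other: "Label") -> bool:
        # Assumed rule: dominance is superset on both category sets, so
        # "Password & Token" dominates "Password" and equal labels dominate
        # each other.
        return self.secrecy >= other.secrecy and self.integrity >= other.integrity


def make_label(name: str, *categories: str) -> Label:
    # Constructed sample label: the same categories on the secrecy and the
    # integrity side, which is enough to illustrate dominance.
    cats = frozenset(categories)
    return Label(name, cats, cats)


# Constructed labels built from the page's predefined categories.
LABELS = {
    "Public": make_label("Public"),
    "Password": make_label("Password", "Password"),
    "Token": make_label("Token", "Token"),
    "Biometric": make_label("Biometric", "Biometric"),
    "Password & Token": make_label("Password & Token", "Password", "Token"),
    "Password & Token & Biometric": make_label(
        "Password & Token & Biometric", "Password", "Token", "Biometric"),
}


@dataclass(frozen=True)
class Clearance:
    """A clearance is a Read label plus a Write label (section 4.3.3)."""
    name: str
    read: Label
    write: Label

    def __post_init__(self):
        # The page's rule: the Read label must dominate or equal the Write
        # label. The ConsoleOne/iManager dialogs enforce this by never
        # offering a dominating Write label; here it is an explicit check.
        if not self.read.dominates(self.write):
            raise ValueError(
                f"{self.name}: Write label '{self.write.name}' is not "
                f"dominated by Read label '{self.read.name}'")

    def access(self, label: Label) -> str:
        # Assumed Access-page semantics (lattice model, not stated on the page).
        if not self.read.dominates(label):
            return "No access"
        if label.dominates(self.write):
            return "Read and Write"
        return "Read-only"


def access_view(clearance: Clearance, labels) -> dict:
    """Group label names by the access the clearance grants, as the Access page does."""
    groups = {"Read and Write": [], "Read-only": [], "No access": []}
    for lbl in labels:
        groups[clearance.access(lbl)].append(lbl.name)
    return groups


def clearance_is_valid(read_name: str, write_name: str) -> bool:
    """True when the Read/Write pair would be accepted by the dominance rule."""
    try:
        Clearance("check", LABELS[read_name], LABELS[write_name])
        return True
    except ValueError:
        return False


def example_clearance() -> Clearance:
    # The page's own example pairing: Read = Password & Token, Write = Password.
    return Clearance("PT-read / P-write", LABELS["Password & Token"], LABELS["Password"])


if __name__ == "__main__":
    clearance = example_clearance()
    for group, names in access_view(clearance, LABELS.values()).items():
        print(f"{group}: {', '.join(names) or '(none)'}")
    # The reverse pairing is rejected, matching what the dialogs refuse to offer.
    print("Password read / Password & Token write valid:",
          clearance_is_valid("Password", "Password & Token"))
```

Running the script prints the same three groups the Access page shows for the example clearance: labels at or between Password and Password & Token get Read and Write, labels below the Write label (Public, Token) get Read-only, and labels the Read label does not dominate (anything containing Biometric) get No access. Defining a new category in 4.3.1 is just another name that can appear in a label's category sets; the dominance and access checks need no change.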