An Authorization policy specifies the conditions a user must meet in order to access a resource; the Access Gateway enforces these conditions. Each rule in the policy specifies the criteria a user must meet for access to be either permitted or denied.
To create an Access Gateway Authorization policy:
In the Administration Console, click > > .
Specify a name for the policy, then select for the type of policy.
Fill in the following fields:
Description: (Optional) Describe the purpose of this rule.
Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and 10 is the lowest. If two rules have the same priority, a Deny rule is applied before a Permit rule.
In the section, click , then select one of the following:
Authentication Contract: Allows you to control access based on the contract the user used for login. For configuration information, see Section 28.5.1, Authentication Contract Condition.
Client IP: Allows you to control access based on the IP address of the client making the request. For configuration information, see Section 28.5.2, Client IP Condition.
Credential Profile: Allows you to control access based on the credentials the user specified during authentication. For configuration information, see Section 28.5.3, Credential Profile Condition.
Current Date: Allows you to control access based on the date of the request. For more information, see Section 28.5.4, Current Date Condition.
Current Day of Week: Allows you to control access based on the day the request is made. For configuration information, see Current Day of Week Condition.
Current Day of Month: Allows you to control access based on the day of the month on which the request is made. For configuration information, see Section 28.5.6, Current Day of Month Condition.
Current Time of Day: Allows you to control access based on the time the request was made. For configuration information, see Section 28.5.7, Current Time of Day Condition.
HTTP Request Method: Allows you to control access based on the request method. For configuration information, see Section 28.5.8, HTTP Request Method Condition.
LDAP Attribute: Allows you to control access based on the value of an LDAP attribute. For configuration information, see Section 28.5.9, LDAP Attribute Condition.
LDAP OU: Allows you to control access based on the value of an LDAP organizational unit. For configuration information, see Section 28.5.10, LDAP OU Condition.
Liberty User Profile: Allows you to control access based on the value of a profile attribute. For configuration information, see Section 28.5.11, Liberty User Profile Condition.
Roles for Current User: Allows you to control access based on the roles a user has been assigned. For configuration information, see Section 28.5.12, Roles for Current User Condition.
URL: Allows you to control access based on the URL in the request. For configuration information, see Section 28.5.13, URL Condition.
URL Scheme: Allows you to control access based on the scheme in the URL of the request (for example, http or https). For configuration information, see Section 28.5.14, URL Scheme Condition.
URL Host: Allows you to control access based on the hostname in the URL of the request. For configuration information, see Section 28.5.15, URL Host Condition.
URL Path: Allows you to control access based on the path in the URL of the request. For configuration information, see Section 28.5.16, URL Path Condition.
URL File Name: Allows you to control access based on the filename in the URL of the request. For configuration information, see Section 28.5.17, URL File Name Condition.
URL File Extension: Allows you to control access based on the file extension in the URL of the request. For configuration information, see Section 28.5.18, URL File Extension Condition.
X-Forwarded-For IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. For configuration information, see Section 28.5.19, X-Forwarded-For IP Condition.
To add multiple conditions to the same rule, either add a condition to the same condition group or create a new condition group. For information on how conditions and condition groups interact with each other, see Section 28.7, Using Multiple Conditions.
In the section, select either , , or .
If you select , specify the URL to which you want users redirected when they meet the conditions of this policy.
If you select , select one of the following:
Display Default Deny Page: Displays a generic message indicating that users have insufficient rights to access the resource.
Deny Message: Allows you to provide a customized message that is displayed to users who are denied access. This message can be plain text or text with HTML tags.
Redirect to URL: Allows you to specify a URL to which users are redirected when they are denied access. For example:
http://www.novell.com
To save the rule, click .
To add another rule, click , or to save the policy, click , then click .
For information on how to assign the policy to a protected resource, see Section 13.4.3, Assigning an Authorization Policy to a Protected Resource.
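As an added example (not part of the original documentation or of the product's own code), the following Python sketch models how the rules described above are ordered and evaluated: rules run in priority order, a Deny rule runs before a Permit rule at the same priority, and a rule applies when its condition groups are satisfied. The Request dict, the condition builders, the policy and the sample requests are constructed here; combining conditions as AND within a group and OR across groups is an assumption, since the page defers that behaviour to Section 28.7.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]            # constructed request attributes, see samples below
Condition = Callable[[Request], bool]

@dataclass
class Rule:
    name: str
    priority: int                   # 1 is the highest priority, 10 the lowest
    action: str                     # "Permit", "Deny" or "Redirect"
    groups: List[List[Condition]]   # assumption: AND within a group, OR across groups
    redirect_url: Optional[str] = None

    def matches(self, req: Request) -> bool:
        return any(all(cond(req) for cond in group) for group in self.groups)

# Condition builders mirroring a few of the condition types listed above.
def client_ip_in(cidr: str) -> Condition:
    net = ip_network(cidr)
    return lambda r: ip_address(r["client_ip"]) in net
def url_path_startswith(prefix: str) -> Condition:
    return lambda r: r["path"].startswith(prefix)
def http_method_in(*methods: str) -> Condition:
    return lambda r: r["method"].upper() in methods
def has_role(role: str) -> Condition:
    return lambda r: role in r.get("roles", "").split(",")
def negate(cond: Condition) -> Condition:
    return lambda r: not cond(r)

def decide(rules: List[Rule], req: Request) -> Tuple[Optional[str], Optional[str]]:
    """(action, rule name) of the first matching rule: priority order, Deny before Permit on a tie."""
    for rule in sorted(rules, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1)):
        if rule.matches(req):
            return rule.action, rule.name
    return None, None  # the page states no default for an unmatched request

# Constructed policy: both priority-1 rules match an admin outside 10.0.0.0/8; Deny is applied first.
POLICY = [
    Rule("permit-admins", 1, "Permit", [[url_path_startswith("/admin"), has_role("admin")]]),
    Rule("deny-external-admin", 1, "Deny", [[url_path_startswith("/admin"), negate(client_ip_in("10.0.0.0/8"))]]),
    Rule("permit-public-reads", 5, "Permit", [[url_path_startswith("/public"), http_method_in("GET", "HEAD")]]),
    Rule("redirect-legacy", 10, "Redirect", [[url_path_startswith("/old")]], redirect_url="https://intranet.example/new"),
]

# Constructed sample requests (not from the page).
ADMIN_INSIDE = {"client_ip": "10.1.2.3", "path": "/admin/users", "method": "GET", "roles": "admin,staff"}
ADMIN_OUTSIDE = {"client_ip": "203.0.113.7", "path": "/admin/users", "method": "GET", "roles": "admin"}
```

Client IP and X-Forwarded-For conditions are only as reliable as the component that sets those values, so a policy that relies on them should sit behind a proxy that overwrites, rather than forwards, the client-supplied header.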