Create an access control policy
Use the Policy Editor on the appliance local management interface to create and configure an access control policy.
Each policy is a combination of attributes, obligations or authentications, and a risk profile.
Before we create an access control policy:
- Ensure the attributes and obligations to use in the policy are defined and available in the local management interface.
- Ensure the risk profile to use is set as active. See Manage risk profiles.
The Policy Editor page has several sections:
- Name and description
- Specify a unique name for the policy and optionally include a description of the policy.
- Subjects
- Optionally specify one or more subjects to which the policy applies. Subjects can be anything in the Subject part of an access request. For example, use this field to specify the policy applies to subjects who are members of the SystemAdministrators group. Click Add Subject to add subjects to the policy. Click to remove a subject from the policy. By specifying subjects, we can ensure the policy rules are evaluated only if they match at least one of the specified subjects.
- Rules
- The Rules section has several settings:
- Precedence
- Specify an access action to take on the policy.
- Deny
- If any rule in the policy returns deny, the policy returns deny.
- Permit
- If any rule in the policy returns permit, the policy returns permit.
- First
- Access is permitted or denied based on the outcome of the first rule in the policy that can be evaluated against the access request. The rules in the policy are evaluated in the same order they are listed, and all rules are processed regardless of which rule returns an applicable decision. The policy returns Not Applicable if none of the rules evaluates to true. To ensure that either a Permit or Deny decision is returned, include in the policy a Permit or Deny rule that does not contain a condition.
- Attributes
- When a policy is evaluated, the runtime will attempt to retrieve the values for all attributes specified in the policy. Attributes that are not found in the incoming request are considered missing. The Attributes setting controls how missing attributes are handled.
- Optional
- If Attributes is set to Optional, then all attributes specified in the Rule section of the policy are considered optional. With this setting, missing attributes are treated as empty sets and evaluated against the expression. In most cases, a missing attribute will cause the rule expression to return false.
- Required
- If Attributes is set to Required, then all attributes specified in the Rule section of the policy are considered required. With this setting, missing attributes are considered an error and will return a decision of Indeterminate when the rule is evaluated. Indeterminate results often cause the access request to be denied.
- Add Rule
- Click the Add Rule drop-down arrow and select either:
- Conditional rule: This type of rule contains one or more conditions and an action. Rules are boolean expressions applied to a set of context attributes that are passed in the context object of the decision request. Each rule has an If statement and a Then statement. The If statement specifies the conditions that are checked when an access request is received. The Then statement specifies the action to take when the rule conditions are true.
- Unconditional rule: This type of rule contains only an action and no conditions.
The rule actions are:
- Permit
- The request must be permitted to pass.
- Permit with Obligation
- A specific action must take place before the request is permitted to pass. Select the action in the adjacent field.
- Permit with Authentication
- A specific authentication action must take place before the request is permitted to pass. Select the authentication policy in the adjacent field. For information about authentication policies, see Authentication policies.
- Deny
- The request must be denied and not permitted to pass.
- Deny with Obligation
- The request is denied and an obligation is processed.
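The Subjects filter, the Precedence setting, the Attributes setting and the rule actions described above, modelled as a small evaluator. This is an added illustration, not the product's own code, and it simplifies the runtime: it supports only the = and != operators, and it treats a single Indeterminate rule as making the whole policy Indeterminate. The attribute names (groups, authLevel, riskLevel), the group names other than SecurityAdministrator, and the obligation and authentication policy identifiers (StrongAuthPolicy, LogDeniedAccess) are constructed for the example.

```python
# Added model of the Policy Editor decision semantics (not product code).
# Attribute names, group names other than SecurityAdministrator, and the
# obligation/authentication identifiers are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "Not Applicable", "Indeterminate"


class MissingAttribute(Exception):
    """Raised under Attributes=Required when a referenced attribute is absent."""


@dataclass
class Rule:
    action: str                                     # one of the five rule actions on the page
    conditions: list = field(default_factory=list)  # (attribute, operator, value); empty = unconditional
    match: str = "All"                              # "All": every condition; "Any": at least one
    obligation: Optional[str] = None                # obligation or authentication policy id (constructed)


@dataclass
class Policy:
    name: str
    precedence: str                                 # "Deny", "Permit" or "First"
    rules: list
    attributes: str = "Optional"                    # "Optional" or "Required"
    subjects: list = field(default_factory=list)    # conditions on the Subject part of the request


def eval_condition(cond, request, required):
    """Evaluate one (attribute, operator, value) triple against the request context."""
    attr, op, value = cond
    if attr not in request:
        if required:
            raise MissingAttribute(attr)            # Required: a missing attribute is an error
        values = set()                              # Optional: a missing attribute is an empty set
    else:
        raw = request[attr]
        values = set(raw) if isinstance(raw, (list, set, tuple)) else {raw}
    if op == "=":
        return value in values                      # empty set -> False, as the page describes
    if op == "!=":
        return bool(values) and value not in values
    raise ValueError(f"unsupported operator {op!r}")


def eval_rule(rule, request, required):
    if not rule.conditions:
        return True                                 # an unconditional rule always applies
    results = [eval_condition(c, request, required) for c in rule.conditions]
    return all(results) if rule.match == "All" else any(results)


def evaluate(policy, request):
    """Return (decision, obligations) for a request context dict."""
    required = policy.attributes == "Required"
    try:
        # Subjects: the rules run only if the request matches at least one subject
        if policy.subjects and not any(eval_condition(s, request, required) for s in policy.subjects):
            return NOT_APPLICABLE, []
        # Every rule is processed, even under First precedence, as the page states
        applicable = [r for r in policy.rules if eval_rule(r, request, required)]
    except MissingAttribute:
        # Simplification: one Indeterminate rule makes the whole policy Indeterminate;
        # the enforcement point usually treats that as a deny
        return INDETERMINATE, []
    denies = [r for r in applicable if r.action.startswith(DENY)]
    permits = [r for r in applicable if r.action.startswith(PERMIT)]
    if policy.precedence == "Deny":
        chosen = denies[0] if denies else (permits[0] if permits else None)
    elif policy.precedence == "Permit":
        chosen = permits[0] if permits else (denies[0] if denies else None)
    elif policy.precedence == "First":
        chosen = applicable[0] if applicable else None
    else:
        raise ValueError(f"unknown precedence {policy.precedence!r}")
    if chosen is None:
        return NOT_APPLICABLE, []
    decision = DENY if chosen.action.startswith(DENY) else PERMIT
    return decision, ([chosen.obligation] if chosen.obligation else [])


# Constructed policy: SecurityAdministrator members pass after the hypothetical
# StrongAuthPolicy authentication policy runs; the unconditional Deny at the end
# guarantees that First precedence never returns Not Applicable.
ADMIN_CONSOLE = Policy(
    name="AdminConsoleAccess",
    precedence="First",
    rules=[
        Rule("Permit with Authentication", [("groups", "=", "SecurityAdministrator")],
             obligation="StrongAuthPolicy"),
        Rule("Deny"),
    ],
)

if __name__ == "__main__":
    for ctx in ({"groups": ["SecurityAdministrator"]}, {"groups": ["Users"]}, {}):
        print(ctx, "->", evaluate(ADMIN_CONSOLE, ctx))
```

Running the block shows the three outcomes the page describes for First precedence: a matching subject gets Permit plus the authentication policy, a non-member hits the unconditional Deny, and a request with no groups attribute also falls through to Deny under Optional attributes because the empty set never equals SecurityAdministrator. Switching the same policy to Required turns that last case into Indeterminate, and dropping the unconditional Deny turns the non-member case into Not Applicable.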
Steps
- Log in to the local management interface.
- Click AAC.
- Under Policy, click Access Control.
- In the center panel, click .
- In the Name field, type a unique name for the policy. The name must begin with an alphabetic character. Do not use control characters, leading and trailing blanks, and the following special characters ~ ! @ # $ % ^ & * ( ) + | ` = \ ; : " ' < > ? , [ ] { } / anywhere in the name.
- Optional: In the Description field, type a description for the policy.
- Optional: Specify subjects to which the policy applies.
- Click Add Subject.
- In the first box, select a subject attribute. Begin typing the name of the subject to filter the list.
- In the second box, select an operator.
- In the third box, type a value.
For example, to have the rule to be evaluated only if the access requestor belongs to the SecurityAdministrator group, specify the following selections:
- Parameter
- groups
- Operator
- =
- Value
- SecurityAdministrator
If your LDAP root DN is secauthority=default, we can only use the = (equal) operator in policies that use X.500 names userDN and groupsDN. To specify more subjects, click Add Subject.
- In the Rule section, add one or more rules.
- For Precedence, select the access action to take for the policy.
- For Attributes, select the attribute usage of the policy.
- To add a rule to the policy, click the Add Rule drop-down arrow and choose one of the following:
- Conditional rule: This type of rule contains one or more conditions and an action.
- Unconditional rule: This type of rule contains no conditions.
- If we create an unconditional rule, continue with step 8.h.
- If we are creating a Conditional rule, select whether the rule applies if All conditions are true or if Any of the conditions are true.
- Create a rule by typing or selecting a parameter, operator, and value. To specify a value in the value field, click the drop-down menu on the right and select either Enter Value or Select Attribute.
- Take one of the following actions:
- Click ! to add a NOT operator to the expression. If the expression already has a NOT operator, clicking ! removes the operator.
- Click + to add another expression. The new expression is added below the preceding expression.
- Click - to remove an expression.
- Click () to create a parenthetical expression. Select the appropriate attributes, operators, and values for the expression. Or, add more expressions to the group. The new expression is added below the preceding expression.
- Select the action to take when the rule evaluation is completed.
- Click OK when the rule is complete.
- To add another rule to the policy, repeat step 8.c.
- If the policy has more than one rule, we can change the sequence of the rules by selecting a rule and clicking or . The sequence of the rules is important if we have selected First as the action for the policy.
- Click Save when the policy is complete.
What to do next
Attach the policy to a resource. See Manage access control policy attachments.