Manage access control policy attachments

Attach policies or API protection definitions to resources so the policies and definitions can be enforced.

We must first create policies, policy sets, or API protection definitions, but we cannot use them until we publish them to resources. After publication, they are enforced during the evaluation of access requests.

We can perform the following tasks, each described in step 5 of the procedure: add a resource, attach a policy or API protection definition to a resource, remove an attachment, delete a resource, publish policies or API protection definitions, and modify a resource.

When a deployment is fully configured, the Resources panel displays three levels of entries. The top-level entry is the web container for the protected object space for a server instance. The second level shows the resources in the protected object space. The third level lists the policies and API protection definitions that are attached to each resource.

Tip: The user interface provides a quick filter feature for the top-level entry. Use the quick filter to search for a specific top-level entry. Enter the first few characters of the web container, and the list displays only the entries that contain the specified characters.

Steps

  1. Log in to the local management interface.

  2. Click AAC.

  3. Under Policy, click Access Control.

  4. Click Resources.

  5. Perform one or more of the following actions:

      Add a resource

      If we need to add a resource from a custom domain, see Defining a custom domain for policy attachments.

      1. Click Add. When we add a resource for the first time, the system prompts us to enter the user name, password, and domain for the ISAM policy server. The entered information is cached and used by default when we add a resource again. To change this domain, click Change Domain and then enter the new user name, password, and domain information. This new information replaces the old cached values.

      2. Select the resource type in the Type field.

        • If we select the Reverse Proxy type:

          1. In the Proxy Instance field, click the down arrow icon to display a list of proxy instances. Select an entry.

            The list of proxy instances is taken from the WebSEAL protected object space, directly under /WebSEAL.

          2. Specify a resource by entering its name or browsing for it. When we browse, we can expand the list of resources. The list hierarchy is based on the structure of the WebSEAL protected object space.

            • In some cases, not all resources are displayed because the WebSEAL protected object space is a sparse tree. For example, we might see only the resource /myserver-jct/benefits. We can select this resource and click OK to add it to the Protected Path. We can then add /myserver-jct/benefits/medical.

            • In some cases, we cannot view the object space for the web server junction. For example, if the administrator did not install the IBM Security Verify Access querycontents script on the application server, we cannot see the junction contents. In these cases, we can enter the resource path manually.

        • If we select the Application type:

          1. Select an application ID from the list or click Add New to add an application ID.

          2. Enter the resource ID.

      3. Select an option to set the decision cache timeout period for any authorization decisions of any policy attached to this resource. The decision cache setting takes effect only after the policy is attached to the resource.

      4. Click Save.
      5. Attach a policy to the resource.

      Attach a policy or API protection definition to a resource

      1. Select a resource node and click Attach.

      2. In the Attach Policies panel, select Policies or Policy Sets or API Protection.

      3. From the list, select one or more items.

        Tip: We can type the name in the quick filter.

        Notes:

        • We can attach individual policies, policy sets, or API protection definitions.

        • We cannot attach policies or policy sets to a resource where that resource already has API protection definitions attached.

        • We cannot attach API protection definitions to a resource where that resource already has policies and policy sets attached.

      4. Click OK to save the changes. The policy or API protection definition remains inactive until we publish it.

      Remove a policy or API protection definition attachment

      1. To remove a policy or API protection definition attachment from a resource, select the policy node and click Remove.
      2. When prompted, confirm the deletion. We must publish the change.

      Delete a resource
      When we delete a resource:

      • Be aware of the status of the reverse proxy server the resource is attached to before deleting it:

        • If the reverse proxy server is defined but not available for use, restart the server first. Then, follow the instructions below to delete the resource from the local management interface.

        • If the reverse proxy server has been deleted, force the delete of the resource to remove it from the local management interface.

      • We cannot delete the server node.

      1. To delete a resource and all attached policies or API protection definitions, select the resource node and click Remove.
      2. When prompted, confirm the deletion.

      We do not have to manually publish the change. The deletion is automatically published.

      Publish policies or API protection definitions

      Publish a specific policy or API protection definition, or publish all of them at once:

      • Publish: Select a resource in the resource hierarchy and click Publish. When the publication completes, the status column for the resource indicates the status and time of the publication.
      • Publish All: Click Publish All and then respond to the confirmation. This action publishes only those policies or API protection definitions that have a status of Publish required.

        When the publication completes, the status column for the resources indicates the status and time of the publication.

      Activation of a single published policy or API protection definition might take up to a minute to complete.

      Modify Resource
      We can use this function only if policies or policy sets are attached to the resource.

      1. Select a resource node and click Edit.

      2. In the Modify Resource panel, we can modify the Policy Combining Algorithm. Choose the preferred algorithm:

        • Deny access if any attached policy returns deny

          If both of the following statements are true, then the access request is denied.

          • Multiple policies or API protection definitions are attached to a resource.
          • Any one of the policies or API protection definitions returns Deny.

        • Permit access if any attached policy returns permit

          If both of the following statements are true, then the access request is permitted.

          • Multiple policies or API protection definitions are attached to a resource.
          • Any one of the policies or API protection definitions returns Permit.

      3. Modify the setting for the decision cache timeout period for any authorization decisions of any policy attached to this resource. The decision cache setting takes effect only after the policy is attached to the resource.
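The following Python model, added here as an illustration and not part of the product or its documentation, shows how the two Policy Combining Algorithms above change the outcome for the same set of per-policy decisions, and encodes the attachment rules from this page (policies and API protection definitions are mutually exclusive on a resource; an attachment stays inactive until published; Publish All affects only resources in the Publish required state). It assumes decisions are only Permit or Deny and that, when no policy triggers the override, the opposite decision is returned.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"

class Combining(Enum):
    # The two Policy Combining Algorithm choices in the Modify Resource panel
    DENY_OVERRIDES = "Deny access if any attached policy returns deny"
    PERMIT_OVERRIDES = "Permit access if any attached policy returns permit"

def combine(decisions, algorithm):
    """Fold the per-policy decisions for one resource into a single decision.
    Assumed (not stated on the page): when no policy triggers the override,
    the opposite decision is returned (decisions are Permit or Deny only)."""
    if not decisions:
        raise ValueError("no attached policy returned a decision")
    if algorithm is Combining.DENY_OVERRIDES:
        return Decision.DENY if Decision.DENY in decisions else Decision.PERMIT
    return Decision.PERMIT if Decision.PERMIT in decisions else Decision.DENY

@dataclass
class Resource:
    path: str
    algorithm: Combining = Combining.DENY_OVERRIDES
    policies: list = field(default_factory=list)
    api_definitions: list = field(default_factory=list)
    publish_required: bool = False  # the "Publish required" status column value

    def attach_policy(self, name):
        # A resource with API protection definitions cannot also take policies
        if self.api_definitions:
            raise ValueError(f"{self.path} already has API protection definitions")
        self.policies.append(name)
        self.publish_required = True  # attachment is inactive until published

    def attach_api_definition(self, name):
        if self.policies:
            raise ValueError(f"{self.path} already has policies attached")
        self.api_definitions.append(name)
        self.publish_required = True

def publish_all(resources):
    """Publish All: publishes only resources whose status is 'Publish required'."""
    published = [r.path for r in resources if r.publish_required]
    for r in resources:
        r.publish_required = False
    return published
```

With a Permit and a Deny from two attached policies, deny-overrides yields Deny and permit-overrides yields Permit; the two algorithms agree whenever all attached policies return the same decision.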

Parent topic: Access control policies