Manage policy attachments

Attach policies or API protection definitions to resources so the policies and definitions can be enforced.

Create policies, policy sets, or API protection definitions.

When we create policies, policy sets, or API protection definitions, we cannot use them until we publish them to resources. Once policies, policy sets, or API protection definitions are published, they are enforced during the evaluation of access requests.

We can:

When a deployment is fully configured, the Resources panel displays three levels of entries. The top-level entry is the web container containing the protected object space for a server instance. The second level shows the resources in the protected object space. The third level lists the policies and API protection definitions that are attached to each resource.

Tip: The user interface provides a quick filter feature for use on the top-level entry. Use the quick filter to search for a specific top-level entry. Enter the first few characters of the web container, and the list displays only the entries that contain the specified characters.

Steps

  1. Log in to the local management interface.

  2. Click AAC.

  3. Under Policy, click Access Control.

  4. Click Resources.

  5. Perform one or more of the following actions:

      Add a resource

      1. Click Add. When we add a resource for the first time, the system prompts us to enter the user name, password, and domain for the ISAM policy server. The entered information is cached and used by default when we add a resource again. To change this domain, click Change Domain and then enter the new user name, password, and domain information. This new information replaces the old cached values.

      2. Select the resource type in the Type field.

        • If we select the Reverse Proxy type:

          1. In the Proxy Instance field, click the down arrow icon to display a list of proxy instances. Select an entry.

            For example, the list of proxy instances is the WebSEAL protected object space that is defined directly under /WebSEAL.

          2. Specify a resource by entering its name or browsing for it. When we browse, we can expand the list of resources. The list hierarchy is based on the structure of the WebSEAL protected object space.

            • In some cases, not all resources are displayed because the WebSEAL protected object space is a sparse tree. For example, we might see only the resource /myserver-jct/benefits. We can select this resource and click OK to add it to the Protected Path. We can then add /myserver-jct/benefits/medical.

            • In some cases, we cannot view the object space for the web server junction. For example, if the administrator did not install the IBM Security Verify Access querycontents script on the application server, we cannot see the junction contents. In these cases, we can enter the resource path manually.

        • If we select the Application type:

          1. Select an application ID from the list or click Add New to add a new application ID.

          2. Enter the resource ID.

      3. Click Save.
      4. Attach a policy to the resource.

      Attach a policy or API protection definition to a resource

      1. Select a resource node and click Attach.

      2. In the Attach Policies panel, select Policies or Policy Sets or API Protection.

      3. From the displayed list, select one or more policies or policy sets or API protection definitions.

        Tip: We can type the name of the applicable policy or policy set or API protection definition in the quick filter.

        Notes:

        • We can attach individual policies, policy sets, or API protection definitions.

        • We cannot attach policies or policy sets to a resource where that resource already has API protection definitions attached.

        • We cannot attach API protection definitions to a resource where that resource already has policies and policy sets attached.

      4. Click OK to save the changes. The policy or API protection definition remains inactive until we publish it.

      Remove a policy or API protection definition attachment

      1. To remove a policy or API protection definition attachment from a resource, select the policy node and click Remove.
      2. When prompted, confirm the deletion. We must publish the change.

      Delete a resource

      1. To delete a resource and all attached policies or API protection definitions, select the resource node and click Remove.
      2. When prompted, confirm the deletion.

        When we delete a resource:

        • We cannot delete the server node.
        • We do not have to manually publish the change. The deletion is automatically published.

      Publish a policy or API protection definition
      Select a resource in the resource hierarchy and click Publish. When the publication completes, the status column for the resource indicates the status and time of the publication. Activation of the published policy or API protection definition could take up to a minute to complete.

      Modify Resource
      We can use this function only if policies or policy sets are attached to the given resource.

      1. Select a resource node and click Edit.

      2. In the Modify Resource panel, we can modify the Policy Combining Algorithm. Choose the preferred algorithm:

        • Deny access if any attached policy returns deny

          This algorithm means that if multiple policies or API protection definitions are attached to a resource, and any one of those policies or API protection definitions returns Deny, then the access request is denied.

        • Permit access if any attached policy returns permit

          This algorithm means that if multiple policies or API protection definitions are attached to a resource, and any one of those policies or API protection definitions returns Permit, then the access request is permitted.
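The attach, publish and combining rules above can be checked with a small model. This is an added example, not product code or a product API: the Resource class, its method names, the two sample policies and the request are constructed for illustration. It assumes every policy returns only Permit or Deny, and that when no policy returns the overriding decision the result is the opposite decision.

```python
from dataclasses import dataclass, field

DENY_OVERRIDES = "Deny access if any attached policy returns deny"
PERMIT_OVERRIDES = "Permit access if any attached policy returns permit"

@dataclass
class Resource:  # hypothetical model of one entry in the Resources panel
    path: str
    algorithm: str = DENY_OVERRIDES
    kind: str = ""                                 # "policy" or "api_protection"
    attached: dict = field(default_factory=dict)   # edited state: name -> decision function
    published: dict = field(default_factory=dict)  # enforced state

    def attach(self, name, decide, kind="policy"):
        # Policies/policy sets and API protection definitions cannot share a resource.
        if self.attached and kind != self.kind:
            raise ValueError(f"{self.path} already has {self.kind} attachments")
        self.kind, self.attached[name] = kind, decide

    def remove(self, name):
        del self.attached[name]                    # takes effect only after publish()

    def publish(self):
        self.published = dict(self.attached)

    def pending(self):
        # Attachments added or removed since the last publish.
        return sorted(set(self.attached) ^ set(self.published))

    def evaluate(self, request):
        decisions = [decide(request) for decide in self.published.values()]
        if not decisions:
            return None  # nothing published; product behaviour here is not on the page
        if self.algorithm == DENY_OVERRIDES:
            return "Deny" if "Deny" in decisions else "Permit"
        return "Permit" if "Permit" in decisions else "Deny"

# Constructed sample policies and request.
def business_hours(req):
    return "Permit" if 8 <= req["hour"] < 18 else "Deny"

def internal_network(req):
    return "Permit" if req["ip"].startswith("10.") else "Deny"

if __name__ == "__main__":
    res = Resource("/myserver-jct/benefits")
    res.attach("business_hours", business_hours)
    res.attach("internal_network", internal_network)
    res.publish()
    for algorithm in (DENY_OVERRIDES, PERMIT_OVERRIDES):
        res.algorithm = algorithm
        print(algorithm, "->", res.evaluate({"hour": 22, "ip": "10.0.0.5"}))
```

With the same two policies and the same off-hours request from an internal address, the first algorithm denies and the second permits, so changing the Policy Combining Algorithm on a resource with several attachments deserves the same review as changing a policy.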
