Creating an access control policy
Use the Policy Editor on the appliance local management interface to create and configure an access control policy.
Before you begin
Before you create an access control policy:
- Ensure that the attributes and obligations you want to use in the policy are defined and available in the local management interface.
- Ensure that the risk profile you want to use is set as active. See Managing risk profiles.
About this task
- Name and description
- Specify a unique name for the policy and optionally include a description of the policy.
- Subjects
- Optionally specify one or more subjects to which the policy applies. Subjects can be anything in the Subject part of an access request. For example, use this field to specify that the policy applies to subjects who are members of the SystemAdministrators group. Click Add Subject to add subjects to the policy. Click the remove icon to remove a subject from the policy. By specifying subjects, you can ensure that the policy rules are evaluated only if they match at least one of the specified subjects.
- Rules
- The Rules section has several settings:
- Precedence
- Specify an access action to take on the policy.
- Deny
- If any rule in the policy returns deny, the policy returns deny.
- Permit
- If any rule in the policy returns permit, the policy returns permit.
- First
- Access is permitted or denied based on the outcome of the first rule in the policy that can be evaluated against the access request. The rules in the policy are evaluated in the same order they are listed. The policy returns Not Applicable if none of the rules evaluates to true. To ensure that either a Permit or Deny decision is returned, include in the policy a Permit or Deny rule that does not contain a condition.
- Attributes
- When a policy is evaluated, the runtime attempts to retrieve the values for all attributes that are specified in the policy. Attributes that are not found in the incoming request are considered missing. The Attributes setting controls how missing attributes are handled.
- Optional
- If Attributes is set to Optional, then all attributes specified in the Rule section of the policy are considered optional. With this setting, missing attributes are treated as empty sets and evaluated against the expression. In most cases, a missing attribute will cause the rule expression to return false.
- Required
- If Attributes is set to Required, then all attributes specified in the Rule section of the policy are considered required. With this setting, missing attributes are considered an error and will return a decision of Indeterminate when the rule is evaluated. Indeterminate results often cause the access request to be denied.
- Add Rule
- Click the Add Rule drop-down arrow and select either:
- Conditional rule: This type of rule contains one or more conditions and an action. Rules are boolean expressions that are applied to a set of context attributes that are passed in the context object of the decision request. Each rule has an If statement and a Then statement. The If statement specifies the conditions that are checked when an access request is received. The Then statement specifies the action to take when the rule conditions are true.
- Unconditional rule: This type of rule contains only an action and no conditions.
The rule actions are:
- Permit
- The request must be permitted to pass.
- Permit with Obligation
- A specific action must take place before the request is permitted to pass. Specify the action in the adjacent field.
- Permit with Authentication
- A specific authentication action must take place before the request is permitted to pass. Specify the authentication policy in the adjacent field. For more information about authentication policies, see Authentication policies.
- Deny
- The request must be denied and not permitted to pass.
- Deny with Obligation
- The request is denied and an obligation is processed.
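To make the Precedence and Attributes settings concrete, the following is an added Python model of the decision logic this topic describes (the Subjects filter, Deny/Permit/First precedence, and Optional versus Required attribute handling). It is illustrative code, not the appliance runtime; the request layout, the `request["subject"]` matching rule, and the sample policy are assumptions constructed for the example.

```python
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

class MissingAttribute(Exception):
    """Raised when Attributes=Required and the request lacks an attribute."""

class Rule:
    def __init__(self, action, condition=None, attrs=()):
        self.action = action        # Permit or Deny (obligation variants omitted)
        self.condition = condition  # None models an unconditional rule
        self.attrs = tuple(attrs)   # attribute names the If statement reads

def lookup(request, name, mode):
    """Optional: a missing attribute is an empty set. Required: it is an error."""
    if name in request:
        return set(request[name])
    if mode == "Required":
        raise MissingAttribute(name)
    return set()

def evaluate_rule(rule, request, mode):
    if rule.condition is None:
        return rule.action
    try:
        values = {a: lookup(request, a, mode) for a in rule.attrs}
    except MissingAttribute:
        return INDETERMINATE  # a Required attribute is absent; rule cannot be evaluated
    return rule.action if rule.condition(values) else NOT_APPLICABLE

def evaluate_policy(rules, request, precedence, attributes="Optional", subjects=()):
    # Subjects (assumed to arrive in request["subject"]): when any are listed,
    # the rules are evaluated only if the request matches at least one of them.
    if subjects and not set(subjects) & set(request.get("subject", [])):
        return NOT_APPLICABLE
    results = [evaluate_rule(r, request, attributes) for r in rules]
    if precedence == "First":  # the first rule that could be evaluated decides
        return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)
    wins = DENY if precedence == "Deny" else PERMIT  # Deny / Permit precedence
    if wins in results:
        return wins
    if INDETERMINATE in results:
        return INDETERMINATE  # the enforcement point usually treats this as a deny
    other = PERMIT if wins == DENY else DENY
    return other if other in results else NOT_APPLICABLE

# Constructed sample policy: permit SystemAdministrators, otherwise deny.
ADMIN_POLICY = [
    Rule(PERMIT, lambda v: "SystemAdministrators" in v["groups"], attrs=("groups",)),
    Rule(DENY),  # unconditional fallback so a decision is always returned
]
```

Note how a request with no `groups` attribute falls through to the unconditional Deny under Optional, but yields Indeterminate under Required because the first rule cannot be evaluated at all.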