Table Of Contents
Preface
Objective
What's New
Audience
Document Organization
Document Conventions
Related Documentation
Changes to This Document
Obtaining Documentation and Submitting a Service Request
Preface
This preface explains the objectives, intended audience, and organization of the Cisco Enterprise Policy Manager User Guide and describes the conventions that convey instructions and other information.
The preface contains the following sections:
• Objective
• Audience
• Document Organization
• Document Conventions
• Related Documentation
• Changes to This Document
• Obtaining Documentation and Submitting a Service Request
Objective
Enterprises are facing enormous pressure to simultaneously protect sensitive data and meet compliance requirements, increase business process efficiencies, and bring new revenue-generating services to market within very limited time and cost constraints. Policy-based access control is a critical component of security and compliance efforts, and it can reduce the costs and complexity of securely managing and auditing access privileges.
In most dynamic business organizations, critical information and resources, such as financial data, confidential records, and web services reside on distributed servers, each having its own unique set of users, access policies, and administrative parameters. Additionally, business resources are being exposed to a wider range of users whose roles and entitlements are dynamic and frequently changing.
Multiplied across a large enterprise, this creates an environment that is highly complex to systematically and securely administer. The solution to this problem is entitlement management: the application of policy-based, fine-grained access control.
The Cisco Enterprise Policy Manager (CEPM) is a scalable, standards-based product for managing entitlements. The PDP leverages and extends the already deployed application and security infrastructure, including existing identity management solutions or repositories.
A structured approach to the CEPM architecture makes the rationale for entitlement management explicit: policies are composed of policy attributes and encapsulated rules, and are applied to the resources of your application.
This document describes in detail the various functionalities provided by the administration console to configure the entitlement mechanism for your applications.
What's New
• Resource Group—Resources of a particular type can be grouped together to simplify managing entitlements for a set of resources. A resource group has the same resource type as the resources it is composed of. A resource group can be created in two ways: ad hoc or rule-based. Refer to Resource Group, page 78 for more information.
• Policy Cache—CEPM introduces Policy Cache, a framework that allows policy data to be cached so that policy evaluation can be done quickly in memory rather than sending every call to the database. The policy cache infrastructure (PDP application memory) provides better response times for access requests and improves application performance. Refer to the CEPM Policy Cache Guide for more information on the deployment scenarios and configuration details.
Audience
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
Document Organization
This guide contains the following chapters and appendixes:
• Chapter 1, "Cisco Enterprise Policy Manager"
• Chapter 2, "Overview of the PAP Console"
• Chapter 3, "Login Page and Home Page"
• Chapter 4, "Manage Entities"
• Chapter 5, "Manage Entitlements"
• Chapter 6, "Auditing and Reporting"
• Chapter 7, "System Config"
• Chapter 8, "Delegated Administration"
• Appendix A, "Policy Combining Algorithm and Obligation"
• Appendix B, "PAP User Login Authentication Using LDAP and SSO"
• Appendix C, "Open Source License Acknowledgements"
Document Conventions
Caution: Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Related Documentation
The following documents are available with this release:
Table 1 List of Documents available with CEPM V3.3.1.0

Each entry gives the documentation title, followed by a description and the location of the document on Cisco.com.

CEPM User Guide V3.3.1.0
Provides detailed information about various features and functionalities available in CEPM.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/User_Guide/CEPM_User_Guide_V3310.html

CEPM Install and Config Guide V3.3.1.0
Provides step-by-step instructions on how to install CEPM components, such as the Policy Administration Point (PAP) and Policy Decision Point (PDP), in various supported combinations of operating system, database, and application server.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Installation_Guide/Install_and_Config_Guide/CEPM_Install_and_Config_Guide_V3310.html

CEPM Quick Start Guide V3.3.1.0
Provides a quick, step-by-step procedure for starting up and using CEPM. This guide also walks you through the setup of a basic application and its resources, the securing of its resources with policies, and the testing of those policies.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Quick_Start_Guide/CEPM_Quick_Start_Guide_V3310.html

CEPM Concept Guide V3.3.1.0
Provides general information on CEPM architecture and entitlement management.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Concept_Guide/CEPM_Concept_Guide_V331.html

CEPM Resource Models V3.3.1.0
Describes concepts related to basic policy-based application entitlement, which ensures that a subject accessing a resource (or invoking an action on a resource) is allowed or denied based on attribute-based rules.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Resource_Models/CEPM_Resource_Models_V3310.html

CEPM Deployment and Capacity Planning Guide V3.3.1.0
Discusses the different deployment options that are possible using CEPM. It also recommends the database size depending on the parameters of the application that is being protected by CEPM.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Capacity_Planning_Guide/CEPM_Capacity_Planning_Guide.html

CEPM Policy Cache Guide V3.3.1.0
Provides various deployment scenarios and guidelines to configure the Policy Cache in CEPM.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Guide/Policy_Cache_Guide/EPMPolicyCacheGuide.html

CEPM Java Developers Guide V3.3.1.0
Provides guidelines for using the Policy Enforcement Point (PEP) and PAP APIs, and provides instructions for configuring the PEP agent and Java Server Page (JSP) tag libraries.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Developer_Guide/Java_Developer_Guide/CEPM_Java_Developers_Guide_V3310.html

CEPM Dotnet Developers Guide V3.3.1.0
Provides guidelines for using the PEP and PAP APIs, and provides instructions for configuring the PEP agent for .NET applications.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Developer_Guide/Dotnet_Developer_Guide/CEPM_Dotnet_Developers_Guide_v331.html

CEPM PAP Configuration Guide V3.3.1.0
Provides guidelines to configure the PAP configuration parameters available in the pap_config.xml file.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/PAP_Config_Guide/CEPM_PAP_Configuration_Guide.html

CEPM PDP Configuration Guide V3.3.1.0
Provides guidelines to configure the PDP configuration parameters available in the pdp_config.xml file.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/PDP_Config_Guide/EPMPDPConfigs_chap.html

CEPM PEP Configuration Guide V3.3.1.0
Provides guidelines to configure the PEP configuration parameters available in the pep_config.xml file.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Configuration_Guide/PEP_Config_Guide/EPMPEPConfigs_chap.html

CEPM Dotnet Agent Guide V3.3.1.0
Provides step-by-step instructions for deploying the CEPM Dotnet Agent used by any .NET-based application (either a desktop or a web-based application). It also describes the COM-wrapped agent, which is supported for VB, C++, and other Windows-based applications.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Agent/Dotnet_Agent/CEPM_Dotnet_Agent_Guide_V331.html

CEPM JAX-WS Agent Guide V3.3.1.0
Provides an overview of the CEPM JAX-WS Agent and explains the steps for configuring this agent in applications running in Tomcat server and WebSphere Application Server.
Location on Cisco.com: http://www.cisco.com/en/US/docs/security/epm/epm331/Agent/JAX-WS_Agent/CEPM_JAX-WS_Agent_Guide.html
Changes to This Document
Table 2 lists the changes made to this document since it was first released.
Table 2 Changes to This Document

Date: June 10, 2010
Change Summary: Cisco Enterprise Policy Manager (EPM) Release 3.3.1.0
The following changes were made to this document in this release:
• The Resource Group feature was added. Refer to Resource Group, page 78 for more information.
• Updates were made to address internal documentation bug fixes.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.