CEPM User Guide
Manage Entities

Table Of Contents

Manage Entities

User Management

Listing or Searching for Users

Creating or Updating a User

Assigning Groups to User

Assigning Roles to a User

Assigning Resources to a User

Assigning Multiple Users to a Role

Assigning Multiple Users to a Group

Deleting a User

Clone User

Copy Entitlements

Viewing Entitlements

Defining Entitlements

Viewing Role and Group Memberships of a User

Importing Users

Importing Users from an XML File

Import Users from an LDAP

Exporting Users

Exporting Users to an MS Excel File

Export Users to an XML File

User Types

For Updating a User Type

Group Management

Listing or Searching for Groups

Creating or Updating Groups

Assigning Users to a Group

Assigning Roles to a Group

Assign Resources to a Group

Assigning Multiple Users to a Group

Assigning Multiple Groups to a Role

Deleting a Group

Importing Groups

Creating, Updating, or Deleting Group Types

Role Management

Listing or Searching for Roles

Creating or Updating a Role

Reference Role/Group

Dynamic Role/Group

Assigning Users to a Role

Assigning Groups to a Role

Assigning Resources to a Role

Assigning Multiple Users to a Role

Assigning Multiple Groups to a Role

Deleting a Role

Importing Roles

Exporting Roles

Role Types

Configuring SoD Roles

Configuring DSoD Roles

Role Bundles

Resource Management

Listing or Searching for Resources

Creating or Updating a Resource

Creating Resources from External Sources

Creating Resources from WSDL Source

Creating Resources from Database Source

Creating Resources with Expression

Assigning Users to a Resource

Assigning Groups to a Resource

Assigning Roles to a Resource

Deleting a Resource

Copying a Resource

Importing Resources

Exporting Resources

Creating, Updating, or Deleting a Resource Type

Application Attributes

Prehook Handlers

Import/Export

Import Entities:

Export Entities:


Manage Entities


This chapter explains the various operations that you can perform on the Manage Entities tab in the PAP administration console.

User management—Create, update, delete, import, export, and clone users. Copy entitlements, define entitlements, and view entitlements for users. Assign roles, groups, and resources to users. Create user types. Add users to roles and add users to groups.

Group management—Create, update, delete, and import groups. Assign users, roles, and resources to groups. Create group types. Add users to groups and add groups to roles.

Role management—Create, update, delete, import, and export roles. Configure SoD roles and DSoD roles. Assign users, groups, and resources to roles. Create role types. Add users to roles and add groups to roles. Configure role bundles.

Resource management—Create, update, delete, import, export, and copy resources. Create resources from expression and create resources from external sources. Create resource types. Assign users, groups, and roles to resources (which creates policies for users, groups, and roles). Edit policy, configure Policy Combining Algorithm and obligations, add attributes to return, add policy attributes, and configure rules for policies.

Application attributes—Add attributes to the existing application attribute sources (PIPs).

Import/Export—Import / Export any or multiple entities on a particular application, application group, or Global in the PAP.


Note The following notes which brief you about the expected behavior of the below-mentioned functionalities across the PAP console.

View Entities under various resource levels:

In CEPM, entities are displayed in the following pattern under different level of resources:

If Global is selected, entities created under the Global level displayed.

If Application Group is selected, entities created under the Global level and that application group (but not the applications) are displayed. This is applicable only when entities are listed in a table and not applicable when the entities are displayed in a tree structure.

If Application is selected, entities created under the Global level, Application Group to which the selected application belongs, and that Application would be displayed.

For example, in Home > Manage Entities > Users page, if you select Global in `Select Application' dropdown, you can see the users created under the Global level only. Similarly, if you select any application group, the users created under that application group as well as Global users are displayed. But if you select an application, it displays Global users, users created under the application group to which this application belongs, and the users created under that application.

Pagination:

Pagination is supported widely across CEPM PAP UI while sorting out entities in a list or in a table. The list or tables are scaled out to accommodate limited number of entities giving way to the pagination feature.

If entities are displayed in a table from the list user/group/role page, search user/group/role page, etc., paginating lists are automatically generated when the number of entities exceed 50. For example, in Home > Manage Entities > Users page, while searching for a user with the specific search key, if the number of users exceed 50, only the first 50 users are displayed in the List Users page. You can checkout for remaining users by using the pagination features such as First, Prev, Next, and Last buttons.

If the Assign entities are displayed in a table, such as Assign Users, Assign Groups, etc.), the tables will contain the first 500 entities. If the number of entities exceed 500, you must make use of the Search functionality to find out a user who is not within the first 500 users. For example, in Home > Manage Entities > Roles > Assign Users to a Role page, if the number of users exceeds 500, only the first 500 users are displayed in the Users table. To get the 501st user, make use of the Search functionality provided in this page.

If the entities are displayed in a tree structure (as in case of resource hierarchy), pagination is automatically done if the number of entities exceed 100.


User Management

A user is an employee or external customer or partner of the enterprise who makes a request to access a resource in the software application that needs to be protected. You can assign users to groups as well as roles. Users can be associated with certain characteristics or attributes that contain information about the users.

User management functionality allows you to carry out the following functions related to the management of application users:

List or search for users

Create or edit a user

Delete user

Clone user

Copy entitlements

View entitlements

Define entitlements

View roles and groups to which the user belongs

Import users

Export users

Create user types

Listing or Searching for Users

This page holds the complete list of users present under the selected resource level. To view a list of users or search for a user in a particular application, application group, or Global, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 From the Select Application drop-down list, select the appropriate application, application group, or Global. This page holds the complete list of users depending upon the selected resource level in the following pattern:

Global—If Global is selected, only the Global users (created under the global level) are displayed.

Application Group—If an application group is selected, the list displays all the global users and the users created under the selected application group.

Application—If an application is selected, the list displays all the global users, the users created under the application group to which the selected application belongs, and also the users created under that application.

Figure 4-1 User Home page

Step 3 Search for a particular user in the Search section.

Figure 4-2 Search Section

This section allows you to search for specific users depending upon the search criteria that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria to search for users:

Search for User by Name

Search for User by First Name

Search for User by Last Name

Search for User by E-mail Id

Default

<Other available User Types>

Select any user type as the Search key to get all users created using that user type. For example, if you select Default, the result includes users of `Global:Default' user type only. You can further refine the result through search by using the keywords as shown below:

Enter the value to be searched in the Search text box. You can also use the asterisk wild card character (*) as part of the search value.

For example, to get the list of all the users having 'M' as the first character in their first name, select the search criteria of Search for User by First Name and enter a search value of M*, and click Search. The list of users matching the search criteria and search value is displayed in the List Users section. The following is a sample search result.

Figure 4-3 Search Result

If the search result contains more than 50 users, the list of users span more than one page. In that case, the list shows multiple page numbers in a sequence starting from 1 onwards (1 2 3 ...). You can navigate to a particular page by clicking the page number.

Step 4 Click Clear to clear the value entered in the search value field.

You can click the following icons in the List Users page to perform the operations described here:

Click this button to create a new user in PAP. For more information, refer to Creating or Updating a User.

Click this button to import users into PAP either from an XML file or from an LDAP. For more information, refer to Importing Users.

Click this icon to export information about the users that are in PAP to an MS Excel file or to an XML file. For more information, refer to Exporting Users.

Click this icon to view the role/group memberships of that user. Before you click this icon,check the check box beside the user name whose role and group memberships you want to view. For more information, refer to Viewing Role and Group Memberships of a User.

[User name]

Click the user name to edit the information of that user. For more information, refer to Creating or Updating a User.

Click this icon to delete one or more users from PAP. Before you click this icon, select the check box beside the user names that you want to delete. For more information, refer to Deleting a User.

Click this icon to create a clone of an existing user. Before you click this icon, select the check box beside the user name whose clone you want to create. The cloned user inherits the role membership, group membership, and entitlements of the parent user. For more information, refer to Clone User.

Click this icon to copy entitlements of one resource to another. Before you click this icon, select the check box beside the user name whose entitlements you want to copy. For more information, refer to Copy Entitlements.

Click this icon to view the entitlements of a particular user. Before you click this icon, select the check box beside the user name whose entitlements you want to view. For more information, refer to Viewing Entitlements.

Click this icon to define entitlements for a particular user. Before you click this icon, select the check box beside the user name for whom you want to define the entitlements. For more information, refer to Defining Entitlements.



Creating or Updating a User

To create or update a user in a particular application, application group, or Global, follow these steps:

Figure 4-4 Create or Update User

Step 5 Enter the following information in this page for creating or updating user:

User Name—Unique name for the user.


Note The user names have a limitation of 100 characters and the special characters allowed are hash(#), dollar($), ampersand(&), parenthesis[()], less than(<), greater than(>), tilde(~), apostrophe('), plus(+), forward slash(/), asterisk(*), hypen(-), underscore(_), and at sign(@).


First Name—First name of the user.

Last Name—Last name of the user.

E-mail ID—E-mail ID of the user.

User Status—Set it to Active. If set to Inactive, this user is not allowed to access any of the resources.

User Type—Select an appropriate user type for this user. By default, the value selected for the User Type is Global:Default. You can create a new user type by clicking Create New User Type. Click View Attributes to view the attributes associated with the user type.

Step 6 Click Save to save the above information in PAP.

Step 7 To assign this user to any role, group, or resource on this page, click Next or click the appropriate tab i.e. Assign Roles, Assign Groups, or Assign Resources, to assign this user to the appropriate roles, groups, or resources.

Step 8 Click Done after you have created or updated the user information and assigned it to appropriate roles, groups, or resources.


Note Assigning the new user to roles, groups, and resources is not mandatory on this page. This operation can also be carried out later using either of the methods described below, after the user is successfully created in the PAP:

In the User Management page (Manage Entities > Users), select the user name, for which you want to assign roles, groups, or resources. The Create/Update User page is displayed. On this page, you can click the appropriate tab, Assign Roles, Assign Groups, or Assign Resources, to assign the selected user to the appropriate roles, groups, or resources. You can also click Next to navigate through these tabs one by one.

You can click the links, Add Users to Roles and Add Users to Groups in the Manage Entities > Advanced > Entity Assignments section to add the user to appropriate roles and groups respectively.

Assigning Groups to User

After creating a user, you can assign groups to it.

To assign groups to a user, follow these steps:


Step 1 Go to the Create or Update Users page.

Step 2 Click the Assign Groups tab.

The Assign Groups page is displayed.

Figure 4-5 Assign Groups to Users

Step 3 If a large number of groups are under the selected application, you can search for a particular group using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a group, enter the full name (not the fully qualified name) or first few characters of the group name, select the Search group from the drop-down list, and click Search. All the Groups that match the search criteria are displayed.

Step 4 Assign a context for the user-group association that you are going to create by clicking the Context icon that is next to the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the user-group association.

The Assign Group page contains two list boxes. The Groups list box contains the groups that are not assigned to the user. The Assigned Groups list box contains the groups that are assigned to the user.

Step 6 To assign a group to the user, select that group in the Groups list box and click the Assign icon. The selected group is moved from the Groups list to the Assigned Groups list.

Step 7 To unassign any assigned groups in the Assigned Groups list box, click the group name and click the Unassign icon. The selected group is unassigned and it is moved from the Assigned Groups list to the Groups list.

Step 8 To set the user attribute and group attribute values to this user-group association, select the assigned group and click the Set Scoped Attribute Values icon next to the Actions label.

Step 9 Click Save to complete the user-group association.


Assigning Roles to a User

After creating a user, you can assign roles to the user.

To assign roles to a user, follow these steps:


Step 1 Go to Create or Update Users page.

Step 2 Click the Assign Roles tab.

The Assign Roles page is displayed.

Figure 4-6 Assign Roles to Users

Step 3 If a large number of roles are under the selected application, you can search for a particular role or roles using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a role, select the Search Role from the drop-down list, enter the full name (not the fully qualified name) or first few characters of the role name, and click Search. All the roles that match the search criteria are displayed.

Step 4 Select the appropriate role bundle from the Role Bundle list.

Step 5 Assign a context for the user-role association that you are going to create by clicking the Context icon that is near the context label. A list of contexts is displayed.

Step 6 Select the appropriate context from the list to apply the context to the user-role association.

The Assign Role page contains two list boxes. The Roles list box contains the roles that are not assigned to the user. The Assigned Roles list box contains the roles that are assigned to the user.

Step 7 To assign a role to the user, select that role in the Roles list box and click the Assign icon. The selected role is moved from the Roles list to the Assigned Roles list.

Step 8 To unassign the assigned roles in the Assigned Roles list box, click the role name and click the Unassign icon. The selected role is unassigned and it is moved from the Assigned Roles list to the Roles list.

Step 9 To set the user attribute and role attribute values to this user-role association, select the assigned role and click the Set Scoped Attribute Values icon near the actions label.

Step 10 Click Save to complete the user-role association.


Assigning Resources to a User

After creating a user, you can assign resources to the user.

To assign resources to a user, follow these steps:


Step 1 Go to Create or Update Users page.

Step 2 Click the Assign Resources tab.

The Assign Resources page is displayed.

Figure 4-7 Assign Resources to Users

Step 3 If a large number of resources are under the selected application, you can search for a particular resource or resources using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a resource, select the Search Resource from the drop-down list, enter the full name (not the fully qualified name), or first few characters of the resource name, and click Search. All the resources that match the search criteria are displayed.

Step 4 Assign a context for the user-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the user-resource association.

The Assign Resources page contains three list boxes. The Resources list box contains the resources that are not assigned to the user. The Allowed Resources and Denied Resources list boxes contain the resources that are assigned to the user, with either the Allow or Deny permission.

Step 6 To assign a resource to the user with Allow permission, select that resource in the Resources list box and click the Assign Allowed Resources icon. The selected resource is moved from the Resources list to the Allowed Resources list.

Step 7 To assign a resource to the user with Deny permission, select that resource in the Resources list box and click the Assign Denied Resources icon. The selected resource is moved from the Resources list to the Denied Resources list.

Step 8 To unassign the assigned resources in the Allowed Resources or Denied Resources list box, click the resource name and click the Unassign icon. The selected resource is unassigned and it is moved from the Allowed Resources or Denied Resources list to the Resources list.

Step 9 For the user-resource association, you can also assign rules, configure Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

To do this, select the assigned resource and click the appropriate icon near the actions label as explained here:

Add rule—Click the Add rule icon. The pop-up page for adding the rules is displayed. For more information, refer to Add Rules to a Policy, page 5-11.

Configure Policy Combining Algorithm—Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm, page 5-4.

Add attributes to return—Click the Add attributes icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation, page 5-5.

Add policy attributes—Click the Add Policy attribute icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes, page 5-8.

Edit policy—Click theEdit Policy icon . The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations, page 5-6.

Step 10 Click Save to complete the user-resource association.


Assigning Multiple Users to a Role

You can assign multiple users to a role in the PAP.

To assign multiple users to a role, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Assignments > Add Users to Roles.

The Assign Users to Roles page is displayed.

Step 2 Select the application, application group, or Global under which the users are to be assigned to the existing roles.

Step 3 Select the appropriate role bundle from the Role Bundle drop-down list.

Step 4 Select the appropriate context by clicking the Context icon in the upper-right side of the page.

All the users and roles pertaining to the selected application, application group, or Global are displayed in the Users section and Roles section respectively.

Figure 4-8 Assigning mutiple Users to a Role

Step 5 To search for a particular user or particular role, enter the appropriate search criteria and search value in the Search section for users and roles.

Step 6 In the Users list, select the check boxes for the users for whom the roles need to be assigned.

Step 7 In the Roles list, click the Map Users icon beside the role name to which you want to assign the selected users.

This completes the mapping of the selected users to the selected roles.

To export the information aboutthe roles mapped to users to an MS Excel/XML file, click Export.

To import the information, click Import .

To view the users that are assigned to a role, click the List Users icon next to the role name. For example, in the List Users for Role, if you want to view the users mapped to Dynamic role, click the View Users button of that role.

Figure 4-9 List Users for Role

You can set the attributes for every user-role mapping by clicking the Attribute button for the user mapping from the pop-up window. The PDP returns the scoped attributes while giving decision for the specified user.

Scoped Attributes—The PDP considers the type attributes and NOT the scoped attribute while doing the rule evaluation.

For example a user Joe is of user type UT1 with attribute as ID with value `123' and Role Role1 is of role type RoleType1 with attribute as Val with value `8'. User Joe is mapped to Role1. When you click on the List Mapped Users for Role icon besides the role name, the List Users for Role page is displayed.

Figure 4-10 Scoped Attributes

Click the Set Attribute Values icon. The Set Attributes Values page is displayed

Figure 4-11 .Set Attribute Values

Enter the values for User Attributes (ID as 789) and Role Attributes (Val as 4). Click Save. The PDP considers the original entity type attributes (ID as 123 and Val as 8) not the scoped attribute while doing the rule evaluation.

For example, a role Role1 of type RoleType1 is mapped to a resource Res2. Click Set Rule(s) on Selected Policy icon. The Create/Update Role page is displayed.

Figure 4-12 Create or Update Role

Set the following values for the rule:

LHS=ROLE:RoleType1:Val

Operator=equalto

RHS=8. Click Set Rules.

In the PEP request, CEPM checks if the Value is equal to 8. If Yes, then provides access to the resource, Res2 to the requesting user, Joe . If No, then denies access to the resource, Res2 to the requesting user, Joe.


Note The Scoped Attributes do not participate in the rule evaluation.


Inclusive or Exclusive Assignment: When a dynamic role is assigned to a user, the assignment (User Role Status) can be set to inclusive or exclusive. This distinction is based upon the availability of the rule configured on the dynamic role. If set to inclusive, the rule on the role gets executed, and even if the rule is evaluated to false, the user is treated exceptionally and granted access to the resources. However, if you select exclusive, even though the rule on the role is satisfied, you are excluded and hence denied access.

For example, the dynamic role NY Trader has a rule that says Location equals to New York and this role is assigned to Mary and Tom (see Inclusive or Exclusive Assignment). Mary is in New York whereas Tom is in Chicago. You also have an Allow:NY Trader policy on View Trades. When you click the Attribute button of Mary, the Set Attributes Values window is displayed.

Figure 4-13 Inclusive or Exclusive Assignment

If you set the user role status to inclusive, though Mary belongs to New York and satisfies the rule, Mary is granted access as she is marked exclusive. Tom, who does not satisfy the rule as Tom is in Chicago, is exceptionally granted access, as Tom is marked inclusive.

Assigning Multiple Users to a Group

You can assign multiple users to a group in PAP.

To assign multiple users to a group, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Assignments > Add Users to Groups.

The Assign Users to Groups page is displayed.

Step 2 Select the application, application group, or Global under which the users are to be assigned to the groups.

Step 3 Select the appropriate context by clicking the Context icon in the upper-right side of the page.

All the users and groups pertaining to the above selected application, application group, or Global are displayed in the Users section and Groups section respectively.

Figure 4-14 Assigning Multiple Users to Group

Step 4 To search for a particular user or for a particular group, enter the appropriate search criteria and search value in the Search section for users and groups.

Step 5 From the Users list, select the check boxes for the users for whom the groups need to be assigned.

Step 6 In the Groups list, click the Map Users icon beside the group name to which you want to assign the selected users.

You have mapped the users to the groups.

You can also view the users that are assigned to a group by clicking the List Users icon near the group name.


Deleting a User

The User Management page (Manage Entities > Users) allows you to delete application users from the PAP console based on the following conditions:

A single user can be deleted by checking the check box next to the user name and then clicking either the Delete button or the Delete link.

Multiple users can be deleted in the same way by checking the check boxes adjacent to each user and then clicking the Delete button or link.

All the users on the List Users page can be deleted by clicking the Select All link and then clicking the Delete button or link.

All the users under the selected application/application group/Global can be deleted by clicking the Delete All link.

Click Clear All link to unselect all the check boxes that are next to all the user names.

Clone User

In CEPM, cloning refers to copy by value. A cloned user is identical to the parent user in all aspects except the name. All the attributes and properties of the parent user gets copied to the cloned user. For example, if User1 is cloned as User2, the latter inherits the membership of all the user group and roles to which the former belongs. In addition to this, User2 also inherits all the entitlements defined for User1. Editing the parent user automatically updates the cloned user.

To create a clone of an existing user in the User Management page, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global under which the user to be cloned exists.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user who you want to clone.

Step 3 From the List Users section, select the user check box whose clone has to be created (parent user) and click the Clone User.

A page is displayed where you can search for the user who you want to make as a clone of the parent user.

Step 4 From the List Users section, check check box for the user which you want to make as the clone of the parent user and click Continue.

The Clone confirmation page is displayed summarizing the users that are selected for the cloning process. It also provides you with an option to override existing roles. If you select yes for the Override Existing Roles, then the cloned user's existing role memberships are deleted and the parent user's role memberships are copied to the cloned user. If No is selected for the Override Existing Roles, then the cloned user retains the existing role memberships and also inherits the parent user's role memberships.

Figure 4-15

Clone User

Step 5 Click Finish to complete the cloning process or click Back to modify the users that are selected for the cloning process.

You can check whether the mappings and policies of the cloned user are matched with the parent user.


Copy Entitlements

In CEPM, there is a clear distinction between Cloned User and Copy Entitlement functionalities. As mentioned earlier, cloning is copy by value whereas copy entitlements is copy by reference. You can copy entitlements of one user to another user. All the policies of one user get copied to the other user. Unlike the Cloned User, after configuring the copy entitlements, the policies inherited by the copied user from its parent are not visible in the UI. The PDP will evaluate the access request by making reference to the access permissions of its parent user. For example, if User1 has an Allow policy on a resource "View Reports" and you copy entitlements of User1 to User2, you cannot view the policy for User2 on the said resource in the PAP UI. But in the runtime, if User2 sends an access request for "View Reports", the PDP checks whether any Copy Entitlements are configured on this user. If it is done, it will give permit decision for User2 with reference to the permissions granted for User1 on the requested resource.

To copy entitlements of one user to another user, follow these steps:


Step 1 Choose Manage Entities > Users.

The User Management page is displayed.

Step 2 Select an appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global are displayed. You can search for the user whose entitlements you want to copy.

Step 3 From the List Users section, select the user check box whose entitlements need to be copied (parent user) and then click the Copy Entitlement icon.

The Copy User page is displayed where you can search for the user to whom you want to copy the entitlements from the parent user.

Figure 4-16 Copy Users

Step 4 From the List Users section, select check box for the appropriate user and then click Continue.

The Copy Confirmation page is displayed.

Figure 4-17 Copy Confirmation

The Copy Confirmation page contains the summary of the users that are selected for the copy entitlements operation. It also provides you with an option to set the time frame (From Date and To Date). If a particular time frame is provided, the copied entitlements are applicable for this specified time frame to the copied user. If no value is entered for the time frame, the copied entitlements are considered to be invalid. The behavior of the PAP system is as if the copied entitlements are not applied to the copied user.

You can also model the recurrence relationship for these settings in order to avail the same entitlements to the selected user (to whom you have delegated your entitlements) on every recurrence period.


Note The recurrence period is in effect unless and until anything contrary to it is defined. You can also disable recurrence by selecting Clear Recurrence from the list.


The following recurrence period can be defined for this purpose:

Daily—This enables the recurrence of the copied entitlements on a daily basis. Either you can assign your entitlements to the copied user on every day or only for the weekends by selecting the corresponding option (as shown in Recurrence-Daily).

Figure 4-18 Recurrence-Daily

Weekly—If the From Time and To Time falls within the same week and Weekly is selected, the copy entitlement is in effect on a weekly basis on the defined recurrence time period.

Figure 4-19 Recurrence-Weekly

You can select multiple days of a week on which the copied user can utilize your entitlements.

Monthly—You can set the recurrence of the copy entitlement on monthly basis as follows:

Figure 4-20 Recurrence-Monthly

You get two options for this purpose:

One particular day of the month, you can set the monthly recurrence period to a particular day of every month. To do this you must select the first option (as shown in Recurrence-Yearly) and enter a number (between 1 to 31) and all your entitlements are available for the copied user on the specified day of every month.

Using the second option, you can select first or second or third or fourth or last day (Monday to Sunday) of the month for recurrence of the copied entitlements.

Yearly—You can set the recurrence of the copy entitlement on a yearly basis.

Figure 4-21 Recurrence-Yearly

It is similar to the monthly recurrence period with an additional option of selecting the month so that the copied entitlements are in force on the specified days of every month.


Note If you do not specify the Time Range and set the Recurrence to any (that is Daily/Weekly/Monthly/Yearly), CEPM executes the policy and give decisions on the set recurrence only. For Example a policy Allow:Test with recurrence set to Daily > Every weekend, the policy when executed every weekend will give the decision as Allow. Executing that policy during the weekdays will result in Deny permission.


Clear Recurrence—When you click this option and save the setting, the recurrence of copy entitlement is terminated.

Step 5 Click Save to complete the copy entitlements process or click Back to modify the users that are selected for the copy entitlements operation.


Viewing Entitlements

You can view the list of entitlements for a particular user in the User Management page.

To view the list of entitlements for a particular user, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user whose entitlements you want to view.

Step 3 From the List Users section, check the User check box whose entitlements you want to view and then click the View Entitlements icon.

A page is displayed with the list of resources that the selected user is permitted to access. The list of resources are displayed in the form of a Global resource tree that lists all the resource names, some are red and some are green. The green resource indicates that the selected user is permitted to access that resource and the red resource indicates that the selected user does not have permission to access that resource.


Defining Entitlements

You can define the entitlements for a particular user in the User Management page.

To define the entitlements for a particular user, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user for whom you want to define the entitlements.

Step 3 From the List Users section, select the user check box for whom you want to define the entitlements and then click the Define Entitlements icon.

The Policy Management By User page is displayed. For more information, refer to Entitlement Management by Users, page 5-1.


Viewing Role and Group Memberships of a User

You can view the role and group memberships of a user in the User Management page.

To view the role and group memberships of a user, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user whose role and group memberships you want to view.

Step 3 In the List Users section, select the check box beside the user name whose role and group memberships you want to view and then click the Role/Group icon.

The List User Roles Groups page is displayed, which contains the role and group memberships of the selected user. The page also shows the list of users whose entitlements have been copied to this user.

Figure 4-22 List User Roles Group


Note The list also contains the dynamic roles/groups assigned to the selected user only after the rule is evaluated the rule for the concerned dynamic group/role. The concerned dynamic group/role will be displayed in the list only if the rule configured on it is satisfied for the selected user. For example, if Mary is mapped to a dynamic role called Role 3, when you select Mary for viewing her roles and groups, the PAP sends a request to the respective PDP to evaluate the rule configured on Role 3. If the rule is satisfied for Mary, only Role 3 is displayed in the list. If not, the role is not displayed, even though Mary is mapped to Role 3.



Importing Users

You can import users from an XML file or from an LDAP into a particular application, application group, or Global in the PAP. The XML files are generated by using the Export Users features, which is discussed in the next chapter. The Import entity is level-specific. Importing application group entities can be done in application group level only. Similarly se you can import application entities within applications only. While importing users, you must ensure that the users imported are specific to the selected application level (application groups or applications). This means importing of users in the application group level must be done from the application group only. For example, you have two application groups (AppGrp1, AppGrp2) and two applications (App1 under AppGrp1 and App2 under AppGrp2). While using this feature, you can import users of AppGrp1 to AppGrp2 only and not to application level (App1 and App2). Similarly, applies to the application level as well. You can import users from App1 to App2, but not to AppGrp2.

To import the users, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application group or application under which you want to import the users. As mentioned above, if you select application group, you can import users only from other application group and not from the application level.

From the page shown in Import Users from XML or LDAP, you can import users from XML or from an LDAP/AD.

Figure 4-23 Import Users from XML or LDAP

Importing Users from an XML File

To import users from an XML file, follow these steps:


Step 1 On the User Management page, choose Import > From XML. A dialog box for importing the user information from XML file is displayed

Figure 4-24 Importing Users from an XML file

Step 2 Browse for the XML file, select the file and click Save. The users are imported into PAP.


Import Users from an LDAP

To import users from an LDAP, follow these steps:


Note Before importing users into PAP, the user attribute source needs to be created. Refer to Add User Attribute Source, page 7-4 for more details about creating the user store.



Step 1 On the User Management page, choose Import > From LDAP. The Import user page is displayed.

Figure 4-25 Import Users from an LDAP

Step 2 In the Search Users field, enter the LDAP tree structure for user identification.

Step 3 In the Filter field, enter the value for filter parameters.


Tip Different tree structures and filter parameters prescribed for different types of LDAPs are provided here.


Sun One Server:

Search Users: ou=people,ou=external,dc=cepm,dc=in

Filter: (&(uid=p*)(mail=p*)) or uid=p*

Novell eDirectory Server:

Search Users: cn=people,o=cepm-net

Filter: cn=b*

Active Directory 2000 Server:

Search Users: ou=people,ou=users, dc=win2k-ad,dc=cepm,dc=net

Filter: cn=p* or sAMAccountName=* or sAMAccountName=v*

Do not specify the ( or ) or &.

In the Search Users text box, you can type in the base directory to search. For example, ou=people,ou=external,dc=cepm,dc=net. For a refined search, you can also specify the filter as uid=s* in the Filter text box.

Step 4 Select the user type (by default Global:Default is selected). Select the appropriate user-store.


Note In general, you can import users of a specific usertype from LDAP into CEPM. These users get imported without bearing any attribute value unless marked mandatory. If the users of usertype containing mandatory attributes are imported, the following attribute values are shown as the default values in the PAP console:

For attributes of type String—A space character is shown as the attribute value.

For attributes of type Int—The digit 0 (zero) is shown as the default attribute value.

For attributes of type Enum (single or multiple)—First enum value is selected as the default value.

For attributes of type Float—The digit 0 (zero) is shown as the first attribute value.

For attribute of type Password—A space character is shown as the first attribute value.

Step 5 Click Search. All the users who match the Search and Filter criteria are displayed in the List Users section.

Step 6 Click Import > All to import all the displayed users into PAP. You can import specific users by selecting them in the List Users section and clicking Import > Import Selected.


Note For Active Directory (AD), the MaxPageSize parameter is set to 1000 by default. Thus, if the number of users exceed 1000, you may get an error while importing the users from AD. To resolve this, set the MaxPageSize parameter to a number depending upon your user count. For example, if the number of users existing in AD is 50000, edit the MaxPageSize parameter to 50000.



Exporting Users

You can export PAP users from a particular application, application group, or Global to an MS Excel file or to an XML file.

To export the users, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select an appropriate application, application group, or Global from which you want to export the users.

The User Management page contains the Export button for exporting users.

From this page, you can import users to an XML file or to a MS Excel file.

Figure 4-26 Exporting Users

Exporting Users to an MS Excel File

To export users to an MS Excel file, follow these steps:


Step 1 On the User Management page, choose Export > To Excel. A dialog box for opening or saving the users information in MS Excel format is displayed.

Step 2 Click Save to save the Users.xls file to an appropriate location.

The Excel file contains the information similar to the following table.

Figure 4-27 Exporting Users to an Excel file


Export Users to an XML File

To export users to an XML file, follow these steps:


Step 1 On the User Management page, choose Export > To XML. A dialog box for opening/saving the user information in XML format is displayed.

Step 2 Click Save to save the Users.xml file to an appropriate location.

The XML file contains the following code:

<users timestamp="20/03/2009 15:51:12" version="CEPM-V3.3.0.0">
    <user>
        <userName>John</userName>
        <parentFQN>Prime group</parentFQN>
        <useremail>jsmit@xyz.net</useremail>
        <firstName>John</firstName>
        <lastName>Smith</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>false</superuser>
        <userType>
            <name>Default</name>
            <description>default</description>
            <applicationName>Global</applicationName>
        </userType>
        <copyusers/>
    </user>
    <user>
        <userName>Mary</userName>
        <parentFQN>Prime group:Prime portal</parentFQN>
        <useremail>mwong@xyz.net</useremail>
        <firstName>Mary</firstName>
        <lastName>Wong</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>false</superuser>
        <userType>
            <name>Default</name>
            <description>default</description>
            <applicationName>Global</applicationName>
        </userType>
        <copyusers/>
    </user>
</users>

User Types

You can classify users by creating user types under an application, application group, or Global. For example, the application users may be located in various geographical regions. You can classify a new user on regional basis by creating a user type region as an attribute. Creating a user type is optional as Default User type is already available in the application at the Global level.

For Updating a User Type

To create or update a user type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > User Types. The User Types page is displayed.

Figure 4-28 User Type Home page

Step 2 Select the appropriate application, application group or Global for which you want to create or update a user type.

Step 3 To create a new user type, click Add. To update an existing user type, select the check box beside that user type and click the Edit icon. The Create or Update User Types page is displayed.

Figure 4-29 Craete or Update UserType

Step 4 Enter the following information in this page for creating or updating the user type:

User Type Name—Name of the user type.


Note The user type names have a limitation of 100 characters and the special characters allowed are asterisk(*), hypen (-) and underscore(_).


Description—Description of the user type.

Attributes—You can add multiple attributes to a user type by clicking the Add Attribute button.

Each user type attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attributes that exist under the repository. If you select enum as type, you must set the enumeration values to the attribute by clicking the View Query button.

Value Type—Select Single if you want the attribute to return a single value. Select Multiple if you want the attribute to return multiple values.

Attribute View—Select Yes if you want to view that attribute in the users list in Manage Entities > Users page as a column. If you select No, that attribute is not displayed as columns in the users list.

Mandatory—Set the Mandatory field to either Yes or No. When set to `Yes', you must give the attribute value while using this attribute in creating an user type. To this effect, the Attribute value field for the corresponding attribute in the Create User Type page will be shown as a mandatory field. For example, an User type called UT1 of attribute type String is created and the Mandatory field is set to Yes. While creating an user using this user type, you will find the UT1 field as mandatory.

Step 5 Click Save to save the user type information.


Group Management

The administration console simplifies the complex security administration by using user groups to organize access privileges. This operation is performed by using group hierarchies and constraints to configure a wide range of security policies. In the administration console, rights can be granted to an individual user as well as multiple users in a group to access the resources in the application.

Group management functionality allows you to carry out the following functions related to the management of user groups:

List or search for groups

Create or edit a group

Delete groups

Import groups

Create group types

Listing or Searching for Groups

To view the list of groups or search for a group in a particular application, application group or Global, follow these steps:


Step 1 Choose Manage Entities > Groups. The Group Management page is displayed.

Figure 4-30 Group Home Page

Step 2 From the Select Application drop-down list, select an application, application group or Global.

A list of groups associated with the selected application, application group or Global is displayed in the List Groups section in the same page. You can click the expand link to view all the groups in the list.

Step 3 Search for a particular group in the Search section by group name.

Figure 4-31 Search section

This section allows you to search for specific group depending upon the search criteria that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria for searching for the groups:

Search for Group by Group Name

Default

Other available Group Types

Enter the value to search in the text box.You can also use the asterisk character (*) as a wild card character, as part of the search value.

Example: To get the list of all the groups having M as the first character in their name, enter search value as M*, and click Search. The list of groups matching the search criteria and search value is displayed in the List Groups section.

Click Clear to clear the value entered in the search value text box.


Note Based on the selection of the Application the search result will be displayed. For example if Global is selected in the application list, the groups belonging to that application (that is Global) will be displayed in the search result.


You can click the following icons in the List Groups page to perform the operations described here:

Click the Create Group button to create a new group under Global, application group, application, or group. For more information, refer to Creating or Updating Groups.

Click the Edit Group icon to edit the information of an existing group. For more information, refer to Creating or Updating Groups.

Click the Delete Group icon to delete a group. For more information, refer to Deleting a Group.

Click the Import Group icon to import groups into the selected application group or application from LDAPs, such as Sun One Server, Novell eDirectory Server, and Active Directory Server. For more information, refer to Importing Groups.



Creating or Updating Groups

To create/update a group in a particular application, application group, existing user group or Global follow these steps:


Step 1 Choose Manage Entities > Groups. The Group Management page is displayed.


Note The group names have a limitation of 100 characters and the special characters allowed are hash(#), dollar($), ampersand(&), parenthesis[()], less than(<), greater than(>), tilde(~), apostrophe('), plus(+), forward slash(/), asterisk(*), hypen(-), underscore(_) and at sign(@).


Step 2 From the Select Application drop-downdrop-down list, select the appropriate application, application group or Global for which you want to create a group.

Step 3 In the List Groups section, click the Create Group icon beside the application, application group, existing user group or Global under which you want to create the group. To update existing group information, click the Edit Group icon beside the group name.

The Create/Update Group page is displayed.

Figure 4-32 Create or Update Group

Step 4 Enter the following information on this page for creating/updating the group:

Group: Select either New Group or Reference (refer to Creating, Updating, or Deleting Group Types).

Group Name: Name for the group.

Description: Description for the group.

Group Status: Select either Static or Dynamic. (For more information on Dynamic group, refer to Dynamic Role/Group.).

Reference: This is enabled only if you create the group as a Reference group. Select the appropriate reference group from this list. (For more information on Reference Group, refer to Reference Role/Group.)

Group Type: Select an appropriate group type for this group. Clicking View Attributes displays the attributes associated with the group type. By default, the value selected for the group type is Global:Default. You can create a new group type by clicking the Create New Group Type link beside this list box.

Step 5 Click Save to save the above information in the PAP.

Step 6 You can assign this group to users, roles and resources on this page. To do this assignment, click Next or click the appropriate tab i.e. Assign Roles, Assign Groups, or Assign Resources, to assign this group to appropriate roles, groups, or resources.

Step 7 Click Done after you have created the new group and assigned it to appropriate roles, groups or resources.


Note Assigning the new group to users, roles, and resources is not mandatory on this page. This operation can also be carried out later using either of the following methods, after the group is successfully created in the PAP.


a. In the Group Management page (Manage Entities > Groups), click the Edit icon that is beside the group name, for which you want to assign users, roles or resources. The Create/Update Group page is displayed. On this page, you can click the appropriate tab, Assign Users, Assign Roles or Assign Resources, to assign this group to appropriate users, roles or resources. You can also click Next to navigate through these tabs one by one.

b. You can click the links Add Groups to Roles and Add Users to Groups that are on the Manage Entities > Advanced > Entity Assignments page, to add the group to roles and to add users to groups.


Assigning Users to a Group

After creating a group, you can assign users to it.

To assign users to a group, follow these steps:


Step 1 On the Create/Update Groups page, click the Assign Users tab. The Assign Users page is displayed.

Figure 4-33 Assigning Users to Group

Step 2 If a large number of users are under the selected application, you can search for a particular user(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a user, enter the full name (not the fully qualified name) or first few characters of the user name, select the Search user from the drop-down list and click Search. All the users matching the search input are displayed.

Step 3 Assign a context for the user-group association that you are going to create by clicking the Context icon that is near the context label. A list of contexts is displayed.

Step 4 Select the appropriate context from the list to apply the context to the user-group association.

The Assign Users page contains two list boxes side-by-side. The Users list box contains the users that are not assigned to the group. The Assigned Users list box contains the users that are assigned to the group.

Step 5 To assign a user to the group, select that user in the Users list box and then click the Assign icon. The selected user is moved from the Users list to the Assigned Users list.

Step 6 To unassign the assigned users in the Assigned Users list box, click the user name and click the Unassign icon. The selected user is unassigned and it is moved from the Assigned Users list to the Users list.

Step 7 To set the group attribute and group attribute values to this user-group association select the assigned user and click the Set Attribute Values icon near the actions label.

Step 8 Click Save to complete the user-group association.


Assigning Roles to a Group

After creating a group, you can assign roles to it.

To assign roles to a group, follow these steps:


Step 1 On the Create/Update Groups page, click the Assign Roles tab. The Assign Roles page is displayed.

Figure 4-34 Assigning Roles to Group

Step 2 If a large number of roles are under the selected application, you can search for a particular role(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a role, enter the full name (not the fully qualified name) or first few characters of the role name, select the Search role from the drop-down list and click Search. All the roles matching the search input are displayed.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Assign a context for the group-role association that you are going to create by clicking the Context icon near the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the group-role association.

The Assign Role page contains two list boxes side-by-side. The Roles list box contains the roles that are not assigned to the group. The Assigned Roles list box contains the roles that are assigned to the group.

Step 6 To assign a role to the group, select that role in the Roles list box and click the Assign icon. The selected role is moved from the Roles list to the Assigned Roles list.

Step 7 To unassign the assigned roles in the Assigned Roles list box, click the role name and click the Unassign icon. The selected role is unassigned and it is moved from the Assigned Roles list to the Roles list.

Step 8 To set the group attribute and role attribute values to this group-role association, select the assigned role and click the Set Attribute Values icon near the actions label.

Step 9 Click Save to complete the group-role association.


Assign Resources to a Group

After creating a group, you can assign resources to it.

To assign resources to a group, follow these steps:


Step 1 On the Create/Update Groups page, click the Assign Resources tab. The Assign Resources page is displayed.

Figure 4-35 Assign Resources to Group

Step 2 If a large number of resources are under the selected application, you can search for a particular resource(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a resource, enter the full name (not the fully qualified name) or first few characters of the resource name, select the Search resource from the drop-down list and click Search. All the resources matching the search input are displayed.

Step 3 Assign a context for the group-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed.

Step 4 Select the appropriate context from the list to apply the context to the group-resource association.

The Assign Resources page contains three list boxes side-by-side. The Resources list box contains the resources that are not assigned to the group. The Allowed Resources and Denied Resources list boxes contain the resources that are assigned to the group, with either the Allowed permission or the Denied permission.

Step 5 To assign a resource to the group with Allowed permission, select that resource in the Resources list box and click the Assign Allowed Resources icon. The selected resource is moved from the Resources list to the Allowed Resources list.

Step 6 To assign a resource to the group with denied permission, select that resource in the Resources list box and click the Assign Denied Resources icon. The selected resource is moved from the Resources list to the Denied Resources list.

Step 7 To unassign the assigned resources in the Allowed Resources or Denied Resources list box, click the resource name and click the Unassign icon. The selected resource is unassigned and it is moved from the Allowed Resources or Denied Resources list to the Resources list.

Step 8 For the group-resource association you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned resource and clicking the appropriate icon near the actions label as explained here:

a. Add rule—Click the icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy, page 5-11.

b. Configure the Policy Combining Algorithm—Click the icon . The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm, page 5-4.

c. Add attributes to return—Click the icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation, page 5-5.

d. Add policy attributes—Click the icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes, page 5-8.

e. Edit policy—Click the icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations, page 5-6.

Step 9 Click Save to complete the group-resource association.


Assigning Multiple Users to a Group

Refer to "Assigning Multiple Users to a Group" section.

Assigning Multiple Groups to a Role

You can assign multiple groups to a role in the PAP.

To assign multiple groups to a role, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Assignments > Add Groups to Roles. The Assign Groups to Roles page is displayed.

Step 2 Select the application, application group or Global under which the groups to be assigned to the roles exist.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Select the appropriate context by click the Context icon in the upper-right side of the page.

All the groups and roles pertaining to the selected application, application group or Global are displayed in the Groups section and Roles section respectively.

Figure 4-36 Assigning Multiple Groups to a Role

Step 5 Search for a particular group or for a particular role by entering the appropriate search criteria and search value in the Search section for groups and roles.

Step 6 From the Groups list, select the check boxes for the groups for whom the roles need to be assigned.

Step 7 In the Roles list, click the Map Groups icon beside the role name to which you want to assign the selected groups.

This completes the mapping of the selected groups to the selected roles. You can also view the groups that are assigned to a role by clicking the List Groups icon near that role name.


Note Under a selected application group, if you map a group to a role (both of which are created under an application), the mapped group will not be displayed. For example, if you select an application group called Prime group under which Prime portal is an application, and map a group (Prime group:Prime portal:Group1) to a role (Prime group:Prime portal:Role1), Group1 cannot be displayed when you click the List of group icon for Role1.



Deleting a Group

The Group Management page (Manage Entities > Groups) allows you to delete groups that are already created under Global, application group, application or group. Click the delete icon near the group name to delete that group from the PAP.

Importing Groups

The CEPM provides the functionality of importing groups into PAP from LDAPs, such as Sun One Server, Novell eDirectory Server, and Active Directory Server. The Import entity ability is level-specific. Groups Importing application group entities can be done in application group level only. Likewise you can import application entities under applications only.

While importing groups you must ensure that the groups imported are specific to the selected application level (application groups or applications). This means importing of groups in the application group level must be done from the application group only. For example, you have two application groups (AppGrp1, AppGrp2) and two applications (App1 under AppGrp1 and App2 under AppGrp2). While using this feature you can import groups of AppGrp1 to AppGrp2 only and not to application level (App1 and App2). Similarly, it is applied to application level, that is, you can import groups from App1 to App2 but not to AppGrp2.


Note Before importing groups into PAP, user attribute source needs to be created. For more information about creating the user store, refer to User Attribute Sources, page 7-29.


To import the groups in the PAP, follow these steps:


Step 1 Choose Manage Entities > Groups.

The Group Management page is displayed.

Step 2 Select the appropriate application or application group under which you want to import the groups.

Step 3 In the List Groups section, click the Import icon beside the application/application group under which you want to import the groups.

The Import Groups page is displayed.

Figure 4-37 Import Groups

Step 4 In the Search Groups field, enter the LDAP tree structure for group identification.

Step 5 In the Filter text box, enter the value for Filter parameters.


Tip Different tree structures and filter parameters prescribed for different types of LDAP servers are given here:


Sun One Server:

Search Groups: ou=people,ou=external,dc=cepm,dc=in

Filter: cn=p*

Novell eDirectory Server:

Search Groups: cn=people,o=cepm-net

Filter: cn=p*

Active Directory 2000 Server:

Search Groups: ou=people,ou=users, dc=win2k-ad,dc=cepm,dc=net

Filter: cn=p*

In the Search Group text box you can type in the base directory to search, for example, ou=people,ou=external,dc=cepm,dc=in. For a refined search you can also specify the filter as cn=p* in the Filter text box.

Step 6 Select the appropriate user-store.

Step 7 Select the group type. By default it is selected to Global:Default.


Note If a group of group type containing mandatory attributes are imported, the following attribute values are shown as the default values in the PAP console:

For attributes of type String: A space character is shown as the attribute value.

For attributes of type Int: 0 (Zero) is shown as the default attribute value.

For attributes of type Enum (single or multiple): First enum value is shown as the default attribute value.

For attributes of type Float: 0 (Zero) is shown as the first attribute value.

For attribute of type Password: A space character is shown as the first attribute value.

Step 8 Click Search. All the groups matching the Search and Filter criteria are displayed in the List Groups section.

Step 9 Click Import. The groups displayed in the List Groups section are created in the PAP.


Creating, Updating, or Deleting Group Types

You can classify groups by creating group types under an application, an application group, or Global. For example, the application groups may be located in various geographical regions. You can classify a new group on regional basis by creating a group type including the region as an attribute. Creating a group type is optional because the Default group type is already in the application at the Global level.

To create, update or delete a group type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > Group Types. The Group Types page is displayed.

Figure 4-38 Group Type page

Step 2 From the Select Application drop-down list, select an appropriate application, application group or Global for which you want to create a group type.

Step 3 To create a group type, click Add. To update an existing group type, select the check box near the group type and click the Edit icon. To delete an existing group type, select the check box near the group type and click the Delete icon.

If you clicked the Add button or the Edit icon, the Create/Update Group Types page is displayed.

Figure 4-39 Create or Update Group Type

Step 4 Enter the following information in this page for creating/updating the group type:

Group Type Name—Name of the group type.


Note The group type names have a limitation of 100 characters and the special characters allowed are asterisk(*), hypen (-) and underscore(_).


Description—Description of the group type.

Attributes—You can add multiple attributes to a group type by clicking Add Attribute.

Each group type attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attributes that exist under the repository. If you select enum as type, you must set the enumeration values to the attribute by clicking the View Query button.

Value Type—Select Single, if you want the attribute to return a single value. Select Multiple, if you want the attribute to return multiple values.

Mandatory—Set the Mandatory field to either Yes or No. When set to `Yes', you must give the attribute value while using this attribute in creating an application. To this effect, the Attribute value field for the corresponding attribute in the Create Group Type page will be shown as a mandatory field. For example, an group type called General of attribute type Enum is created and the Mandatory field is set to Yes. While creating a group using this group type, you will find the General field as mandatory.

Step 5 Click Save to save the group type information in the PAP.


Role Management

The administration console simplifies the complex security administration by use of roles to organize access privileges. This operation is performed by using role hierarchies and constraints to configure a wide range of security policies. In the administration console, rights can be granted to an individual user as well as multiple users in a group or in a role to access various resources in the application.

Role Management functionality allows you to carry out the following functions related to the management of roles.

List and search for roles

Create or edit a role

Delete role

Import roles

Export roles

Create role types

Add SoD roles

Add DSoD roles

Listing or Searching for Roles

To view the list of roles or search for a role in a particular application, application group, or Global, follow these steps:


Step 1 Choose Manage Entities > Roles. The Role Management page is displayed.

Figure 4-40 Roles Page

Step 2 From the Select Application list, select an appropriate application, application group, or Global.

List of roles associated with the above selected application, application group, or Global is displayed in the List Roles section.

Step 3 Search for a particular role in the Search section by role name.

Figure 4-41 Search Section

This section allows you to search for specific role depending upon the search criteria that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria for searching for the role:

Search for Role by Role Name

Default

Other available Role Types

Enter the value to search in the text box. You can also use the asterisk character (*) as a wild card character, as part of the search value.

Example: To get the list of all the roles having 'M' as the first character in their name, enter search value of M*, and click Search. The list of roles matching the search criteria and search value is displayed in the List Roles section.

Click Clear to clear the value entered in the search value text box.


Note Based on the selection of the Application the search result will be displayed. For example if Global is selected in the application list, the roles belonging to that application (that is Global) will be displayed in the search result.


You can click the following icons in the List Roles page to perform the operations described here:

Click the Create Role icon to create a new role under Global, application group, application, or role. For more information, refer to Creating or Updating a Role.

Click the Edit Role icon to edit the information of an existing role. For more information, refer to Creating or Updating a Role.

Click the Delete Role icon to delete a role. For more information, refer to Deleting a Role.

Click the Configure SoD Role icon to configure one or more roles under the selected application group, application, role or Global, as SoD roles. For more information, refer to Configuring SoD Roles.

Click the Configure DSoD Role icon to configure one or more roles under the selected application group, application, role or Global, as DSoD roles. For more information, refer to Configuring DSoD Roles.

Click the Import Role icon to import roles from an XML file into the selected application group or application. For more information, refer to Importing Roles.

Click the Export Role icon to export roles under the selected application group or application to an XML file. For more information, refer to Exporting Roles.



Creating or Updating a Role

To create/update a role in a particular application, application group, role, Global, follow these steps:


Step 1 Choose Manage Entities > Roles.

The Role Management page is displayed.

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update a role.

Step 3 To create a new role, in the List Roles section, click the Create Role icon beside the application, application group, existing role, or Global under which you want to create the role. To edit an existing role, click the Edit Role icon near the role name. The Create/Update Role page is displayed.

Figure 4-42

Step 4 Enter the following information in this page for creating/updating the role.

Role—Select either New Role or Reference (refer "Reference Role/Group" section for more information).

Role Name—Name for the role.


Note The role names have a limitation of 100 characters and the special characters allowed are hash(#), dollar($), ampersand(&), parenthesis[()], less than(<), greater than(>), tilde(~), apostrophe('), plus(+), forward slash(/), asterisk(*), hypen(-), underscore(_) and at sign(@).


Descriptio—Description for the role.

Role Statu—Select either Static or Dynamic. If the Role Status selected is Dynamic, you can configure rules for the role by clicking the Advanced button. (For more information on Dynamic Role, refer to Dynamic Role/Group.)

Reference—This is enabled only if you create the role as a Reference Role. Select the appropriate Reference Role from this list. (For more information on Reference Role, refer to Reference Role/Group.)

Role Type—Select an appropriate role type for this role. Clicking Go displays the attributes associated with the role type. By default, the value selected for the role type is Global:Default. You can create a new role type by clicking the Create New Role Type link beside this list box.

Step 5 Click Save to save this information in the PAP.

Step 6 To assign this role to users, roles, and resources, click Next or click the appropriate tab i.e. Assign Users, Assign Groups or Assign Resources.

Step 7 Click Done after you have created/updated the new role and assigned it to appropriate users, groups or resources.


Note Assigning the new role to users, groups and resources is not mandatory on this page. This operation can also be done later using any of the following methods, after the role is successfully created in the PAP.


a. In the Role Management page (Manage Entities > Roles), click the Edit icon beside the role name, for which you want to assign users, groups, or resources. The Create/Update Role page is displayed. In this page, you can click the appropriate tab, Assign Users, Assign Groups, or Assign Resources, to assign this role to appropriate users, groups, or resources. You can also click Next to navigate through these tabs one by one.

b. You can click the Add Users to Roles and Add Groups to Roles links that are on the Manage Entities > Advanced > Entity Assignments section, to add users to roles and to add groups to roles.


Reference Role/Group

The Reference Role/Group functionality provides the mechanism to create the multiple copies of a role/group in the hierarchy of application groups, applications, groups, and roles in such a way that all the copies created are the references of the parent role/group. Thus, if the parent role/group is deleted, then all the related reference roles/groups also get deleted.

You cannot create a role/group by reference directly under an application group or an application. It can be created only under an existing role/group.

The Reference role/group is created while creating the role/group, by selecting the Reference option and the parent role name whose reference is to be created.

The following section describes in more detail about the way the reference role/group mechanism works.

Figure 4-43 Reference Role Hiearchy

If you want to add Role2 as a child of Role4 and Role5 in the preceding hierarchy, it is normally done by creating a new child role for Role4 and Role5 assigning it all the characteristics of Role2.

Instead of creating a new role, you can create the role as a reference of Role2 while adding it to Role4 and Role5.

Figure 4-44 Role addition

Though Role2 is displayed at different levels within the hierarchy, it is basically stored at a single place in PAP under Role1 and is referenced at different levels, under Role 4 and Role 5. All users added to Role1:Role2 at any level will still be reflected in all the Role2, for example, Role1:Role2, Role4:Role2 and Role5:Role2 will have the same set of users and the same set of Roles and policies. Role4:Role2 and Role5:Role2 will also inherit the roles/users/groups/policies from Role1:Role2.

Note that deleting the parent role (Role1:Role2) will delete all the referencing roles (Role4:Role2 and Role5:Role2).

Dynamic Role/Group

During the policy creation, when you want to apply the same set of rules for different policies, you can do so without repeating the rules-creation process by using Dynamic role/group. Dynamic role/group is created with the set of rules that you want to reuse in multiple policies.

Example: A Dynamic role called DynamicRole1 has been created with some rules. When you create an Allow policy for DynamicRole1 on the resource Resource1, the policy will inherit all the rules configured for the DynamicRole1 role.

Dynamic role/group is created while creating the role/group, by selecting the role/group status as Dynamic. Then click the Advanced button, which opens the Rule Editor page where you can configure the rules for the Dynamic role/group.

For information about configuring rules, refer to Add Rules to a Policy, page 5-11.

Assigning Users to a Role

After creating a role, you can assign Users to it.

To assign users to a role, follow these steps:


Step 1 On the Create/Update Roles page, click the Assign Users tab. The Assign Users page is displayed.

Figure 4-45 Assigning Users to Role

Step 2 If a large number of users are under the selected application, you can search for a particular user(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a user, enter the full name (not the fully qualified name) or first few characters of the user name, select the search user from the drop-down list and click Search. All the resources matching the search input are displayed.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Assign a context for the user-role association that you are going to create by clicking the Context icon near the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the user-role association.

The Assign Users page contains two list boxes side-by-side. The Users list box contains the users that are not assigned to the role. The Assigned Users list box contains the users that are assigned to the role.

Step 6 To assign a user to the role, select that user in the Users list box and click the Assign icon. The selected user is moved from the Users list to the Assigned Users list.

Step 7 To unassign the assigned users in the Assigned Users list box, click the user name and click the Unassign icon. The selected user is unassigned and it is moved from the Assigned Users list to the Users list.

Step 8 To set the role attribute and role attribute values to this user-role association, select the assigned user and click the Set Attribute Values icon near the actions label.

Step 9 Click Save to complete the user-role association.


Assigning Groups to a Role

After creating a role, you can assign groups to it.

To assign groups to a role, follow these steps:


Step 1 On the Create/Update Roles page, click the Assign Groups tab.

The Assign Groups page is displayed.

Figure 4-46 Assigning Groups to Role

Step 2 If a large number of groups are under the selected application, you can search for a particular group(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a group, enter the full name (not the fully qualified name) or first few characters of the group name, select the search group from the drop-down list and click Search. The groups matching the search input are displayed.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Assign a context for the role-group association that you are going to create by clicking the Context icon near the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the role-group association.

The Assign Group page contains two list boxes side-by-side. The Groups list box contains the groups that are not assigned to the role. The Assigned Groups list box contains the groups that are assigned to the role.

Step 6 To assign a group to the role, select that group in the Groups list box and click the Assign icon. The selected group is moved from the Groups list to the Assigned Groups list.

Step 7 To unassign the assigned groups in the Assigned Groups list box, click the group name and click the Unassign icon. The selected group is unassigned and it is moved from the Assigned Groups list to the Groups list.

Step 8 To set the role attribute and group attribute values to this role-group association, select the assigned group and click the Set Attribute Values icon near the actions label.

Step 9 Click Save to complete the role-group association.


Assigning Resources to a Role

After creating a role, you can assign resources to it.

To assign resources to a role, follow these steps:


Step 1 On the Create/Update Roles page, click the Assign Resources tab. The Assign Resources page is displayed.

Figure 4-47 Create or Update Role

Step 2 If a large number of resources are under the selected application, you can search for a particular resource(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a resource, enter the full name (not the fully qualified name) or first few characters of the resource name, select the resource from the drop-down list and click Search. All the resources matching the search input are displayed.

Step 3 Assign a context for the role-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed.

Step 4 Select the appropriate context from the list to apply the context to the role-resource association.

The Assign Resources page contains three list boxes side-by-side. The Resources list box contains the resources that are not assigned to the role. On the right side, the Allowed Resources and Denied Resources list boxes contain the resources that are assigned to the role, with either the Allowed permission or the Denied permission.

Step 5 To assign a resource to the role with Allowed permission, select that resource in the Resources list box and click the Assign icon. The selected resource is moved from the Resources list to the Allowed Resources list.

Step 6 To assign a resource to the role with Denied permission, select that resource in the Resources list box and click the Assign Denied Resources icon. The selected resource is moved from the Resources list to the Denied Resources list.

Step 7 To unassign the assigned resources in the Allowed Resources or Denied Resources list box, click the resource name and click the Unassign icon. The selected resource is unassigned and it is moved from the Allowed Resources or Denied Resources list to the Resources list.

Step 8 For the role-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

You can click the following icons near the action label to perform the operations described here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy, page 5-11.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm, page 5-4.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation, page 5-5.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes, page 5-8.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations, page 5-6.

Step 9 Click Save to complete the role-resource association.


Assigning Multiple Users to a Role

Refer to "Assigning Multiple Users to a Role" section.

Assigning Multiple Groups to a Role

Refer to "Assigning Multiple Groups to a Role" section.

Deleting a Role

The Role Management page (Manage Entities > Roles) allows you to delete roles that are already created under Global, application role, application, or role. Click the delete icon near the role name to delete that role from the PAP.

Importing Roles

You can import roles from an XML file into a particular application group or application in the PAP. The Import entity ability is level-specific. Importing application group entities can be done in application group level only. Likewise you can import application entities within applications only.

While importing roles you must ensure that the roles imported are specific to the selected application level (application groups or applications). This means importing of roles in the application group level must be done from the application group only. For example, you have two application groups (AppGrp1, AppGrp2) and two applications (App1 under AppGrp1 and App2 under AppGrp2). While using this feature you can import roles of AppGrp1 to AppGrp2 only and not to application level (App1 and App2). Similarly, it is applied to application level, that is, you can import roles from App1 to App2 but not to AppGrp2.

To import the roles in the PAP, follow these steps:


Step 1 Choose Manage Entities > Roles. The Role Management page is displayed.

Step 2 Select an appropriate application or application group under which you want to import the roles.

Step 3 In the List Roles section, click the Import icon beside the application/application group under which you want to import the roles. A dialog box for importing the roles information from XML file is displayed.

Figure 4-48 Import Roles

Step 4 Browse for the XML file, select it, and click Save. This imports the roles into the PAP.


Exporting Roles

You can export roles from a particular application group or application in the PAP to an XML file. The exported roles from an application group can be imported to other application group only and the same rule is applicable to applications.

To export the roles from PAP, follow these steps:


Step 1 Choose Manage Entities > Roles. The Role Management page is displayed.

Step 2 Select an appropriate application or application group from which you want to export the roles.

Step 3 In the List Roles section, click the Export icon beside the application or application group from which you want to export the roles. A dialog box for opening/saving the roles information in XML format is displayed.

Figure 4-49 Dialog Box

Step 4 Click Save to save the Roles.xml file to an appropriate location.


Note Data exported from V3.3.0.0 cannot be imported into the older version of CEPM such as V3.2.0.0



Role Types

You can classify roles with by creating role types under an application, application group, or Global. Creating a role type is optional because Default role type is already within the application at the Global level.

To create/update/delete a role type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > Role Types. The Role Types page is displayed.

Figure 4-50 Role Type Page

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update/delete a role type.

Step 3 To create a role type, click Add. To update an existing role type, select the check box near the role type and click the Edit icon. To delete an existing role type, select the check box near the role type and click the Delete icon. If you have clicked Add or the Edit icon, the Create/Update Role Types page is displayed.

Figure 4-51 Create or Update Role Type

You can enter the following information in this page for creating/updating the role type:

Role Type Nam—Name of the role type.


Note The role type names have a limitation of 100 characters and the special characters allowed are asterisk(*), hypen (-) and underscore(_).


Description—Description of the role type.

Attributes—You can add multiple attributes to a role type by clicking Add Attribute.

Each role type attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attributes that exist under the repository. If you select enum as type, you must set the enumeration values to the attribute by clicking the View Query button.

Value Type—Select Single, if you want the attribute to return a single value. Select Multiple, if you want the attribute to return multiple values.

Mandatory—Set the Mandatory field to either Yes or No. When set to `Yes', you must give the attribute value while using this attribute in creating an role. To this effect, the Attribute value field for the corresponding attribute in the Create Role Type page will be shown as a mandatory field. For example, an role type called Tester of attribute type String is created and the Mandatory field is set to Yes. While creating an role using this role type, you will find the Tester field as mandatory.

Step 4 Click Save to save the role type information in the PAP.


Configuring SoD Roles

Separation of Duty (SoD) policies ensure that groups of users who have distinctly different roles cannot knowingly or un-knowingly conspire to circumvent regulatory or enterprise controls put in place. Separation of Duty (SoD) of roles ensures that the users who have distinctly different roles do not have access to the same set of users, user groups, and resources. The SoD constraint on roles is implemented to restrict the information misuse and prevent fraudulent activities in the organization. This feature is applicable for user-to-role mapping and group-to-role mapping

Consider an example of a user Mary who is mapped to a role Analyst. Analyst is SoD to another role called Broker. Once the Sod is configured, CEPM prevents mapping of Mary to the role Broker. In case the Mary is mapped to both of these roles quite before the SoD role configuration, CEPM provides you an option to check the SoD role violation for a user in Auditing & Reporting section. In this section, if you want to check SoD violations for Mary, you can find all the roles that are SoD to each other.

This is achieved during the configuration of SoD for the appropriate roles in the PAP. Any SoD roles violations during this configuration process can be checked in the PAP, in the Auditing and Reporting section: Auditing & Reporting > Audit SoD Violations > SoD Roles.

To configure the SoD roles in PAP, follow these steps:


Step 1 Choose Manage Entities > Advanced > Role Constraints > SoD Roles. The SoD Roles page is displayed.

Step 2 From the Select Application drop-down list, select an appropriate application, application group or Global. The list of all the roles in the selected application, application group or Global is displayed.

Step 3 Click the SOD Role icon near the role name that you want to configure for SoD.

The List of SoD Roles page is displayed containing two list boxes side-by-side. The Roles list box contains all the roles under the selected application, application group or Global, that are not configured for SoD. The SoD Roles list box contains the roles that are configured for SoD.

Figure 4-52 SoD Roles

Step 4 To configure a role for SoD with the role that was selected in the earlier page, select that role in the Roles list box and click the Assign SoD icon. The selected role is moved from the Roles list to the SoD Roles list.

Step 5 To unassign the assigned roles in the SoD Roles list box, click the role name and click the Unassign SoD icon. The selected role is unassigned and it is moved from the SoD Roles list to the Roles list.

Step 6 Click Done to complete the SoD configuration operation.


Note You cannot do the SoD Role mapping for a dynamic role. Only static roles are enlisted in the Roles table. But DSoD Role mapping is possible with a dynamic role.



Configuring DSoD Roles

Dynamic Separation of Duties (DSoD) of roles prevents two or more roles from accessing the same resource at run time, i.e. when a PEP User requests for a resource, the request is analyzed in the PDP for the DSoD role violation and if the violation is found, then that PEP User is restricted from accessing the requested resource.

The CEPM implements the DSoD constraint on roles to restrict the information misuse in the organization.

To configure the DSoD roles in PAP, follow these steps:


Step 1 Choose Manage Entities > Advanced > Role Constraints > DSoD Roles. DSoD Roles page is displayed.

Step 2 From the Select Application list, select an appropriate application, application group, or Global.

The list of all the roles in the selected application, application group, or Global is displayed.

Step 3 Click the DSoD Role icon near the role name that you want to configure for DSoD.

Figure 4-53 DSoD Roles

The List of DSoD Roles page is displayed containing two list boxes side-by-side. The Roles list box contains all the roles under the selected application, application group or Global, which are not configured for DSoD. The DSoD Roles list box contains the roles that are configured for DSoD.

Step 4 To configure a role for DSoD with the role that was selected in the earlier page, select that role in the Roles list box and click the Assign DSoD icon. The selected role will be moved from the Roles list to the DSoD Roles list.

Step 5 To unassign the assigned roles in the DSoD Roles list box, click the role name and click the UnAssign DSoD icon. The selected role is unassigned and it is moved from the DSoD Roles list to the Roles list.

Step 6 Click Done to complete the DSoD configuration operation.


Role Bundles

Role bundle, like context, provides a fine-grained authorization mechanism. In the PAP, every user-role association and group-role association is configured against a role bundle. Role bundles are flat in structure. Role bundles comes into picture when user-role mapping, group-role mappings are done. For example, Mary can be assigned with Role1 under RoleBundle1 in an application at the same time she can be mapped to Role2 under RoleBundle2 within the same application.

A role bundle can be created under an application, application group or Global. The PAP creates a Default role bundle for every application, application group and Global.

To create/update/delete a role bundle, follow these steps:


Step 1 Choose Manage Entities > Advanced > Role Constraints > Role Bundles. The Role Bundles page is displayed.

Figure 4-54 Role Bundle

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update/delete a role bundle.

Step 3 To create a new role bundle, click Add. To update an existing role bundle, select the check box near that role bundle and click the Edit icon. To delete a role bundle, select the check box near that role bundle and click the Delete icon. If you have clicked Add or the Edit icon, the Create/Update Role Bundle page is displayed.

Figure 4-55 Create Role Bundle

Step 4 Enter the following information to create/update the role bundle.

Role Bundle Name—Name of the role bundle.

Role Bundle Description—Description of the role bundle.

Step 5 Click Add. The role bundle is saved in the PAP.


Resource Management

A resource is an entity that represents application component that can be protected from unauthorized access using authorization policies. Resources can be specific application software components managed by the container (for example, URLs, EJBs, and JSPs) or any business object in the application. Resources may have attributes, for example, bank accounts can have minimum deposit amount and maximum withdrawal amount limit per day. Resources are hierarchical and child resources inherit policies and attributes from their parent in the resource hierarchy.

Resource Management functionality allows you to carry out the following functions related to the management of resources.

List and search for resources

Create or edit resources

Create a resource from external sources

Create resources with expression

Delete resource

Import resources

Export resources

Create resource types

Listing or Searching for Resources

To view the list of resources or search for a resource in a particular application, application group, or Global, follow these steps:


Step 1 Choose Manage Entities > Resources.

The Resource Management page is displayed.

Figure 4-56 Resource Page

Step 2 From the Select Application drop-down list, select an appropriate application, application group or Global. A list of resources associated with the selected application, application group or Global is displayed in the List Resources section. You can click the expand link to view all the resources that are in the list.


Note When there are large number of resources (say, in thousands) present under an application, you can view resources using pagination options such as `<< Prev' and `Next >>'. If you are using IE6 or IE7 browser, you may get an alert message after clicking the Next button multiple times (say 6-7 times) as shown in Alert Message:

Figure 4-57 Alert Message

You can temporarily avoid this problem in the following ways:

Click **NO** to continue with your navigation. This scenario may repeat after some span of time.

OR

Do the following Internet Explorer configurations

Using a Registry Editor such as Regedit32.exe, open this key:

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Styles

If the Styles key is not present, create a new key called Styles.

Create a new DWORD value called "MaxScriptStatements" under this key and set the value to the desired number of script statements (say 999999)

This setting will temporarily resolve this problem. It may reoccur once the number of script statements exceeds the given value.


Step 3 Search for a particular resource in the Search section by resource name.

Figure 4-58 Search Section

This section allows you to search for specific resource depending upon the search criteria that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria for searching for the resource:

Search for Resource by Name

Other available Resource Types

Enter the value to search in the text box. You can also use the asterisk character (*) as a wild card character, as part of the search value.

Example: To get the list of all the resources having M as the first character in their name, enter search value of M*, and click Search. The list of resources having M as the first character in their name will be displayed in the List Resources section.

Click Clear to clear the value entered in the search value text box.

You can click the following icons in the List Resources page to perform the operations described below:

Click the Create Resource icon to create a new resource under Global, application group, application, or existing resource. For more information, refer to Creating or Updating a Resource.

Click the Edit Resource icon to edit the information of an existing resource. For more information, refer to Creating or Updating a Resource.

Click the Delete Resource icon to delete a resource. For more information, refer to Deleting a Resource.

Click the Copy Resource icon to create a copy of an existing resource. For more information, refer to Copying a Resource.

Click the Create Resource from External Source icon to create a resource from external sources like WSDL- (Web Services Description Language) compliant XML documents and Web Services as well as from relational databases like Oracle and MS SQL Server. For more information, refer to Creating Resources from External Sources.

Click the Create Resource from Expression icon to create resources using expression. This feature is used for creating a resource hierarchy in the PAP by providing a single expression. For more information, refer to Creating Resources with Expression.

Click the Import Resource icon to import resources from an XML file under the selected application group, application, resource, or Global. For more information, refer to Importing Resources.

Click the Export Resource icon to export resources under the selected application group, application, resource, or Global, to an XML file. For more information, refer to Exporting Resources.



Creating or Updating a Resource

To create/update a resource under a particular application or existing resource, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 From the Select Application drop-down list, select an appropriate application, application group, or Global under which you want to create/update a resource.

Step 3 To create a new resource, in the List Resources section, click the Create Resource icon near the application or existing resource under which you want to create the resource. To update an existing resource information, click the Edit Resource icon near the resource name.

The Create/Update Resource page is displayed.

Figure 4-59 Create or Update Resource

Step 4 Enter the following information in this page for creating/updating the resource:

Resource Name—Name for the resource.


Note The resource names have a limitation of 100 characters and the special characters allowed are hash(#), dollar($), ampersand(&), parenthesis[()], less than(<), greater than(>), tilde(~), apostrophe('), plus(+), asterisk(*), hypen(-), underscore(_) and at sign(@).It is important to note that you cannot include forward slash (/) in the resource name.


Description—Description for the resource.

Resource Status—Select either Active or InActive. InActive resources will not be accessible to any User. It is important to note that any child resources or actions created under an inactive resource become inactive until and unless anything to the contrary is defined.

Enable Xacml Logs—Selecting the Enable Xacml logs checkbox enables the log tracking of this resource.

Owner—This displays the owner name (Superuser or any other the PAP User name)

Resource Type—Select appropriate resource type for the drop-down list.To create a resource select Global:UNTYPE from the drop-down list. Clicking View Attributes and Action displays the attributes associated with the resource type. You can create a new resource type by clicking the Create New Resource Type link beside this list box.

Step 5 Click Save to save the above information in the PAP.

Step 6 To assign this resource to users, groups, and roles on this page, click Next or click the appropriate tab, Assign Users, Assign Groups, or Assign Roles.

Step 7 Click Done after you have created/updated the resource and assigned it to appropriate users, groups, or roles.


Note Assigning the new resource to users, groups, and roles is not mandatory on this page. This operation can also be carried out later using the Edit Resource functionality after the resource is successfully created in the PAP.


In the Resource Management page (Manage Entities > Resources), click the Edit resource icon beside the resource name for which you want to assign users, groups or roles. The Create/Update Resource page is displayed. On this page, click the appropriate tab, Assign Users, Assign Groups, or Assign Roles, to assign this resource to appropriate users, groups, or roles. You can also click Next to navigate through these tabs one by one.


Creating Resources from External Sources

The PAP provides the functionality to create resources from external sources like Web Services Description Language- (WSDL) compliant XML documents and Web Services as well as from relational databases like Oracle and MS SQL Server. This feature is useful while protecting WebServices and also protecting database tables using VPD Agent.

To create resources from external sources, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select the application under which you want to create resources from external sources.

Step 3 In the List Resources section, click the Create Resource from External Sources icon near the application name.

A page for creating resources from external resource is displayed. The Source Type list contains the two values: WSDL and Database.

Step 4 Select WSDL to create resources from a WSDL compliant documents or Web Services. Select Database to create resources from relational databases like Oracle or SQL Server.


Creating Resources from WSDL Source


Step 1 Select the Source Type as WSDL. The URL/File Name Type list box is displayed.

Step 2 If you want to create resources from an XML file, select File. The File text box is displayed where you can enter the location and name of the XML file containing the resources information to be created in the PAP.

Figure 4-60 Create Resource from WSDL Source

If you want to create a resource by calling a Web Service, select URL. The URL text box is displayed where you can enter the URL of the Web Service.

Step 3 Click Save to complete the resource creation using the selected WSDL source.


Creating Resources from Database Source


Step 1 Select the Source Type as Database. The Database Type list box is displayed.

Step 2 If you want to create resources from an Oracle database, select oracle. If you want to create resources from MS SQL Server database, select mssql and if you want to create resources from DB2, select DB2.

After selecting the database, the following text boxes are displayed where you need to enter the database connection details.

Figure 4-61 Create Resource from Database Source

Database URL—Database connection string. Example:

For Oracle—jdbc:oracle:thin:@localhost:1521:devbdb

For SQL Server—jdbc:sqlserver://localhost:3279; databaseName=cepm;SelectMethod=cursor

For DB2—jdbc:db2j:net://localhost:50000/cepmtest

Driver Name—Name of the database driver class. Example:

For Oracle—oracle.jdbc.driver.OracleDriver

For SQL Server—com.microsoft.sqlserver.jdbc.SQLServerDriver

For DB2—com.ibm.db2.jcc.DB2Driver.jcc.DB2Driver

User Name and Password: Database user credentials to connect to the configured database.

Step 3 Click Connect to complete the resource creation process using the selected database.


Creating Resources with Expression

The PAP provides the functionality of creating a resource hierarchy under a particular application using an expression.

To create resources from external sources, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select the application under which you want to create resource hierarchy using an expression.

Step 3 Click the Create Resources with Expression icon.

Figure 4-62 Create Resource with Expression

Step 4 Enter the resource expression as explained here.

Figure 4-63 Resource Expression

Resource Expression—Enter the resource names, each separated by a dot (.).

Example: Res1.Res2.Res3

The resource hierarchy that is created under the selected application will look as shown in Resource Hiearchy.

Figure 4-64 Resource Hiearchy

Resource Type—Select the appropriate resource type.

Apply Resource Type—Select either All or Leaf. If All is selected, then all the resources created will have the same resource type value as selected in the resource type list. If Leaf is selected, then the only the leaf resource will have the resource type that is selected in the resource type list and the rest of the resources created will have the resource type of Global:UNTYPE.

Step 5 Click Save. The resource hierarchy is created under the selected application.


Assigning Users to a Resource

After creating a resource, you can assign users to it.

To assign users to a resource, follow these steps:


Step 1 On the Create/Update Resources page, click the Assign Users tab. The Assign Users page is displayed.

Figure 4-65 Assigning Users to Resource

Step 2 Assign a context for the user-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed. Select the appropriate context from the list to apply the context to the user-resource association.

The Assign Users page contains three list boxes placed side-by-side. The Users list box contains the users that are not assigned to the resource. On the right side, the Allowed Users and Denied Users list boxes contain the users that are assigned to the resource, with either the Allowed permission or the Denied permission.

Step 3 To assign a user to the resource with Allowed permission, select that user in the Users list box and click the Assign Allowed Users icon. The selected user is moved from the Users list to the Allowed Users list.

Step 4 To assign a user to the resource with Denied permission, select that user in the Users list box and click the Assign Denied Users icon. The selected user is moved from the Users list to the Denied Users list.

Step 5 To unassign the assigned users in the Allowed Users or Denied Users list box, click the user name and click the Unassign icon. The selected user is unassigned and it is moved from the Allowed Users or Denied Users list to the Users list.

Step 6 For the user-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned user and clicking the appropriate icon near the actions label as explained here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy, page 5-11.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm, page 5-4.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation, page 5-5.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes, page 5-8.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations, page 5-6.

Step 7 Click Save or Done to complete the user-resource association.


Assigning Groups to a Resource

After creating a resource, you can assign groups to it.

To assign groups to a resources, follow these steps:


Step 1 On the Create/Update Resources page, click the Assign Groups tab.

The Assign Groups page is displayed.

Figure 4-66 Create or Update Resource

Step 2 Assign a context for the group-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed. Select the appropriate context from the list to apply the context to the group-resource association.

The Assign Groups page contains three list boxes side-by-side. The Groups list box contains the groups that are not assigned to the resource. On the right side, the Allowed Groups and Denied Groups list boxes contain the groups that are assigned to the resource, with either the Allowed permission or the Denied permission.

Step 3 To assign a group to the resource with Allowed permission, select that group in the Groups list box and click the Assign Allowed Groups icon. The selected group is moved from the Groups list to the Allowed Groups list.

Step 4 To assign a group to the resource with Denied permission, select that group in the Groups list box and click the Assign Denied Groups icon. The selected group is moved from the Groups list to the Denied Groups list.

Step 5 To unassign the assigned groups in the Allowed Groups or Denied Groups list box, click the group name and click the Unassign icon. The selected group is unassigned and it is moved from the Allowed Groups or Denied Groups list to the Groups list.

Step 6 For the group-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned group and clicking the appropriate icon near the actions label as explained here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy, page 5-11.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm, page 5-4.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation, page 5-5.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes, page 5-8.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations, page 5-6.

Step 7 Click Save or Done to complete the group-resource association.


Assigning Roles to a Resource

After creating a resource, you can assign roles to it.

To assign roles to a resource, follow these steps:


Step 1 On the Create/Update Resources page, click the Assign Roles tab.

The Assign Roles page is displayed.

Figure 4-67 Assigning Resource to Roles

Step 2 Assign a context for the role-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed. Select the appropriate context from the list to apply the context to the role-resource association.

The Assign Roles page contains three list boxes side-by-side. The Roles list box contains the roles that are not assigned to the resource. On the right side, the Allowed Roles and Denied Roles list boxes contain the roles that are assigned to the resource, with either the Allowed permission or the Denied permission.

Step 3 To assign a role to the resource with Allowed permission, select that role in the Roles list box and click the Assign Allowed Roles icon. The selected role is moved from the Roles list to the Allowed Roles list.

Step 4 To assign a role to the resource with Denied permission, select that role in the Roles list box and click the Assign Denied Roles icon. The selected role is moved from the Roles list to the Denied Roles list.

Step 5 To unassign the assigned roles in the Allowed Roles or Denied Roles list box, click the role name and click the Unassign icon. The selected role is unassigned and it is moved from the Allowed Roles or Denied Roles list to the Roles list.

Step 6 For the role-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned role and clicking the appropriate icon near the actions label as explained here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy, page 5-11.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm, page 5-4.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation, page 5-5.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes, page 5-8.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations, page 5-6.

Step 7 Click Save or Done to complete the role-resource association.


Deleting a Resource

The Resource Management page (Manage Entities > Resources) allows you to delete resources that are already created under Global, application resource, application, or resource. Click the delete icon near the resource name to delete that resource from the PAP.

Copying a Resource

Using Copy Resources functionality, you can create a copy of an existing resource and place it as a child resource of any other resource inside the same application. The attributes and properties of the copied resource are identical to the original resource, the copied resource inherits the resource hierarchy and actions of the parent resource. The Copy Resource operation does not copy the policies defined on the original resource.

To create a copy of an existing resource in the Resource Management page, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select an appropriate application, application group or Global under which the resource to be copied exists.

A list of all the resources in the above selected application group, application, resource or Global is displayed. You can search for the resource that you want to copy.

Step 3 In the List Resources section, double-click the Copy Resource icon near the resource name whose copy you want to create. A blue image containing the name of the selected resource is displayed near the cursor.

Step 4 Click the resource under which you want to create the copy of the earlier selected resource. The copy of the earlier selected resource is now created under this resource.


Importing Resources

You can import resources from an XML file into a particular application in the PAP.

To import the resources in the PAP, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select an appropriate application under which you want to import the resources.

Step 3 In the List Resources section, click the Import icon beside the application under which you want to import the resources.

A dialog box for importing the resources information from XML file is displayed.

Figure 4-68 Import Resource

Step 4 Browse for the XML file, select it, and click Save. The resources are imported into the PAP under the selected application.


Exporting Resources

You can export resources from a particular application group/application in PAP to an XML file.

To export the resources from PAP, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select an appropriate application or application group from which you want to export the resources.

Step 3 In the List Resources section, click the Export icon which is beside the application or application group from which you want to export the resources.

A dialog box for opening/saving the resources information in XML format is displayed.

Step 4 Click Save to save the Resources.xml file to the appropriate location.


Creating, Updating, or Deleting a Resource Type

The PAP provides the functionality of classifying resources by creating resource types under an application, application group, or Global. Creating a resource type is optional, because the PAP provides two default resource types, UNTYPE and ACTION, at the Global level.

A resource type can have actions and attributes. Actions are the tasks in your business policy that can be executed on a resource. For example, the WebLogic Portlet resource can have actions such as, Maximized, Minimized, Delete, Edit, and View. Attributes contain the information about the characteristics of the resource. For example, filetype can be a resource attribute that can be used to define an html, image, or pdf file type.

To create/update/delete a resource type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > Resource Types.

The Resource Types page is displayed.

Figure 4-69 Resource Type Page

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update/delete a resource type.

The page displays a list of existing resource types for the selected application, application group, or Global.

Step 3 To create a resource type, click Add. To update an existing resource type, check the check box near the resource type and click the Edit icon. To delete an existing resource type, check the check box near the resource type and click the Delete icon.

If you click the Add or the Edit icon, the Create/Update Resource Types page is displayed.

Figure 4-70 Create or Update Resource Type

You can enter the following information in this page for creating the resource type:

Resource Type Name—Name of the resource type.


Note The resource type names have a limitation of 100 characters and the special characters allowed are asterisk(*), hypen (-), and underscore(_).


Description—Description of the resource type.

Select—Select Actions to create the actions for this resource type. Select Attributes to create the attributes for this resource type. Creating actions and attributes for a resource type is optional. You can also create actions and attributes for a resource type by clicking the Add More button to add an Action or an attribute to the resource type.

Each resource type of Action contains the following information.

Action Name—Name of the action

Each resource type of Attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Data type of the attribute, such as, String, Int, Enum, Float, and Password.

Value Type—Select Single if you want the attribute to return a single value. Select Multiple if you want the attribute to return multiple values.

Mandatory—Set the Mandatory field to either Yes or No. When set to `Yes', you must give the attribute value while using this attribute in creating an resource. To this effect, the Attribute value field for the corresponding attribute in the Create Resource page will be shown as a mandatory field.

Step 4 Click Save to save the resource type information in the PAP.


Application Attributes

The Manage Entities section allows you to add, update, delete, and view the application attributes to the already created application attribute sources. Refer to Application Attribute Source, page 7-35 for more information.

Prehook Handlers

In CEPM, when a policy event triggers, an interface plugs that event in a hook for handling thatevent. This is called prehook handler and programmatically this interface is called IHandler.

When any event takes place within the PAP, the handler instantiates an object to that effect. If the handler throws an exception, the triggered event will not occur in the PAP console.

The prehook handler is application-specific, that is, the handler can be invoked for all or few selected application(s) configured with a handler. You must update the <handlers> tag of the pap_config.xml file to this effect. This limits the calling of the handler only in case of events triggered in the specified applications. The <handler> tag takes an attribute as application that can be set to * (for all applications) or a single application name or multiple application names separated by comma.

Here is the sample <handler> tag in pap_config.xml.

<handlers>
        <common-properties>
            <sessionuser>superuser</sessionuser>
            <sessionpassword>admin</sessionpassword>
        </common-properties>
			<handler name="UserHandler" enabled="true" type="*.*" application="Prime 
group:Prime portal">
            <impl>com.cisco.epm.util.handler.UserHandler</impl>
            <properties>
                <prop1>value</prop1>
                <prop2>value</prop2>
            </properties>
        </handler>
    </handlers>

The prehook handler supports consolidated event notification. In case of selecting multiple objects in the console, for instance, the user-role mapping where multiple users are selected and mapped to a specified role, the handler consolidates the multiple mappings as a single event and wraps all corresponding objects into an array-list object and returns as a single object.

Similarly, the handler also works for the following operations:

1. User-based entitlement

2. Assign resources

3. Role-based entitlement

4. Group-based entitlement

5. Group role mapping

6. Group role assignment

7. User role mapping

8. User group mapping

9. User role assignment

10. Bulk user deletion

Here is a sample code for IHandler:

com.cisco.epm.admin.sdk.IHandler; 
public interface IHandler 
{
	void init(Properties props);
	void handle(Object obj, ActionEvent event)throws HandlerException
	void rollback(Object obj, ActionEvent event);   
	void destroy();
}

The IHandler defines the life cycle methods for the hook as explained below:

1. The init() method is called by the framework during startup, to pass in all the properties that can be configured in the configuration file. These properties can be any arbitrary name-value pairs.

For example, you wants to write the policy details to database, when these events are taking place, you can give the database properties here as:

<username>cepmtest</username>
<password encrypted="false'>test123</password>
<url>jdbc:oracle:thin:@localhost:1521:devbdb</url>
<driver>oracle.jdbc.driver.OracleDriver</driver>

The database can be initialized in the init method of the handlerImpl class.

2. The handle(Object obj,ActionEvent event) method is called with every event configured in the pap_config.xml file. Event Table describes the events that are configured in the pap_config.xml file:

Table 4-1 Event Table

Type
Policy Mapping

ResourceRoleMapping

Resource-based

RoleResourceMapping

Role-based

UserResourceMapping

User-based

GroupResourceMapping

Group-based

UserRoleMapping

User role mapping

UserHandler

User creation, update, delete

RoleHandler

Role creation, update, delete

GroupHandler

Group creation, update, delete

GroupRoleMapping

Mapping of a group to role

UserGroupMapping

Mapping a user to group

*.*

All mapping to true


The object holds the value object with required values from the action taking place. When you create a user-/role-/group-based policy on an application using the createPolicy method, you get the policy object. But when such a policy is created on one or more resources (entity to resource mapping) using mapUser/mapGroup/mapRole method, you will get the corresponding entity object. For example, if a user is mapped to multiple resources, you will get the user object, which contains an array of resources.


Note Custom Handlers—You can customize any handler name by modifying the <handlers> tag of pap_config.xml as well as the corresponding handlername in the apiconfiguration.xml file. Make sure that the custom handler name must match in both of these files failing which may throw errors or exceptions. For example, if you want to change the 'UserResourceMapping' handler to 'User Policy Handler', you must modify these files in the following manner:

In pap_config.xml file change the handler tag-

<handler name="UserResourceMapping" enabled="true" type="*.*" application="Prime 
group:Prime portal">

to

<handler name="UserPolicyMapping" enabled="true" type="*.*" application="Prime 
group:Prime portal">

The corresponding API tag in apiconfiguration.xml file is as follows:

<api name="MappingImpl:mapUserToResources" prehook-rollback="false" 
posthook-rollback="false">
<handlerName>UserResourceMapping</handlerName>
<actionEvent>
<action>Map</action>
<actionType>MapUserToResources</actionType>
<actionSource>com.cisco.epm.pap.api.vo.User</actionSource>
</actionEvent>
</api> 

Change the <HandlerName> tag:

<handlerName>UserResourceMapping</handlerName>

to

<handlerName>UserPolicyMapping</handlerName>

3. The rollBack(Object obj,ActionEvent event) method is a call back method that is called by the framework when the handle method fails to persist the data in the product's database.

4. The destroy() method gets invoked at the time of server shutdown. The lifecycle of a handler ends with invoking the destroy() method, which is called by the framework when the PAP is shut down. This allows the handler to clean up the resources it is currently using.

Sequence of Handlerimpl Execution

When the handlerimpl class calls a handler method to perform a task and the handle method fails to execute, it will not perform the framework task and throws a HandlerException.

If the handler method is performed successfully, but the framework event is failed, this will rollback the event performed by the handlerimpl's handle method.

Import/Export

CEPM now supports selective import/export of any data to/from the entitlement repository. You can import/export a single or multiple entities to/from a particular application, application group or Global level.

Import Entities:

To import the entities, follow these steps:


Step 1 From the Select Application drop-down, select the required application group, application or Global into which you want to import entities. It is important to note that, selecting Global will allow you to import entities which were exported under Global level only.Similarly, if you select an application group, you can import entities which are exported from other application group and not from any application.

Step 2 Select one or more entities from the Entities list.

Step 3 Browse for the individual entitiy.xml (for example, Users.xml) or Entities.zip or XacmlPolicies.zip file to be imported.

Step 4 Select any of the following options available under Import button:

Import Selected Entities—allows you to import the selected entities into the selected application group/application.

Import All—allows you to import all the entities into the selected application/application group irrespective of the level from where the entities are exported. For example, if you select Import All option for an application and try to import entities which were exported from an application group, the entire entities will get imported under the selected application.

Import Policies—allows you to import the policies belonging to the application/application group.

This will import the required entities into the selected application.

Export Entities:

To export entities, follow these steps:


Step 1 From the Select Application drop-down, select the required application group, application or Global from which you want to export entities. It is important to note that, selecting Global will allow you to export entities which are created under Global level only. Likewise, if you select an application group, you can export entities which are created under the application group and under Global level. Again, if an application is selected, only the entities created under all levels (Global, Application group and Application) get exported.

Step 2 Select the one or more entities from the Entities list.

Step 3 Select any of the following options available under Export button:

Export Selected Entities—allows you to export the selected entities from the selected application. If you select a single entity from the list, the data will be exported in a xml file. For example, if you select User from the entities list, Users.xml file will be exported. But if you select User, Role and Group, the entities get exported in a zip file i.e. Entities.zip.

Export All—allows you to export all the entities belonging to the selected application group/application. If you select an application group, you can export entities which are created under the application group including the applications. If you select Global, only Global level data will be exported.

Export Policies—allows you to export the policies belonging to the application group/application. If you select Application group, the policies created under the applications constituting the group will be exported.


Note You cannot export policies for an individual entity. When you click this option, all the policies irresective of the entities will get exported.


Step 4 Browse the appropriate target location to save the exported file.

This will create an xml for a single entity (for example, Users.xml), Entities.zip for multiple entities or XacmlPolicies.zip for policies in the targeted location.