Cisco Enterprise Policy Manager User Guide, Release 3.3.2.0
Manage Entities

Table Of Contents

Manage Entities

User Management

Listing or Searching for Users

Creating or Updating a User

Assigning Groups to User

Assigning Roles to a User

Assigning Resources to a User

Assigning Multiple Users to a Role

Assigning Multiple Users to a Group

Deleting a User

Clone User

Copy Entitlements

Viewing Entitlements

Defining Entitlements

Viewing Role and Group Memberships of a User

Importing Users

Importing Users from an XML File

Import Users from an LDAP

Exporting Users

Exporting Users to an MS Excel File

Export Users to an XML File

User Types

Creating a User Type

Group Management

Listing or Searching for Groups

Creating or Updating Groups

Assigning Users to a Group

Assigning Roles to a Group

Assign Resources to a Group

Assigning Multiple Users to a Group

Assigning Multiple Groups to a Role

Deleting a Group

Importing Groups

Creating, Updating, or Deleting Group Types

Role Management

Listing or Searching for Roles

Creating or Updating a Role

Reference Role/Group

Dynamic Role/Group

Assigning Users to a Role

Assigning Groups to a Role

Assigning Resources to a Role

Assigning Multiple Users to a Role

Assigning Multiple Groups to a Role

Deleting a Role

Importing Roles

Exporting Roles

Role Types

Configuring SoD Roles

Configuring DSoD Roles

Role Bundles

Resource Management

Listing or Searching for Resources

Creating or Updating a Resource

Creating Resources from External Sources

Creating Resources from WSDL Source

Creating Resources from Database Source

Creating Resources with Expression

Assigning Users to a Resource

Assigning Groups to a Resource

Assigning Roles to a Resource

Deleting a Resource

Copying a Resource

Importing Resources

Exporting Resources

Creating, Updating, or Deleting a Resource Type

Resource Group

Adhoc Resource Group

Rule Based Resource Group

Creating a Resource Group

Creating an Adhoc Resource Group

Creating a Rule Based Resource Group

Viewing Resource Group

Updating a Resource Group

Deleting a Resource Group

Policy Creation on Resource Group

Application Attributes

Prehook Handlers

Import/Export

Import Entities

Export Entities


Manage Entities


This chapter explains the various operations that you can perform on the Manage Entities tab in the PAP administration console. This chapter has the following sections:

User Management—Create, update, delete, import, export, and clone users. Copy entitlements, define entitlements, and view entitlements for users. Assign roles, groups, and resources to users. Create user types. Add users to roles and add users to groups.

Group Management—Create, update, delete, and import groups. Assign users, roles, and resources to groups. Create group types. Add users to groups and add groups to roles.

Role Management—Create, update, delete, import, and export roles. Configure SoD roles and DSoD roles. Assign users, groups, and resources to roles. Create role types. Add users to roles and add groups to roles. Configure role bundles.

Resource Management—Create, update, delete, import, export, and copy resources and resource groups. Create resources from expression and create resources from external sources. Create resource types. Assign users, groups, and roles to resources (which creates policies for users, groups, and roles). Edit policy, configure Policy Combining Algorithm and obligations, add attributes to return, add policy attributes, and configure rules for policies.

Application Attributes—Add attributes to the existing application attribute sources (PIPs).

Import/Export—Import or export one or more entities under a particular application, application group, or Global in the PAP.


Note The following notes describe the expected behavior of the features mentioned below across the PAP console.

View Entities under various resource levels:

In CEPM, entities are displayed under the different resource levels as follows:

If Global is selected, only the entities created under the Global level are displayed.

If an Application Group is selected, the entities created under the Global level and under that application group (but not under its applications) are displayed. This applies only when entities are listed in a table, not when they are displayed in a tree structure.

If an Application is selected, the entities created under the Global level, under the application group to which the selected application belongs, and under that application are displayed.

For example, on the Home > Manage Entities > Users page, if you select Global in the Select Application drop-down list, only the users created under the Global level are shown. If you select an application group, the users created under that application group and the Global users are shown. If you select an application, the Global users, the users created under the application group to which the application belongs, and the users created under that application are shown.

Pagination:

Pagination is used throughout the CEPM PAP UI wherever entities are shown in a list or a table. Each list or table shows a limited number of entities per page, and the remaining entities are reached through the pagination controls.

If entities are displayed in a table (for example, on the List or Search page for users, groups, or roles), pages are generated automatically when the number of entities exceeds 50. For example, on the Home > Manage Entities > Users page, if a search returns more than 50 users, only the first 50 are shown on the List Users page; use the First, Prev, Next, and Last buttons to reach the remaining users.

If entities are displayed in an Assign table (Assign Users, Assign Groups, and so on), the table contains only the first 500 entities. If there are more than 500, use the Search function to find an entity that is not among the first 500. For example, on the Home > Manage Entities > Roles > Assign Users to a Role page, if there are more than 500 users, only the first 500 are shown in the Users table; to reach the 501st user, use the Search function on that page.

If entities are displayed in a tree structure (as in the resource hierarchy), pagination is applied automatically when the number of entities exceeds 100.


User Management

A user is an employee or external customer or partner of the enterprise who makes a request to access a resource in the software application that needs to be protected. You can assign users to groups as well as roles. Users can be associated with certain characteristics or attributes that contain information about the users.

User management functionality allows you to carry out the following functions related to the management of application users:

List or search for users

Create or edit a user

Delete user

Clone user

Copy entitlements

View entitlements

Define entitlements

View roles and groups to which the user belongs

Import users

Export users

Create user types

Listing or Searching for Users

This page holds the complete list of users present under the selected resource level. To view a list of users or search for a user in a particular application, application group, or Global, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 From the Select Application drop-down list, select the appropriate application, application group, or Global. This page holds the complete list of users depending upon the selected resource level in the following pattern:

Global—If Global is selected, only the Global users (created under the global level) are displayed.

Application Group—If an application group is selected, the list displays all the global users and the users created under the selected application group.

Application—If an application is selected, the list displays all the global users, the users created under the application group to which the selected application belongs, and also the users created under that application.

Figure 4-1 User Home page

Step 3 Search for a particular user in the Search section.

Figure 4-2 Search Section

This section allows you to search for specific users depending upon the search criteria that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria to search for users:

Search for User by Name

Search for User by First Name

Search for User by Last Name

Search for User by E-mail Id

Default

<Other available User Types>

Select a user type as the search key to get all users created with that user type. For example, if you select Default, the result includes only users of the `Global:Default' user type. You can refine the result further with a search value, as described below:

Enter the value to be searched in the Search text box. You can also use the asterisk wildcard character (*) as part of the search value.

For example, to get the list of all the users having 'M' as the first character in their first name, select the search criteria of Search for User by First Name and enter a search value of M*, and click Search. The list of users matching the search criteria and search value is displayed in the List Users section. The following is a sample search result.

Figure 4-3 Search Result

If the search result contains more than 50 users, the list of users spans more than one page. In that case, the list shows the page numbers in sequence starting from 1 (1 2 3 ...). You can navigate to a particular page by clicking its page number.

Step 4 Click Clear to clear the value entered in the search value field.

You can click the following icons in the List Users page to perform the operations described here:

Click this button to create a new user in PAP. For more information, refer to Creating or Updating a User.

Click this button to import users into PAP either from an XML file or from an LDAP. For more information, refer to Importing Users.

Click this icon to export information about the users that are in PAP to an MS Excel file or to an XML file. For more information, refer to Exporting Users.

Click this icon to view the role/group memberships of that user. Before you click this icon, check the check box beside the user name whose role and group memberships you want to view. For more information, refer to Viewing Role and Group Memberships of a User.

[User name]

Click the user name to edit the information of that user. For more information, refer to Creating or Updating a User.

Click this icon to delete one or more users from PAP. Before you click this icon, select the check box beside the user names that you want to delete. For more information, refer to Deleting a User.

Click this icon to create a clone of an existing user. Before you click this icon, select the check box beside the user name whose clone you want to create. The cloned user inherits the role membership, group membership, and entitlements of the parent user. For more information, refer to Clone User.

Click this icon to copy the entitlements of one user to another user. Before you click this icon, select the check box beside the user name whose entitlements you want to copy. For more information, refer to Copy Entitlements.

Click this icon to view the entitlements of a particular user. Before you click this icon, select the check box beside the user name whose entitlements you want to view. For more information, refer to Viewing Entitlements.

Click this icon to define entitlements for a particular user. Before you click this icon, select the check box beside the user name for whom you want to define the entitlements. For more information, refer to Defining Entitlements.



Creating or Updating a User

To create or update a user in a particular application, application group, or Global, follow these steps:

Figure 4-4 Create or Update User


Step 1 Enter the following information in this page for creating or updating user:

User Name—Unique name for the user.


Note User names are limited to 100 characters, and the only special characters allowed are hash (#), dollar ($), ampersand (&), parentheses [()], less than (<), greater than (>), tilde (~), apostrophe ('), plus (+), forward slash (/), asterisk (*), hyphen (-), underscore (_), and at sign (@).


First Name—First name of the user.

Last Name—Last name of the user.

E-mail ID—E-mail ID of the user.

User Status—Set it to Active. If set to Inactive, this user is not allowed to access any of the resources.

User Type—Select an appropriate user type for this user. By default, the value selected for the User Type is Global:Default. You can create a new user type by clicking Create New User Type. Click View Attributes to view the attributes associated with the user type. This lists out the attributes of the selected user type for evaluation purpose.


Note In CEPM, the single quote (') character cannot be used in an attribute value. This applies to all six entity types: user type, group type, role type, resource type, application type, and application group type.


Step 2 Click Save to save the above information in PAP.

Step 3 To assign this user to any role, group, or resource on this page, click Next or click the appropriate tab i.e. Assign Roles, Assign Groups, or Assign Resources, to assign this user to the appropriate roles, groups, or resources.

Step 4 Click Done after you have created or updated the user information and assigned it to appropriate roles, groups, or resources.


Note Assigning the new user to roles, groups, and resources is not mandatory on this page. This operation can also be carried out later using either of the methods described below, after the user is successfully created in the PAP:

In the User Management page (Manage Entities > Users), select the user name, for which you want to assign roles, groups, or resources. The Create/Update User page is displayed. On this page, you can click the appropriate tab, Assign Roles, Assign Groups, or Assign Resources, to assign the selected user to the appropriate roles, groups, or resources. You can also click Next to navigate through these tabs one by one.

You can click the links, Add Users to Roles and Add Users to Groups in the Manage Entities > Advanced > Entity Assignments section to add the user to appropriate roles and groups respectively.
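A pre-check for user names, as an added example that is not part of this guide or of CEPM. It encodes the 100-character limit and the allowed special characters listed in the note above, and shows how to escape the allowed characters that are significant in XML (&, <, >, and the apostrophe) before writing names into an XML import file. It assumes that letters and digits are allowed alongside the listed characters and that anything else (including spaces and periods) is not; the guide does not state this explicitly.

```python
"""User-name pre-check for CEPM imports (added example, not CEPM code)."""
import string
from typing import Dict, Iterable, List
from xml.sax.saxutils import escape

MAX_LEN = 100
# Exactly the special characters the guide lists as allowed in user names.
ALLOWED_SPECIAL = "#$&()<>~'+/*-_@"
# Assumption: letters and digits are also allowed; spaces, periods and other punctuation are not.
ALLOWED = set(string.ascii_letters + string.digits + ALLOWED_SPECIAL)


def validate_user_name(name: str) -> List[str]:
    """Return the problems found; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted({c for c in name if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def xml_text(name: str) -> str:
    """Escape a name for element text or a quoted attribute value in an XML import file.

    &, <, > and the apostrophe are valid in a CEPM user name but are XML metacharacters,
    so they must be written as entities; saxutils.escape handles &, < and >, and the
    entities map covers the two quote characters.
    """
    return escape(name, {"'": "&apos;", '"': "&quot;"})


def check_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Validate a batch and return {name: problems} for the names that fail."""
    failures = {}
    for n in names:
        problems = validate_user_name(n)
        if problems:
            failures[n] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample names.
    for n in ["jdoe", "O'Brien&Co<Sales>", "j.doe", "first last", "a" * 101]:
        print(repr(n), validate_user_name(n) or "ok")
    print(xml_text("O'Brien&Co<Sales>"))  # O&apos;Brien&amp;Co&lt;Sales&gt;
```

Run the check over the names in an XML or LDAP import before loading it, so that a rejected name surfaces as a validation failure rather than a partial import.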


Assigning Groups to User

After creating a user, you can assign groups to it.

To assign groups to a user, follow these steps:


Step 1 Go to the Create or Update Users page.

Step 2 Click the Assign Groups tab.

The Assign Groups page is displayed.

Figure 4-5 Assign Groups to Users

Step 3 If a large number of groups are under the selected application, you can search for a particular group using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a group, enter the full name (not the fully qualified name) or first few characters of the group name, select the Search group from the drop-down list, and click Search. All the Groups that match the search criteria are displayed.

Step 4 Assign a context for the user-group association that you are going to create by clicking the Context icon that is next to the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the user-group association.

The Assign Group page contains two list boxes. The Groups list box contains the groups that are not assigned to the user. The Assigned Groups list box contains the groups that are assigned to the user.

Step 6 To assign a group to the user, select that group in the Groups list box and click the Assign icon. The selected group is moved from the Groups list to the Assigned Groups list.

Step 7 To unassign any assigned groups in the Assigned Groups list box, click the group name and click the Unassign icon. The selected group is unassigned and it is moved from the Assigned Groups list to the Groups list.

Step 8 To set the user attribute and group attribute values to this user-group association, select the assigned group and click the Set Scoped Attribute Values icon next to the Actions label.

Step 9 Click Save to complete the user-group association.


Assigning Roles to a User

After creating a user, you can assign roles to the user.

To assign roles to a user, follow these steps:


Step 1 Go to Create or Update Users page.

Step 2 Click the Assign Roles tab.

The Assign Roles page is displayed.

Figure 4-6 Assign Roles to Users

Step 3 If a large number of roles are under the selected application, you can search for a particular role or roles using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a role, select the Search Role from the drop-down list, enter the full name (not the fully qualified name) or first few characters of the role name, and click Search. All the roles that match the search criteria are displayed.

Step 4 Select the appropriate role bundle from the Role Bundle list.

Step 5 Assign a context for the user-role association that you are going to create by clicking the Context icon that is near the context label. A list of contexts is displayed.

Step 6 Select the appropriate context from the list to apply the context to the user-role association.

The Assign Role page contains two list boxes. The Roles list box contains the roles that are not assigned to the user. The Assigned Roles list box contains the roles that are assigned to the user.

Step 7 To assign a role to the user, select that role in the Roles list box and click the Assign icon. The selected role is moved from the Roles list to the Assigned Roles list.

Step 8 To unassign the assigned roles in the Assigned Roles list box, click the role name and click the Unassign icon. The selected role is unassigned and it is moved from the Assigned Roles list to the Roles list.

Step 9 To set the user attribute and role attribute values to this user-role association, select the assigned role and click the Set Scoped Attribute Values icon near the actions label.

Step 10 Click Save to complete the user-role association.


Assigning Resources to a User

After creating a user, you can assign resources to the user.

To assign resources to a user, follow these steps:


Step 1 Go to Create or Update Users page.

Step 2 Click the Assign Resources tab.

The Assign Resources page is displayed.

Figure 4-7 Assign Resources to Users

Step 3 If a large number of resources are under the selected application, you can search for a particular resource or resources using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a resource, select the Search Resource from the drop-down list, enter the full name (not the fully qualified name) or the first few characters of the resource name, and click Search. All the resources that match the search criteria are displayed.

Step 4 Assign a context for the user-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the user-resource association.

The Assign Resources page contains three list boxes. The Resources list box contains the resources that are not assigned to the user. The Allowed Resources and Denied Resources list boxes contain the resources that are assigned to the user, with either the Allow or Deny permission.

Step 6 To assign a resource to the user with Allow permission, select that resource in the Resources list box and click the Assign Allowed Resources icon. The selected resource is moved from the Resources list to the Allowed Resources list.

Step 7 To assign a resource to the user with Deny permission, select that resource in the Resources list box and click the Assign Denied Resources icon. The selected resource is moved from the Resources list to the Denied Resources list.

Step 8 To unassign the assigned resources in the Allowed Resources or Denied Resources list box, click the resource name and click the Unassign icon. The selected resource is unassigned and it is moved from the Allowed Resources or Denied Resources list to the Resources list.

Step 9 For the user-resource association, you can also assign rules, configure Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

To do this, select the assigned resource and click the appropriate icon near the actions label as explained here:

Add rule—Click the Add rule icon. The pop-up page for adding the rules is displayed. For more information, refer to Add Rules to a Policy.

Configure Policy Combining Algorithm—Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm.

Add attributes to return—Click the Add attributes icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation.

Add policy attributes—Click the Add Policy attribute icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes.

Edit policy—Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations.

Step 10 Click Save to complete the user-resource association.


Assigning Multiple Users to a Role

You can assign multiple users to a role in the PAP.

To assign multiple users to a role, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Assignments > Add Users to Roles.

The Assign Users to Roles page is displayed.

Step 2 Select the application, application group, or Global under which the users are to be assigned to the existing roles.

Step 3 Select the appropriate role bundle from the Role Bundle drop-down list.

Step 4 Select the appropriate context by clicking the Context icon in the upper-right side of the page.

All the users and roles pertaining to the selected application, application group, or Global are displayed in the Users section and Roles section respectively.

Figure 4-8 Assigning multiple Users to a Role

Step 5 To search for a particular user or particular role, enter the appropriate search criteria and search value in the Search section for users and roles.

Step 6 In the Users list, select the check boxes for the users for whom the roles need to be assigned.

Step 7 In the Roles list, click the Map Users icon beside the role name to which you want to assign the selected users.

This completes the mapping of the selected users to the selected roles.

To export the information about the roles mapped to users to an MS Excel/XML file, click Export.

To import the information, click Import.

To view the users that are assigned to a role, click the List Users icon next to the role name. For example, to view the users mapped to the Dynamic role, click the List Users icon for that role; the List Users for Role page is displayed.

Figure 4-9 List Users for Role

You can set the attributes for every user-role mapping by clicking the Attribute button for that user mapping in the pop-up window. The PDP returns these scoped attributes along with the decision for the specified user.

Scoped Attributes—During rule evaluation, the PDP uses the entity type attributes, NOT the scoped attributes.

For example, a user Joe of user type UT1 has the attribute ID with the value `123', and the role Role1 of role type RoleType1 has the attribute Val with the value `8'. Joe is mapped to Role1. When you click the List Mapped Users for Role icon beside the role name, the List Users for Role page is displayed.

Figure 4-10 Scoped Attributes

Click the Set Attribute Values icon. The Set Attributes Values page is displayed.

Figure 4-11 Set Attribute Values

Enter values for the User Attributes (ID as 789) and Role Attributes (Val as 4), and click Save. During rule evaluation, the PDP uses the original entity type attributes (ID as 123 and Val as 8), not these scoped values.

For example, the role Role1 of type RoleType1 is mapped to the resource Res2. Click the Set Rule(s) on Selected Policy icon. The Create/Update Role page is displayed.

Figure 4-12 Create or Update Role

Set the following values for the rule and click Set Rules:

LHS=ROLE:RoleType1:Val

Operator=equalto

RHS=8

When a PEP request from Joe for Res2 arrives, CEPM checks whether Val is equal to 8. If it is, Joe is granted access to Res2; if it is not, access is denied. Because the type attribute Val is 8, Joe is permitted even though the scoped value on his mapping is 4.


Note The Scoped Attributes do not participate in the rule evaluation.


Inclusive or Exclusive Assignment: When a dynamic role is assigned to a user, the assignment (User Role Status) can be set to inclusive or exclusive. The status determines how the rule configured on the dynamic role applies to that user. If set to inclusive, the rule on the role is still executed, but even if it evaluates to false the user is treated as an exception and granted access to the resources. If set to exclusive, the user is excluded and denied access even if the rule on the role is satisfied.

For example, the dynamic role NY Trader has the rule Location equals New York, and the role is assigned to Mary and Tom (see Inclusive or Exclusive Assignment). Mary is in New York whereas Tom is in Chicago. You also have an Allow:NY Trader policy on View Trades. When you click the Attribute button for Mary, the Set Attributes Values window is displayed.

Figure 4-13 Inclusive or Exclusive Assignment

If you set Mary's user role status to exclusive, Mary is denied access even though she is in New York and satisfies the rule. If you set Tom's user role status to inclusive, Tom is granted access as an exception even though he is in Chicago and does not satisfy the rule. With no status set, the rule alone decides: Mary is granted access and Tom is denied.
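The scoped-attribute behavior and the inclusive/exclusive assignment described above, modelled in one added example. This is illustrative code written for this guide, not CEPM's PDP. It assumes a rule LHS of the form ENTITY:Type:Attribute (as in ROLE:RoleType1:Val), supports only the equalto operator, models Allow policies only (no Deny policies or Policy Combining Algorithm), and gives the NY Trader role an assumed role type, TraderType, because the page does not name one.

```python
"""Illustrative model of CEPM dynamic-role evaluation (added example, not CEPM code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    lhs: str        # "ENTITY:Type:Attribute", e.g. "ROLE:RoleType1:Val" (format assumed)
    operator: str   # only "equalto" is modelled
    rhs: str


@dataclass
class Entity:
    name: str
    entity_type: str
    type_attrs: dict = field(default_factory=dict)  # attribute values on the entity type


@dataclass
class Role(Entity):
    rule: Optional[Rule] = None   # a rule on the role makes it a dynamic role


@dataclass
class Membership:
    """A user-role mapping with its scoped attributes and User Role Status."""
    user: str
    role: str
    scoped_attrs: dict = field(default_factory=dict)
    status: Optional[str] = None  # None, "inclusive" or "exclusive"


@dataclass
class Policy:
    """An Allow:<role> policy on a resource, optionally with its own rule."""
    resource: str
    role: str
    rule: Optional[Rule] = None


def resolve(lhs: str, user: Entity, role: Role) -> Optional[str]:
    """Resolve an LHS from the entity's type attributes; scoped values are never read here."""
    kind, etype, attr = lhs.split(":")
    entity = {"USER": user, "ROLE": role}[kind]
    return entity.type_attrs.get(attr) if entity.entity_type == etype else None


def rule_holds(rule: Optional[Rule], user: Entity, role: Role) -> bool:
    if rule is None:
        return True
    if rule.operator != "equalto":
        raise ValueError("unsupported operator: " + rule.operator)
    return resolve(rule.lhs, user, role) == rule.rhs


def is_member(user: Entity, role: Role, m: Membership) -> bool:
    """Inclusive grants and exclusive excludes regardless of the dynamic role's rule."""
    if role.rule is None:
        return True
    if m.status == "inclusive":
        return True
    if m.status == "exclusive":
        return False
    return rule_holds(role.rule, user, role)


def decide(user, resource, roles, memberships, policies):
    """Return (decision, scoped attributes returned with the decision)."""
    permitted, returned = False, {}
    for m in (x for x in memberships if x.user == user.name):
        role = roles[m.role]
        if not is_member(user, role, m):
            continue
        for p in policies:
            if p.resource == resource and p.role == role.name and rule_holds(p.rule, user, role):
                permitted = True
                returned.update(m.scoped_attrs)   # returned with the decision, never evaluated
    return ("Permit" if permitted else "Deny"), returned


def joe_on_res2(type_val="8", scoped_val="4"):
    """Joe (UT1, ID=123) in Role1 (RoleType1, Val=type_val) requesting Res2; scoped Val=scoped_val."""
    joe = Entity("Joe", "UT1", {"ID": "123"})
    role1 = Role("Role1", "RoleType1", {"Val": type_val})
    m = Membership("Joe", "Role1", scoped_attrs={"ID": "789", "Val": scoped_val})
    pol = Policy("Res2", "Role1", Rule("ROLE:RoleType1:Val", "equalto", "8"))
    return decide(joe, "Res2", {"Role1": role1}, [m], [pol])


def ny_trader(mary_status=None, tom_status=None):
    """Mary (New York) and Tom (Chicago) on dynamic role NY Trader; Allow:NY Trader on View Trades."""
    mary = Entity("Mary", "UT1", {"Location": "New York"})
    tom = Entity("Tom", "UT1", {"Location": "Chicago"})
    ny = Role("NY Trader", "TraderType", rule=Rule("USER:UT1:Location", "equalto", "New York"))
    roles = {"NY Trader": ny}
    ms = [Membership("Mary", "NY Trader", status=mary_status),
          Membership("Tom", "NY Trader", status=tom_status)]
    pols = [Policy("View Trades", "NY Trader")]
    return (decide(mary, "View Trades", roles, ms, pols)[0],
            decide(tom, "View Trades", roles, ms, pols)[0])


if __name__ == "__main__":
    print(joe_on_res2())                        # ('Permit', {'ID': '789', 'Val': '4'})
    print(joe_on_res2(scoped_val="99"))         # still Permit: the scoped Val is ignored
    print(joe_on_res2(type_val="9"))            # ('Deny', {})
    print(ny_trader())                          # ('Permit', 'Deny')
    print(ny_trader("exclusive", "inclusive"))  # ('Deny', 'Permit')
```

The two scenario functions make the point of the section testable: changing the scoped value on Joe's mapping never changes the decision, while changing the role type's value does, and an inclusive or exclusive status on a dynamic-role mapping overrides the role's rule in both directions.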

Assigning Multiple Users to a Group

You can assign multiple users to a group in PAP.

To assign multiple users to a group, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Assignments > Add Users to Groups.

The Assign Users to Groups page is displayed.

Step 2 Select the application, application group, or Global under which the users are to be assigned to the groups.

Step 3 Select the appropriate context by clicking the Context icon in the upper-right side of the page.

All the users and groups pertaining to the above selected application, application group, or Global are displayed in the Users section and Groups section respectively.

Figure 4-14 Assigning Multiple Users to Group

Step 4 To search for a particular user or for a particular group, enter the appropriate search criteria and search value in the Search section for users and groups.

Step 5 From the Users list, select the check boxes for the users for whom the groups need to be assigned.

Step 6 In the Groups list, click the Map Users icon beside the group name to which you want to assign the selected users.

You have mapped the users to the groups.

You can also view the users that are assigned to a group by clicking the List Users icon near the group name.


Deleting a User

The User Management page (Manage Entities > Users) allows you to delete application users from the PAP console in the following ways:

A single user can be deleted by checking the check box next to the user name and then clicking either the Delete button or the Delete link.

Multiple users can be deleted in the same way by checking the check boxes adjacent to each user and then clicking the Delete button or link.

All the users on the List Users page can be deleted by clicking the Select All link and then clicking the Delete button or link.

All the users under the selected application/application group/Global can be deleted by clicking the Delete All link.

Click Clear All link to unselect all the check boxes that are next to all the user names.

Clone User

In CEPM, cloning refers to copy by value. A cloned user is identical to the parent user in all respects except the name. All attributes and properties of the parent user are copied to the cloned user. For example, if User1 is cloned as User2, User2 inherits membership of all the groups and roles to which User1 belongs. In addition, User2 inherits all the entitlements defined for User1. Editing the parent user automatically updates the cloned user.

To create a clone of an existing user in the User Management page, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global under which the user to be cloned exists.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user who you want to clone.

Step 3 From the List Users section, select the check box of the user to be cloned (the parent user) and click the Clone User icon.

A page is displayed where you can search for the user that is to become the clone of the parent user.

Step 4 From the List Users section, select the check box of the user that is to become the clone of the parent user and click Continue.

The Clone confirmation page is displayed summarizing the users that are selected for the cloning process. It also provides you with an option to override existing roles. If you select yes for the Override Existing Roles, then the cloned user's existing role memberships are deleted and the parent user's role memberships are copied to the cloned user. If No is selected for the Override Existing Roles, then the cloned user retains the existing role memberships and also inherits the parent user's role memberships.

Figure 4-15

Clone User

Step 5 Click Finish to complete the cloning process or click Back to modify the users that are selected for the cloning process.

You can verify that the mappings and policies of the cloned user match those of the parent user.


Copy Entitlements

In CEPM, there is a clear distinction between the Clone User and Copy Entitlements functions. As mentioned earlier, cloning is copy by value, whereas copying entitlements is copy by reference. You can copy the entitlements of one user to another user, so that all policies of the first user apply to the second. Unlike cloning, the policies that the copied user inherits from its parent are not visible in the UI after you configure copy entitlements; the PDP evaluates the access request by referring to the access permissions of the parent user. For example, if User1 has an Allow policy on the resource "View Reports" and you copy the entitlements of User1 to User2, the PAP UI shows no policy for User2 on that resource. At run time, however, if User2 sends an access request for "View Reports", the PDP checks whether any Copy Entitlements are configured for User2 and, if so, returns a Permit decision for User2 based on the permissions granted to User1 on the requested resource.

To copy entitlements of one user to another user, follow these steps:


Step 1 Choose Manage Entities > Users.

The User Management page is displayed.

Step 2 Select an appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global are displayed. You can search for the user whose entitlements you want to copy.

Step 3 From the List Users section, select the user check box whose entitlements need to be copied (parent user) and then click the Copy Entitlement icon.

The Copy User page is displayed where you can search for the user to whom you want to copy the entitlements from the parent user.

Figure 4-16 Copy Users

Step 4 From the List Users section, select the check box for the appropriate user and then click Continue.

The Copy Confirmation page is displayed.

Figure 4-17 Copy Confirmation

The Copy Confirmation page contains the summary of the users that are selected for the copy entitlements operation. It also provides you with an option to set the time frame (From Date and To Date). If a particular time frame is provided, the copied entitlements are applicable for this specified time frame to the copied user.


Note If no value is entered for the time frame, the behavior of the PAP system is as if the copied entitlements are not applied to the copied user. As a result, the copied entitlements are considered to be invalid.


You can also define a recurrence for these settings so that the selected user (to whom you have delegated the user entitlements) receives the same entitlements in every recurrence period.


Note The recurrence period remains in effect until a different setting is defined. You can also disable recurrence by selecting Clear Recurrence from the list.


The following recurrence periods can be defined for this purpose:

Daily—This enables the recurrence of the copied entitlements on a daily basis. You can make the user entitlements available to the copied user every day or only on weekends by selecting the corresponding option (as shown in Recurrence-Daily).

Figure 4-18 Recurrence-Daily

Weekly—If the From Time and To Time fall within the same week and Weekly is selected, the copy entitlement is in effect on a weekly basis during the defined recurrence time period.

Figure 4-19 Recurrence-Weekly

You can select multiple days of a week on which the copied user can utilize the user entitlements.

Monthly—You can set the recurrence of the copy entitlement on a monthly basis as follows:

Figure 4-20 Recurrence-Monthly

You get two options for this purpose:

Using the first option, you can set the monthly recurrence to one particular day of every month. To do this, select the first option (as shown in Recurrence-Yearly) and enter a number (between 1 and 31); all the user entitlements are then available to the copied user on the specified day of every month.

Using the second option, you can select the first, second, third, fourth, or last occurrence of a weekday (Monday to Sunday) in the month for the recurrence of the copied entitlements.

Yearly—You can set the recurrence of the copy entitlement on a yearly basis.

Figure 4-21 Recurrence-Yearly

It is similar to the monthly recurrence period, with the additional option of selecting the month, so that the copied entitlements are in force on the specified days of the selected month every year.


Note If you do not specify the Time Range but set the Recurrence to any of the available options (that is, Daily/Weekly/Monthly/Yearly), CEPM executes the policy and gives decisions based on the set recurrence only. For example, for a policy Allow:Test with recurrence set to Daily > Every weekend, the policy gives an Allow decision when executed on a weekend and a Deny decision when executed on a weekday.


Clear Recurrence—When you click this option and save the setting, the recurrence of copy entitlement is terminated.

Step 5 Click Save to complete the copy entitlements process or click Back to modify the users that are selected for the copy entitlements operation.
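The copy-by-reference behavior described at the start of this section, together with the time frame and recurrence options above, can be modeled in a few lines. The following is an added example, not CEPM code: it keeps a toy policy table and a copy-entitlement link per user, hides copied entitlements from the "UI" view, and lets a toy PDP resolve them against the parent user at evaluation time. The user names, dates and the rule that "no time frame and no recurrence means the copied entitlements are invalid" follow the text above; the data structures and function names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional, Tuple, Union

# Constructed sample data (not CEPM's own model): the policies the PAP UI
# shows for a user, keyed by (user, resource) -> decision.
DIRECT_POLICIES: Dict[Tuple[str, str], str] = {
    ("User1", "View Reports"): "Allow",
}


@dataclass(frozen=True)
class Recurrence:
    """One of the recurrence options on the Copy Confirmation page."""
    kind: str                               # "daily", "weekly", "monthly", "yearly" or "clear"
    weekends_only: bool = False             # daily: only weekends instead of every day
    weekdays: FrozenSet[int] = frozenset()  # weekly: 0 = Monday ... 6 = Sunday
    day_of_month: Optional[int] = None      # monthly/yearly, first option: 1..31
    nth: Optional[int] = None               # monthly/yearly, second option: 1..4, or -1 for "last"
    nth_weekday: Optional[int] = None       # weekday (0..6) for the second option
    month: Optional[int] = None             # yearly: 1..12


@dataclass(frozen=True)
class CopyEntitlement:
    """Copy-by-reference link from a copied user back to its parent user."""
    parent: str
    from_date: Optional[datetime] = None
    to_date: Optional[datetime] = None
    recurrence: Optional[Recurrence] = None


# Constructed sample: User2 inherits User1's entitlements on weekends during 2009,
# User3 inherits them on Mondays and Wednesdays with no time frame at all, and
# User4 has neither a time frame nor a recurrence.
COPY_ENTITLEMENTS: Dict[str, CopyEntitlement] = {
    "User2": CopyEntitlement("User1", datetime(2009, 3, 1), datetime(2009, 12, 31),
                             Recurrence("daily", weekends_only=True)),
    "User3": CopyEntitlement("User1", recurrence=Recurrence("weekly", weekdays=frozenset({0, 2}))),
    "User4": CopyEntitlement("User1"),
}


def _as_dt(when: Union[str, datetime]) -> datetime:
    """Accept either a datetime or an ISO-8601 string such as "2009-03-07"."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def nth_weekday_matches(when: datetime, nth: int, weekday: int) -> bool:
    """True if `when` is the nth (or, with nth == -1, the last) given weekday of its month."""
    if when.weekday() != weekday:
        return False
    if nth == -1:
        return (when + timedelta(days=7)).month != when.month
    return (when.day - 1) // 7 + 1 == nth


def recurrence_matches(rec: Recurrence, when: Union[str, datetime]) -> bool:
    """Does the recurrence setting select the given day?"""
    day = _as_dt(when)
    if rec.kind == "daily":
        return day.weekday() >= 5 if rec.weekends_only else True
    if rec.kind == "weekly":
        return day.weekday() in rec.weekdays
    if rec.kind in ("monthly", "yearly"):
        if rec.kind == "yearly" and day.month != rec.month:
            return False
        if rec.day_of_month is not None:
            return day.day == rec.day_of_month
        return nth_weekday_matches(day, rec.nth, rec.nth_weekday)
    raise ValueError(f"unknown recurrence kind {rec.kind!r}")


def copied_entitlement_active(ce: CopyEntitlement, when: Union[str, datetime]) -> bool:
    """Apply the time-frame and recurrence rules from the text above."""
    day = _as_dt(when)
    has_window = ce.from_date is not None and ce.to_date is not None
    has_recurrence = ce.recurrence is not None and ce.recurrence.kind != "clear"
    if not has_window and not has_recurrence:
        return False  # no time frame, no recurrence: copied entitlements are invalid
    if has_window and not (ce.from_date <= day <= ce.to_date):
        return False
    if has_recurrence and not recurrence_matches(ce.recurrence, day):
        return False  # recurrence without a time frame: the recurrence alone decides
    return True


def visible_policies(user: str) -> Dict[str, str]:
    """What the PAP UI lists for a user: direct policies only, never copied ones."""
    return {res: dec for (u, res), dec in DIRECT_POLICIES.items() if u == user}


def decide(user: str, resource: str, when: Union[str, datetime]) -> str:
    """Toy PDP: a direct policy wins; otherwise follow an active copy-entitlement link."""
    direct = DIRECT_POLICIES.get((user, resource))
    if direct is not None:
        return direct
    ce = COPY_ENTITLEMENTS.get(user)
    if ce is not None and copied_entitlement_active(ce, when):
        # Copy by reference: the parent's permission is looked up now, so a later
        # change to User1's policy flows through to User2 without any re-copy.
        return DIRECT_POLICIES.get((ce.parent, resource), "Deny")
    return "Deny"


if __name__ == "__main__":
    for day in ("2009-03-07", "2009-03-09"):  # a Saturday and a Monday
        print(day, "User2 -> View Reports:", decide("User2", "View Reports", day))
```

Because the link is by reference, an audit that only reads the UI policy list for User2 (what `visible_policies` returns) misses the access that User2 effectively has; to see it you must follow the Copy Entitlements configuration back to the parent, which is why the List User Roles Groups page shows the users whose entitlements were copied to a user.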


Viewing Entitlements

You can view the list of entitlements for a particular user in the User Management page.

To view the list of entitlements for a particular user, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user whose entitlements you want to view.

Step 3 From the List Users section, check the User check box whose entitlements you want to view and then click the View Entitlements icon.

A page is displayed with the list of resources that the selected user is permitted to access. The resources are displayed in the form of a Global resource tree that lists all the resource names, some in red and some in green. A green resource indicates that the selected user is permitted to access that resource, and a red resource indicates that the selected user does not have permission to access that resource.


Defining Entitlements

You can define the entitlements for a particular user in the User Management page.

To define the entitlements for a particular user, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user for whom you want to define the entitlements.

Step 3 From the List Users section, select the user check box for whom you want to define the entitlements and then click the Define Entitlements icon.

The Policy Management By User page is displayed. For more information, refer to Entitlement Management by Users.


Viewing Role and Group Memberships of a User

You can view the role and group memberships of a user in the User Management page.

To view the role and group memberships of a user, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application, application group, or Global.

A list of all the users in the selected application, application group, or Global is displayed. You can search for the user whose role and group memberships you want to view.

Step 3 In the List Users section, select the check box beside the user name whose role and group memberships you want to view and then click the Role/Group icon.

The List User Roles Groups page is displayed, which contains the role and group memberships of the selected user. The page also shows the list of users whose entitlements have been copied to this user.

Figure 4-22 List User Roles Group

Apart from the regular roles/groups, the role/group list contains the dynamic roles/groups assigned to the selected user only after the rule configured on the concerned dynamic group/role has been evaluated. The dynamic group/role is displayed in the list only if its rule is satisfied for the selected user. For example, if Mary is mapped to a dynamic role called Role 3, when you select Mary for viewing her roles and groups, the PAP sends a request to the respective PDP to evaluate the rule configured on Role 3. Only if the rule is satisfied for Mary is Role 3 displayed in the list; if not, the role is not displayed, even though Mary is mapped to Role 3.

Moreover, this list also contains a dynamic role/group whose relationship with the user is established through the dynamic rule configured on it, even though the user is not directly mapped to the dynamic role but is mapped to the parent static role of that dynamic role. For example, suppose that under a static role there is a dynamic role created with a rule that says 'subject' 'equals to' 'John'. If John is mapped to the static role, then while viewing the list of roles/groups for John you also find the dynamic role along with the static role in the list, because the rule establishes the user-role relationship between John and the dynamic role.
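The two membership rules just described (a dynamic role is listed only when its rule is satisfied, and a dynamic role under a static role the user is mapped to is evaluated as well) are easy to get wrong when reviewing access, so here is an added example that implements them. This is not CEPM code: the `Role` structure, the rule tuple `(attribute, operator, value)`, the role names other than Role 3, and the user attribute dictionaries are all this example's assumptions; a real PAP would send the rule to the PDP instead of evaluating it locally.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (attribute, operator, value), e.g. ("subject", "equals", "John")


@dataclass(frozen=True)
class Role:
    name: str
    dynamic: bool = False
    rule: Optional[Rule] = None     # only dynamic roles carry a rule
    parent: Optional[str] = None    # static role this dynamic role was created under


# Constructed sample roles: Role 3 follows the Mary example in the text; the
# "Static Role"/"Dynamic Role" pair follows the John example.
ROLES: Dict[str, Role] = {
    "Role 3": Role("Role 3", dynamic=True, rule=("department", "equals", "Finance")),
    "Static Role": Role("Static Role"),
    "Dynamic Role": Role("Dynamic Role", dynamic=True,
                         rule=("subject", "equals", "John"), parent="Static Role"),
}

# Constructed direct user -> role mappings as an administrator would configure them.
USER_ROLE_MAP: Dict[str, List[str]] = {
    "Mary": ["Role 3"],
    "John": ["Static Role"],
    "Alice": ["Static Role"],
}


def evaluate_rule(rule: Rule, attrs: Dict[str, str]) -> bool:
    """Stand-in for the PDP's rule evaluation; supports the operators used here."""
    attribute, operator, value = rule
    actual = attrs.get(attribute)
    if operator == "equals":
        return actual == value
    if operator == "not equals":
        return actual != value
    raise ValueError(f"unsupported operator {operator!r}")


def list_memberships(user: str, attrs: Optional[Dict[str, str]] = None) -> List[str]:
    """Roles the List User Roles Groups page would show for `user`.

    Candidates are the directly mapped roles plus every dynamic role whose parent
    static role is directly mapped.  Static candidates are always listed; dynamic
    candidates are listed only when their rule is satisfied for this user.
    """
    subject_attrs = {"subject": user, **(attrs or {})}
    direct = USER_ROLE_MAP.get(user, [])
    candidates = list(direct)
    for role in ROLES.values():
        if role.dynamic and role.parent in direct and role.name not in candidates:
            candidates.append(role.name)
    shown = []
    for name in candidates:
        role = ROLES[name]
        if not role.dynamic or evaluate_rule(role.rule, subject_attrs):
            shown.append(name)
    return shown


if __name__ == "__main__":
    print("Mary (Finance):", list_memberships("Mary", {"department": "Finance"}))
    print("Mary (Sales):  ", list_memberships("Mary", {"department": "Sales"}))
    print("John:          ", list_memberships("John"))
    print("Alice:         ", list_memberships("Alice"))
```

The practical consequence for an access review is that the mapping table alone (`USER_ROLE_MAP`) is neither a superset nor a subset of effective membership: Mary's mapping to Role 3 may confer nothing, while John's single mapping confers two roles.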


Importing Users

You can import users from an XML file or from an LDAP into a particular application, application group, or Global in the PAP. The XML files are generated by using the Export Users feature, which is discussed in the next chapter. The import of entities is level-specific: application group entities can be imported only at the application group level, and application entities can be imported only within applications. While importing users, you must ensure that the users being imported belong to the selected level (application group or application). This means that users at the application group level must be imported from an application group only. For example, suppose you have two application groups (AppGrp1, AppGrp2) and two applications (App1 under AppGrp1 and App2 under AppGrp2). Using this feature, you can import the users of AppGrp1 into AppGrp2 only, and not into the application level (App1 and App2). The same applies at the application level: you can import users from App1 into App2, but not into AppGrp2.

To import the users, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select the appropriate application group or application under which you want to import the users. As mentioned above, if you select an application group, you can import users only from another application group and not from the application level.

From the page shown in Import Users from XML or LDAP, you can import users from XML or from an LDAP/AD.

Figure 4-23 Import Users from XML or LDAP

Importing Users from an XML File

To import users from an XML file, follow these steps:


Step 1 On the User Management page, choose Import > From XML. A dialog box for importing the user information from an XML file is displayed.

Figure 4-24 Importing Users from an XML file

Step 2 Browse for the XML file, select the file and click Save. The users are imported into PAP.


Import Users from an LDAP

To import users from an LDAP, follow these steps:


Note Before importing users into PAP, the user attribute source needs to be created. Refer to Add User Attribute Source for more details about creating the user store.



Step 1 On the User Management page, choose Import > From LDAP. The Import user page is displayed.

Figure 4-25 Import Users from an LDAP

Step 2 In the Search Users field, enter the LDAP tree structure for user identification.

Step 3 In the Filter field, enter the value for filter parameters.


Tip Different tree structures and filter parameters prescribed for different types of LDAPs are provided here.


Sun One Server:

Search Users: ou=people,ou=external,dc=cepm,dc=in

Filter: (&(uid=p*)(mail=p*)) or uid=p*

Novell eDirectory Server:

Search Users: cn=people,o=cepm-net

Filter: cn=b*

Active Directory 2000 Server:

Search Users: ou=people,ou=users, dc=win2k-ad,dc=cepm,dc=net

Filter: cn=p* or sAMAccountName=* or sAMAccountName=v*

Do not specify the ( or ) or &.

In the Search Users text box, you can type in the base directory to search. For example, ou=people,ou=external,dc=cepm,dc=net. For a refined search, you can also specify the filter as uid=s* in the Filter text box.

Step 4 Select the user type (by default Global:Default is selected). Select the appropriate user-store.


Note In general, you can import users of a specific usertype from LDAP into CEPM. These users get imported without bearing any attribute value unless marked mandatory. If the users of usertype containing mandatory attributes are imported, the following attribute values are shown as the default values in the PAP console:

For attributes of type String—A space character is shown as the attribute value.

For attributes of type Int—The digit 0 (zero) is shown as the default attribute value.

For attributes of type Enum (single or multiple)—First enum value is selected as the default value.

For attributes of type Float—The digit 0 (zero) is shown as the first attribute value.

For attribute of type Password—A space character is shown as the first attribute value.

Step 5 Click Search. All the users who match the Search and Filter criteria are displayed in the List Users section.

Step 6 Click Import > All to import all the displayed users into PAP. You can import specific users by selecting them in the List Users section and clicking Import > Import Selected.


Note For Active Directory (AD), the MaxPageSize parameter is set to 1000 by default. Thus, if the number of users exceeds 1000, you may get an error while importing the users from AD. To resolve this, set the MaxPageSize parameter to a number that suits your user count. For example, if 50000 users exist in AD, edit the MaxPageSize parameter to 50000.
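The Search Users and Filter values in the tip above are passed to the directory as an LDAP search base and an LDAP filter, so a value copied from an untrusted source (a ticket, a spreadsheet) can change the meaning of the search if it contains filter metacharacters. The following added example, which is not part of CEPM, shows how to build the sample filters with the RFC 4515 escaping rules while still allowing the `*` wildcard the tip relies on, and how to split a search base such as the Active Directory sample into its RDN components before submitting it. The function names and the validity rules for attribute names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptions as used in the samples above (uid, mail, cn, sAMAccountName).
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str, allow_wildcard: bool = False) -> str:
    """Escape a value for use inside an LDAP filter.

    With allow_wildcard=True the asterisk is kept so an operator can still type
    patterns such as p*; every other special character is neutralised so that a
    value like "p)(objectClass=*" cannot change the structure of the filter.
    """
    return "".join(
        ch if (ch == "*" and allow_wildcard) else _FILTER_ESCAPES.get(ch, ch)
        for ch in value
    )


def equality_filter(attr: str, pattern: str, allow_wildcard: bool = True) -> str:
    """Build a single (attr=pattern) component, e.g. (uid=p*)."""
    if not _ATTR_NAME.match(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}={escape_filter_value(pattern, allow_wildcard)})"


def and_filter(*filters: str) -> str:
    """Combine components into an AND filter, e.g. (&(uid=p*)(mail=p*))."""
    if not filters:
        raise ValueError("and_filter needs at least one component")
    return "(&" + "".join(filters) + ")"


def parse_base_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a search base such as ou=people,ou=external,dc=cepm,dc=in into RDN pairs.

    A comma escaped with a backslash (cn=Smith\\, John) stays inside the value, and
    whitespace around separators, as in the Active Directory sample, is dropped.
    """
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not _ATTR_NAME.match(attr) or not value:
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        rdns.append((attr.lower(), value))
    return rdns


def is_valid_base_dn(dn: str) -> bool:
    """Cheap pre-check before handing a search base to the directory."""
    try:
        parse_base_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(and_filter(equality_filter("uid", "p*"), equality_filter("mail", "p*")))
    print(parse_base_dn("ou=people,ou=users, dc=win2k-ad,dc=cepm,dc=net"))
```

Note that this reproduces the tip's Sun One filter `(&(uid=p*)(mail=p*))` exactly; when a filter value comes from an operator who should not be able to widen the search, call `escape_filter_value` with `allow_wildcard=False` so a `*` is escaped rather than treated as a pattern.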



Exporting Users

You can export PAP users from a particular application, application group, or Global to an MS Excel file or to an XML file.

To export the users, follow these steps:


Step 1 Choose Manage Entities > Users. The User Management page is displayed.

Step 2 Select an appropriate application, application group, or Global from which you want to export the users.

The User Management page contains the Export button for exporting users.

From this page, you can export users to an XML file or to an MS Excel file.

Figure 4-26 Exporting Users

Exporting Users to an MS Excel File

To export users to an MS Excel file, follow these steps:


Step 1 On the User Management page, choose Export > To Excel. A dialog box for opening or saving the users information in MS Excel format is displayed.

Step 2 Click Save to save the Users.xls file to an appropriate location.

The Excel file contains information similar to that shown in the following figure.

Figure 4-27 Exporting Users to an Excel file


Export Users to an XML File

To export users to an XML file, follow these steps:


Step 1 On the User Management page, choose Export > To XML. A dialog box for opening/saving the user information in XML format is displayed.

Step 2 Click Save to save the Users.xml file to an appropriate location.

The XML file contains the following code:

<users timestamp="20/03/2009 15:51:12" version="CEPM-V3.3.2.0">
    <user>
        <userName>John</userName>
        <parentFQN>Prime group</parentFQN>
        <useremail>jsmit@xyz.net</useremail>
        <firstName>John</firstName>
        <lastName>Smith</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>false</superuser>
        <userType>
            <name>Default</name>
            <description>default</description>
            <applicationName>Global</applicationName>
        </userType>
        <copyusers/>
    </user>
    <user>
        <userName>Mary</userName>
        <parentFQN>Prime group:Prime portal</parentFQN>
        <useremail>mwong@xyz.net</useremail>
        <firstName>Mary</firstName>
        <lastName>Wong</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>false</superuser>
        <userType>
            <name>Default</name>
            <description>default</description>
            <applicationName>Global</applicationName>
        </userType>
        <copyusers/>
    </user>
</users>
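An exported Users.xml is a convenient input for a periodic access review, because it carries the status, superuser flag, user store and user type of every account in one place. The following added example (not CEPM code) parses the export layout shown above with the standard library and produces a small audit report; the sample XML embeds the two users from the page plus a constructed "Admin" account so that the superuser check has something to report. The report field names are this example's assumptions, and since `<copyusers/>` is empty in the export above, the example only records whether that element has children.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the layout of the Users.xml export above: John and Mary
# are the users from the page, Admin is a made-up superuser added for the audit.
SAMPLE_USERS_XML = """<users timestamp="20/03/2009 15:51:12" version="CEPM-V3.3.2.0">
    <user>
        <userName>John</userName>
        <parentFQN>Prime group</parentFQN>
        <useremail>jsmit@xyz.net</useremail>
        <firstName>John</firstName>
        <lastName>Smith</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>false</superuser>
        <userType><name>Default</name><description>default</description><applicationName>Global</applicationName></userType>
        <copyusers/>
    </user>
    <user>
        <userName>Mary</userName>
        <parentFQN>Prime group:Prime portal</parentFQN>
        <useremail>mwong@xyz.net</useremail>
        <firstName>Mary</firstName>
        <lastName>Wong</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>false</superuser>
        <userType><name>Default</name><description>default</description><applicationName>Global</applicationName></userType>
        <copyusers/>
    </user>
    <user>
        <userName>Admin</userName>
        <parentFQN>Prime group</parentFQN>
        <useremail>admin@xyz.net</useremail>
        <firstName>Site</firstName>
        <lastName>Admin</lastName>
        <password/>
        <userBelongsTo>db</userBelongsTo>
        <userStoreDetails>USER BELONGS TO LOCAL DB</userStoreDetails>
        <status>Active</status>
        <superuser>true</superuser>
        <userType><name>Default</name><description>default</description><applicationName>Global</applicationName></userType>
        <copyusers/>
    </user>
</users>"""


def export_metadata(xml_text: str) -> Dict[str, str]:
    """The timestamp and CEPM version recorded on the <users> root element."""
    root = ET.fromstring(xml_text)
    if root.tag != "users":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {"timestamp": root.get("timestamp", ""), "version": root.get("version", "")}


def parse_users_export(xml_text: str) -> List[Dict[str, object]]:
    """Flatten each <user> element into a dictionary of the fields an audit needs."""
    root = ET.fromstring(xml_text)
    users: List[Dict[str, object]] = []
    for u in root.findall("user"):
        user_type = u.find("userType")
        copy_users = u.find("copyusers")
        users.append({
            "userName": u.findtext("userName", ""),
            "parentFQN": u.findtext("parentFQN", ""),
            "email": u.findtext("useremail", ""),
            "status": u.findtext("status", ""),
            "superuser": u.findtext("superuser", "false").strip().lower() == "true",
            "store": u.findtext("userBelongsTo", ""),
            # application:name, e.g. Global:Default, matching the PAP's display form
            "userType": (f"{user_type.findtext('applicationName', '')}:{user_type.findtext('name', '')}"
                         if user_type is not None else ""),
            # Assumption: a non-empty <copyusers> means entitlements were copied to this user.
            "has_copied_entitlements": copy_users is not None and len(copy_users) > 0,
        })
    return users


def audit_users(users: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Accounts that deserve a second look in a periodic access review."""
    return {
        "superusers": [u["userName"] for u in users if u["superuser"]],
        "inactive": [u["userName"] for u in users if str(u["status"]).lower() != "active"],
        "external_store": [u["userName"] for u in users if str(u["store"]).lower() != "db"],
        "with_copied_entitlements": [u["userName"] for u in users if u["has_copied_entitlements"]],
    }


if __name__ == "__main__":
    print(export_metadata(SAMPLE_USERS_XML))
    print(audit_users(parse_users_export(SAMPLE_USERS_XML)))
```

If the export comes from a system you do not fully trust, parse it with `defusedxml.ElementTree.fromstring` instead of `xml.etree` so that entity-expansion payloads in the file are rejected rather than processed.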

User Types

You can classify users by creating user types under an application, application group, or Global. For example, if the application users are located in various geographical regions, you can classify a new user on a regional basis by creating a user type called Region. Creating a user type is optional, as the Default user type is already available in the application at the Global level. For this purpose, you can also use the attributes from an external attribute source such as a DB PIP, LDAP PIP, and so on.

Creating a User Type

To create or update a user type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > User Types. The User Types page is displayed.

Figure 4-28 User Type Home page

Step 2 Select the appropriate application, application group or Global for which you want to create or update a user type.

Step 3 To create a new user type, click Add. To update an existing user type, select the check box beside that user type and click the Edit icon. The Create or Update User Types page is displayed.

Figure 4-29 Create or Update UserType

Step 4 Enter the following information in this page for creating or updating the user type:

User Type Name—Name of the user type.


Note The user type names have a limitation of 100 characters, and the special characters allowed are asterisk (*), hyphen (-) and underscore (_).


Description—Description of the user type.

Attributes—You can add multiple attributes to a user type by clicking the Add Attribute button.

Each user type attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attribute types that exist under the repository. If you select enum as the type, you must set the enumeration values for the attribute by clicking the View Query button.

If you select a PIP attribute (such as DB PIP, LDAP PIP, and so on) that expects an input while creating any entity type, you must set the dollar values by clicking the Set Query Details button. A pop-up window appears that prompts you to evaluate the attribute values. Set the dollar values and click the Save button in the pop-up window in order to create the entity type; otherwise the entity type creation fails.

Value Type—Select Single if you want the attribute to return a single value. Select Multiple if you want the attribute to return multiple values.

Attribute View—Select Yes if you want to view that attribute in the users list in Manage Entities > Users page as a column. If you select No, that attribute is not displayed as columns in the users list.

Mandatory—Set the Mandatory field to either Yes or No. When set to Yes, you must give the attribute value when using this attribute in creating a user of this user type. To this effect, the attribute value field for the corresponding attribute in the Create User page is shown as a mandatory field. For example, suppose a user type called UT1 with an attribute of type String is created and the Mandatory field is set to Yes. While creating a user of this user type, you will find the UT1 field marked as mandatory.


Note Even if the input values are not required for PIPs, it is mandatory to click the Set and Save buttons in the popup.


Step 5 Click Save to save the user type information.


Group Management

The administration console simplifies the complex security administration by using user groups to organize access privileges. This operation is performed by using group hierarchies and constraints to configure a wide range of security policies. In the administration console, rights can be granted to an individual user as well as multiple users in a group to access the resources in the application.

Group management functionality allows you to carry out the following functions related to the management of user groups:

List or search for groups

Create or edit a group

Delete groups

Import groups

Create group types

Listing or Searching for Groups

To view the list of groups or search for a group in a particular application, application group or Global, follow these steps:


Step 1 Choose Manage Entities > Groups. The Group Management page is displayed.

Figure 4-30 Group Home Page

Step 2 From the Select Application drop-down list, select an application, application group or Global.

A list of groups associated with the selected application, application group or Global is displayed in the List Groups section in the same page. You can click the expand link to view all the groups in the list.

Step 3 Search for a particular group in the Search section by group name.

Figure 4-31 Search section

This section allows you to search for a specific group depending upon the search criterion that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria for searching for groups:

Search for Group by Group Name

Default

Other available Group Types

Enter the value to search in the text box. You can also use the asterisk character (*) as a wildcard character, as part of the search value.

Example: To get the list of all the groups having M as the first character in their name, enter search value as M*, and click Search. The list of groups matching the search criteria and search value is displayed in the List Groups section.

Click Clear to clear the value entered in the search value text box.


Note The search result depends on the selected application. For example, if Global is selected in the application list, only the groups belonging to that application (that is, Global) are displayed in the search result.


You can click the following icons in the List Groups page to perform the operations described here:

Click the Create Group button to create a new group under Global, application group, application, or group. For more information, refer to Creating or Updating Groups.

Click the Edit Group icon to edit the information of an existing group. For more information, refer to Creating or Updating Groups.

Click the Delete Group icon to delete a group. For more information, refer to Deleting a Group.

Click the Import Group icon to import groups into the selected application group or application from LDAPs, such as Sun One Server, Novell eDirectory Server, and Active Directory Server. For more information, refer to Importing Groups.



Creating or Updating Groups

To create or update a group in a particular application, application group, existing user group, or Global, follow these steps:


Step 1 Choose Manage Entities > Groups. The Group Management page is displayed.


Note The group names have a limitation of 100 characters, and the special characters allowed are hash (#), dollar ($), ampersand (&), parentheses [()], less than (<), greater than (>), tilde (~), apostrophe ('), plus (+), forward slash (/), asterisk (*), hyphen (-), underscore (_) and at sign (@).


Step 2 From the Select Application drop-down list, select the appropriate application, application group or Global for which you want to create a group.

Step 3 In the List Groups section, click the Create Group icon beside the application, application group, existing user group or Global under which you want to create the group. To update existing group information, click the Edit Group icon beside the group name.

The Create/Update Group page is displayed.

Figure 4-32 Create or Update Group

Step 4 Enter the following information on this page for creating/updating the group:

Group: Select either New Group or Reference (refer to Creating, Updating, or Deleting Group Types).

Group Name: Name for the group.

Description: Description for the group.

Group Status: Select either Static or Dynamic. (For more information on dynamic groups, refer to Dynamic Role/Group.)

Reference: This is enabled only if you create the group as a Reference group. Select the appropriate reference group from this list. (For more information on Reference Group, refer to Reference Role/Group.)

Group Type: Select an appropriate group type for this group. Clicking View Attributes displays the attributes associated with the group type. By default, the value selected for the group type is Global:Default. You can create a new group type by clicking the Create New Group Type link beside this list box.


Note In CEPM, the single quote (') character cannot be used in an attribute value. For example, while creating a group of a selected group type, you cannot use single quote character while evaluating the group type attributes.


Step 5 Click Save to save the above information in the PAP.

Step 6 You can assign this group to users, roles and resources on this page. To do this assignment, click Next or click the appropriate tab, that is, Assign Roles, Assign Groups, or Assign Resources, to assign this group to the appropriate roles, groups, or resources.

Step 7 Click Done after you have created the new group and assigned it to appropriate roles, groups or resources.


Note Assigning the new group to users, roles, and resources is not mandatory on this page. This operation can also be carried out later using either of the following methods, after the group is successfully created in the PAP.


a. In the Group Management page (Manage Entities > Groups), click the Edit icon that is beside the group name, for which you want to assign users, roles or resources. The Create/Update Group page is displayed. On this page, you can click the appropriate tab, Assign Users, Assign Roles or Assign Resources, to assign this group to appropriate users, roles or resources. You can also click Next to navigate through these tabs one by one.

b. You can click the links Add Groups to Roles and Add Users to Groups that are on the Manage Entities > Advanced > Entity Assignments page, to add the group to roles and to add users to groups.


Assigning Users to a Group

After creating a group, you can assign users to it.

To assign users to a group, follow these steps:


Step 1 On the Create/Update Groups page, click the Assign Users tab. The Assign Users page is displayed.

Figure 4-33 Assigning Users to Group

Step 2 If a large number of users are under the selected application, you can search for a particular user(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a user, enter the full name (not the fully qualified name) or first few characters of the user name, select the Search user from the drop-down list and click Search. All the users matching the search input are displayed.

Step 3 Assign a context for the user-group association that you are going to create by clicking the Context icon that is near the context label. A list of contexts is displayed.

Step 4 Select the appropriate context from the list to apply the context to the user-group association.

The Assign Users page contains two list boxes side-by-side. The Users list box contains the users that are not assigned to the group. The Assigned Users list box contains the users that are assigned to the group.

Step 5 To assign a user to the group, select that user in the Users list box and then click the Assign icon. The selected user is moved from the Users list to the Assigned Users list.

Step 6 To unassign the assigned users in the Assigned Users list box, click the user name and click the Unassign icon. The selected user is unassigned and it is moved from the Assigned Users list to the Users list.

Step 7 To set the group attribute and group attribute values for this user-group association, select the assigned user and click the Set Attribute Values icon near the actions label.

Step 8 Click Save to complete the user-group association.


Assigning Roles to a Group

After creating a group, you can assign roles to it.

To assign roles to a group, follow these steps:


Step 1 On the Create/Update Groups page, click the Assign Roles tab. The Assign Roles page is displayed.

Figure 4-34 Assigning Roles to Group

Step 2 If a large number of roles are under the selected application, you can search for a particular role(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a role, enter the full name (not the fully qualified name) or first few characters of the role name, select the Search role from the drop-down list and click Search. All the roles matching the search input are displayed.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Assign a context for the group-role association that you are going to create by clicking the Context icon near the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the group-role association.

The Assign Role page contains two list boxes side-by-side. The Roles list box contains the roles that are not assigned to the group. The Assigned Roles list box contains the roles that are assigned to the group.

Step 6 To assign a role to the group, select that role in the Roles list box and click the Assign icon. The selected role is moved from the Roles list to the Assigned Roles list.

Step 7 To unassign the assigned roles in the Assigned Roles list box, click the role name and click the Unassign icon. The selected role is unassigned and it is moved from the Assigned Roles list to the Roles list.

Step 8 To set the group attribute and role attribute values to this group-role association, select the assigned role and click the Set Attribute Values icon near the actions label.

Step 9 Click Save to complete the group-role association.


Assign Resources to a Group

After creating a group, you can assign resources to it.

To assign resources to a group, follow these steps:


Step 1 On the Create/Update Groups page, click the Assign Resources tab. The Assign Resources page is displayed.

Figure 4-35 Assign Resources to Group

Step 2 If a large number of resources are under the selected application, you can search for a particular resource(s) using the Search option. It is important to note that this Search option does not consider special character inputs. To search for a resource, enter the full name (not the fully qualified name) or first few characters of the resource name, select the Search resource from the drop-down list and click Search. All the resources matching the search input are displayed.

Step 3 Assign a context for the group-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed.

Step 4 Select the appropriate context from the list to apply the context to the group-resource association.

The Assign Resources page contains three list boxes side-by-side. The Resources list box contains the resources that are not assigned to the group. The Allowed Resources and Denied Resources list boxes contain the resources that are assigned to the group, with either the Allowed permission or the Denied permission.

Step 5 To assign a resource to the group with Allowed permission, select that resource in the Resources list box and click the Assign Allowed Resources icon. The selected resource is moved from the Resources list to the Allowed Resources list.

Step 6 To assign a resource to the group with denied permission, select that resource in the Resources list box and click the Assign Denied Resources icon. The selected resource is moved from the Resources list to the Denied Resources list.

Step 7 To unassign the assigned resources in the Allowed Resources or Denied Resources list box, click the resource name and click the Unassign icon. The selected resource is unassigned and it is moved from the Allowed Resources or Denied Resources list to the Resources list.

Step 8 For the group-resource association you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned resource and clicking the appropriate icon near the actions label as explained here:

a. Add rule—Click the icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy.

b. Configure the Policy Combining Algorithm—Click the icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm.

c. Add attributes to return—Click the icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation.

d. Add policy attributes—Click the icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes.

e. Edit policy—Click the icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations.

Step 9 Click Save to complete the group-resource association.


Assigning Multiple Users to a Group

Refer to "Assigning Multiple Users to a Group" section.

Assigning Multiple Groups to a Role

You can assign multiple groups to a role in the PAP.

To assign multiple groups to a role, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Assignments > Add Groups to Roles. The Assign Groups to Roles page is displayed.

Step 2 Select the application, application group or Global under which the groups to be assigned to the roles exist.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Select the appropriate context by clicking the Context icon in the upper-right side of the page.

All the groups and roles pertaining to the selected application, application group or Global are displayed in the Groups section and Roles section respectively.

Figure 4-36 Assigning Multiple Groups to a Role

Step 5 Search for a particular group or for a particular role by entering the appropriate search criteria and search value in the Search section for groups and roles.

Step 6 From the Groups list, select the check boxes for the groups to which the roles need to be assigned.

Step 7 In the Roles list, click the Map Groups icon beside the role name to which you want to assign the selected groups.

This completes the mapping of the selected groups to the selected roles. You can also view the groups that are assigned to a role by clicking the List Groups icon near that role name.


Note Under a selected application group, if you map a group to a role (both of which are created under an application), the mapped group is not displayed. For example, if you select an application group called Prime group under which Prime portal is an application, and map a group (Prime group:Prime portal:Group1) to a role (Prime group:Prime portal:Role1), Group1 is not displayed when you click the List Groups icon for Role1.



Deleting a Group

The Group Management page (Manage Entities > Groups) allows you to delete groups that are already created under Global, application group, application or group. Click the delete icon near the group name to delete that group from the PAP.

Importing Groups

The CEPM provides the functionality of importing groups into the PAP from LDAP directories, such as Sun One Server, Novell eDirectory Server, and Active Directory Server. The import ability is level-specific: importing application group entities can be done at the application group level only. Likewise, you can import application entities under applications only.

While importing groups, you must ensure that the groups imported are specific to the selected application level (application groups or applications). This means that importing groups at the application group level must be done from an application group only. For example, suppose you have two application groups (AppGrp1, AppGrp2) and two applications (App1 under AppGrp1 and App2 under AppGrp2). Using this feature, you can import groups of AppGrp1 into AppGrp2 only, and not into the application level (App1 and App2). The same rule applies at the application level, that is, you can import groups from App1 into App2 but not into AppGrp2.


Note Before importing groups into the PAP, a user attribute source must be created. For more information about creating the user store, refer to User Attribute Sources.


To import the groups in the PAP, follow these steps:


Step 1 Choose Manage Entities > Groups.

The Group Management page is displayed.

Step 2 Select the appropriate application or application group under which you want to import the groups.

Step 3 In the List Groups section, click the Import icon beside the application/application group under which you want to import the groups.

The Import Groups page is displayed.

Figure 4-37 Import Groups

Step 4 In the Search Groups field, enter the LDAP tree structure for group identification.

Step 5 In the Filter text box, enter the value for Filter parameters.


Tip Different tree structures and filter parameters prescribed for different types of LDAP servers are given here:


Sun One Server:

Search Groups: ou=people,ou=external,dc=cepm,dc=in

Filter: cn=p*

Novell eDirectory Server:

Search Groups: cn=people,o=cepm-net

Filter: cn=p*

Active Directory 2000 Server:

Search Groups: ou=people,ou=users, dc=win2k-ad,dc=cepm,dc=net

Filter: cn=p*

In the Search Group text box you can type in the base directory to search, for example, ou=people,ou=external,dc=cepm,dc=in. For a refined search you can also specify the filter as cn=p* in the Filter text box.

Step 6 Select the appropriate user-store.

Step 7 Select the group type. By default it is selected to Global:Default.


Note If a group whose group type contains mandatory attributes is imported, the following attribute values are shown as the default values in the PAP console:

For attributes of type String: A space character is shown as the attribute value.

For attributes of type Int: 0 (Zero) is shown as the default attribute value.

For attributes of type Enum (single or multiple): First enum value is shown as the default attribute value.

For attributes of type Float: 0 (Zero) is shown as the default attribute value.

For attributes of type Password: A space character is shown as the default attribute value.

Step 8 Click Search. All the groups matching the Search and Filter criteria are displayed in the List Groups section.

Step 9 Click Import. The groups displayed in the List Groups section are created in the PAP.


Creating, Updating, or Deleting Group Types

You can classify groups by creating group types under an application, an application group, or Global. For example, the application groups may be located in various geographical regions. You can classify a new group on a regional basis by creating a group type that includes the region as an attribute. Creating a group type is optional because the Default group type already exists at the Global level.

To create, update or delete a group type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > Group Types. The Group Types page is displayed.

Figure 4-38 Group Type page

Step 2 From the Select Application drop-down list, select an appropriate application, application group or Global for which you want to create a group type.

Step 3 To create a group type, click Add. To update an existing group type, select the check box near the group type and click the Edit icon. To delete an existing group type, select the check box near the group type and click the Delete icon.

If you clicked the Add button or the Edit icon, the Create/Update Group Types page is displayed.

Figure 4-39 Create or Update Group Type

Step 4 Enter the following information in this page for creating/updating the group type:

Group Type Name—Name of the group type.


Note Group type names are limited to 100 characters, and the only special characters allowed are asterisk (*), hyphen (-) and underscore (_).


Description—Description of the group type.

Attributes—You can add multiple attributes to a group type by clicking Add Attribute.

Each group type attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attribute types that exist under the repository. If you select enum as the type, you must set the enumeration values for the attribute by clicking the View Query button.

If you select a PIP attribute (such as DB PIP, LDAP PIP, and so on) that expects an input while creating any entity type, you must set the dollar values by clicking the Set Query Details button. A pop-up window appears that prompts you to evaluate the attribute values. Set the dollar values and click the Save button in the pop-up window in order to create the entity type; otherwise, the entity type creation fails.

Value Type—Select Single, if you want the attribute to return a single value. Select Multiple, if you want the attribute to return multiple values.

Mandatory—Set the Mandatory field to either Yes or No. When set to Yes, you must give the attribute value whenever this attribute is used in creating a group. To this effect, the Attribute value field for the corresponding attribute in the Create Group page is shown as a mandatory field. For example, suppose a group type called General with an attribute of type Enum is created and the Mandatory field is set to Yes. While creating a group using this group type, you will find the General field is mandatory.

Step 5 Click Save to save the group type information in the PAP.


Role Management

The administration console simplifies complex security administration by using roles to organize access privileges. Role hierarchies and constraints are used to configure a wide range of security policies. In the administration console, rights to access the various resources in an application can be granted to an individual user as well as to multiple users in a group or in a role.

CEPM provides two default roles at the application group level:

External Users—All users who are not in the CEPM database are by default mapped to this role. As a result, when you create an allow policy for this role on a resource, all external users can access that resource.

Known Users—All users who are in the CEPM database are by default mapped to this role. If you create an allow policy for this role on a resource, all known users can access that resource.


Note You cannot map a role or assign users or groups to the default roles External User and Known User. When you try to edit these roles by clicking the edit button, you find that the Role, Assign Users, and Assign Groups tabs are inactive.


Role Management functionality allows you to carry out the following functions related to the management of roles:

List and search for roles

Create or edit a role

Delete role

Import roles

Export roles

Create role types

Add SoD roles

Add DSoD roles

Listing or Searching for Roles

To view the list of roles or search for a role in a particular application, application group, or Global, follow these steps:


Step 1 Choose Manage Entities > Roles. The Role Management page is displayed.

Figure 4-40 Roles Page

Step 2 From the Select Application list, select an appropriate application, application group, or Global.

List of roles associated with the selected application, application group, or Global is displayed in the List Roles section.

Step 3 Search for a particular role in the Search section by role name.

Figure 4-41 Search Section

This section allows you to search for a specific role based on the search criteria selected from the list box and the search value entered in the text box. You can use the following search criteria when searching for a role:

Search for Role by Role Name

Default

Other available Role Types

Enter the value to search in the text box. You can also use the asterisk character (*) as a wild card character, as part of the search value.

Example: To get the list of all the roles having 'M' as the first character in their name, enter search value of M*, and click Search. The list of roles matching the search criteria and search value is displayed in the List Roles section.

Click Clear to clear the value entered in the search value text box.


Note The search result depends on the application selected. For example, if Global is selected in the application list, only the roles belonging to Global are displayed in the search result.


You can click the following icons in the List Roles page to perform the operations described here:

Click the Create Role icon to create a new role under Global, application group, application, or role. For more information, refer to Creating or Updating a Role.

Click the Edit Role icon to edit the information of an existing role. For more information, refer to Creating or Updating a Role.

Click the Delete Role icon to delete a role. For more information, refer to Deleting a Role.

Click the Configure SoD Role icon to configure one or more roles under the selected application group, application, role or Global, as SoD roles. For more information, refer to Configuring SoD Roles.

Click the Configure DSoD Role icon to configure one or more roles under the selected application group, application, role or Global, as DSoD roles. For more information, refer to Configuring DSoD Roles.

Click the Import Role icon to import roles from an XML file into the selected application group or application. For more information, refer to Importing Roles.

Click the Export Role icon to export roles under the selected application group or application to an XML file. For more information, refer to Exporting Roles.



Creating or Updating a Role

To create/update a role in a particular application, application group, role, or Global, follow these steps:


Step 1 Choose Manage Entities > Roles.

The Role Management page is displayed.

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update a role.

Step 3 To create a new role, in the List Roles section, click the Create Role icon beside the application, application group, existing role, or Global under which you want to create the role. To edit an existing role, click the Edit Role icon near the role name. The Create/Update Role page is displayed.

Figure 4-42 Create/Update Role

Step 4 Enter the following information in this page for creating/updating the role.

Role—Select either New Role or Reference (refer "Reference Role/Group" section for more information).

Role Name—Name for the role.


Note Role names are limited to 100 characters, and the only special characters allowed are hash (#), dollar ($), ampersand (&), parentheses [()], less than (<), greater than (>), tilde (~), apostrophe ('), plus (+), forward slash (/), asterisk (*), hyphen (-), underscore (_) and at sign (@).


Description—Description for the role.

Role Status—Select either Static or Dynamic. If the Role Status selected is Dynamic, you can configure rules for the role by clicking the Advanced button. (For more information on Dynamic Role, refer to Dynamic Role/Group.)

Reference—This is enabled only if you create the role as a Reference Role. Select the appropriate Reference Role from this list. (For more information on Reference Role, refer to Reference Role/Group.)

Role Type—Select an appropriate role type for this role. By default, the value selected for the role type is Global:Default. You can create a new role type by clicking the Create New Role Type link beside this list box. Click View Attributes to see the attributes associated with the role type. You can set the values of these attributes for evaluation purposes.


Note In CEPM, the single quote (') character cannot be used in an attribute value. This applies to all six entity types: user type, group type, role type, resource type, application type, and application group type.


Step 5 Click Save to save this information in the PAP.

Step 6 To assign this role to users, groups, and resources, click Next or click the appropriate tab, that is, Assign Users, Assign Groups or Assign Resources.

Step 7 Click Done after you have created/updated the new role and assigned it to appropriate users, groups or resources.


Note Assigning the new role to users, groups and resources is not mandatory on this page. This operation can also be done later using any of the following methods, after the role is successfully created in the PAP.


a. In the Role Management page (Manage Entities > Roles), click the Edit icon beside the role name, for which you want to assign users, groups, or resources. The Create/Update Role page is displayed. In this page, you can click the appropriate tab, Assign Users, Assign Groups, or Assign Resources, to assign this role to appropriate users, groups, or resources. You can also click Next to navigate through these tabs one by one.

b. You can click the Add Users to Roles and Add Groups to Roles links that are on the Manage Entities > Advanced > Entity Assignments section, to add users to roles and to add groups to roles.


Reference Role/Group

The Reference Role/Group functionality provides a mechanism to create multiple copies of a role/group in the hierarchy of application groups, applications, groups, and roles in such a way that all the copies created are references to the parent role/group. Thus, if the parent role/group is deleted, all the related reference roles/groups are also deleted.

You cannot create a role/group by reference directly under an application group or an application. It can be created only under an existing role/group.

The Reference role/group is created while creating the role/group, by selecting the Reference option and the parent role name whose reference is to be created.

The following section describes in more detail how the reference role/group mechanism works.

Figure 4-43 Reference Role Hierarchy

If you want to add Role2 as a child of Role4 and Role5 in the preceding hierarchy, this is normally done by creating a new child role under Role4 and Role5 and assigning it all the characteristics of Role2.

Instead of creating a new role, you can create the role as a reference of Role2 while adding it to Role4 and Role5.

Figure 4-44 Role addition

Though Role2 is displayed at different levels within the hierarchy, it is stored at a single place in the PAP, under Role1, and is referenced at the other levels, under Role4 and Role5. All users added to Role1:Role2 at any level are reflected in every instance of Role2; for example, Role1:Role2, Role4:Role2 and Role5:Role2 have the same set of users and the same set of roles and policies. Role4:Role2 and Role5:Role2 also inherit the roles/users/groups/policies from Role1:Role2.

Note that deleting the parent role (Role1:Role2) will delete all the referencing roles (Role4:Role2 and Role5:Role2).
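The following is an added example, not CEPM code: a small in-memory model of the reference mechanism described above. Role paths (Role1:Role2, Role4:Role2, Role5:Role2) and the user name are constructed; members are stored once on the parent role, every reference resolves to it, and deleting the parent cascades to its references and nested roles.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Role:
    path: str                          # fully qualified name, e.g. "Role1:Role2"
    users: set[str] = field(default_factory=set)
    reference_of: str | None = None    # path of the role this one references


class RoleStore:
    """Constructed stand-in for the PAP role hierarchy (hypothetical, not the CEPM API)."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}

    def create(self, path: str) -> Role:
        if path in self.roles:
            raise ValueError(f"role already exists: {path}")
        self.roles[path] = Role(path)
        return self.roles[path]

    def create_reference(self, path: str, parent_path: str) -> Role:
        # A reference may only be created under an existing role, never
        # directly under an application or application group.
        container, sep, _ = path.rpartition(":")
        if not sep or container not in self.roles:
            raise ValueError(f"reference must be created under an existing role: {path}")
        if parent_path not in self.roles:
            raise KeyError(parent_path)
        ref = Role(path, reference_of=self._storage_path(parent_path))
        self.roles[path] = ref
        return ref

    def _storage_path(self, path: str) -> str:
        """Follow reference links to the role that actually stores the data."""
        role = self.roles[path]
        while role.reference_of is not None:
            role = self.roles[role.reference_of]
        return role.path

    def add_user(self, path: str, user: str) -> None:
        # Users are stored once, on the parent, so every reference sees them.
        self.roles[self._storage_path(path)].users.add(user)

    def members(self, path: str) -> frozenset[str]:
        return frozenset(self.roles[self._storage_path(path)].users)

    def delete(self, path: str) -> list[str]:
        """Delete a role, the roles nested under it, and every role referencing it."""
        victims = {path}
        changed = True
        while changed:                 # expand until no new dependents are found
            changed = False
            for r in self.roles.values():
                if r.path in victims:
                    continue
                nested = any(r.path.startswith(v + ":") for v in victims)
                if nested or r.reference_of in victims:
                    victims.add(r.path)
                    changed = True
        for p in victims:
            del self.roles[p]
        return sorted(victims)


def demo() -> dict[str, object]:
    """Reproduce the Role2 scenario from the text and return the observed state."""
    store = RoleStore()
    for p in ("Role1", "Role4", "Role5"):
        store.create(p)
    store.create("Role1:Role2")
    store.create_reference("Role4:Role2", "Role1:Role2")
    store.create_reference("Role5:Role2", "Role1:Role2")
    store.add_user("Role4:Role2", "alice")      # added through a reference ...
    before = {p: store.members(p) for p in ("Role1:Role2", "Role4:Role2", "Role5:Role2")}
    deleted = store.delete("Role1:Role2")       # ... and deleting the parent cascades
    return {"before": before, "deleted": deleted, "remaining": sorted(store.roles)}


if __name__ == "__main__":
    print(demo())
```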

Dynamic Role/Group

During the policy creation, when you want to apply the same set of rules for different policies, you can do so without repeating the rules-creation process by using Dynamic role/group. Dynamic role/group is created with the set of rules that you want to reuse in multiple policies.

Example: A Dynamic role called DynamicRole1 has been created with some rules. When you create an Allow policy for DynamicRole1 on the resource Resource1, the policy will inherit all the rules configured for the DynamicRole1 role.

Dynamic role/group is created while creating the role/group, by selecting the role/group status as Dynamic. Then click the Advanced button, which opens the Rule Editor page where you can configure the rules for the Dynamic role/group.

For information about configuring rules, refer to Add Rules to a Policy.

Assigning Users to a Role

After creating a role, you can assign Users to it.


Note You cannot assign a user or a user group to the default roles External User and Known User. When you try to edit these roles by clicking the edit button, you find that the Role, Assign Users, and Assign Groups tabs are inactive.


To assign users to a role, follow these steps:


Step 1 On the Create/Update Roles page, click the Assign Users tab. The Assign Users page is displayed.

Figure 4-45 Assigning Users to Role

Step 2 If a large number of users exist under the selected application, you can search for particular users using the Search option. Note that this Search option does not accept special characters in the input. To search for a user, enter the full name (not the fully qualified name) or the first few characters of the user name, select the search user from the drop-down list and click Search. All the users matching the search input are displayed.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Assign a context for the user-role association that you are going to create by clicking the Context icon near the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the user-role association.

The Assign Users page contains two list boxes side-by-side. The Users list box contains the users that are not assigned to the role. The Assigned Users list box contains the users that are assigned to the role.

Step 6 To assign a user to the role, select that user in the Users list box and click the Assign icon. The selected user is moved from the Users list to the Assigned Users list.

Step 7 To unassign the assigned users in the Assigned Users list box, click the user name and click the Unassign icon. The selected user is unassigned and it is moved from the Assigned Users list to the Users list.

Step 8 To set the role attribute and role attribute values for this user-role association, select the assigned user and click the Set Attribute Values icon near the actions label.

Step 9 Click Save to complete the user-role association.


Assigning Groups to a Role

After creating a role, you can assign groups to it.

To assign groups to a role, follow these steps:


Step 1 On the Create/Update Roles page, click the Assign Groups tab.

The Assign Groups page is displayed.

Figure 4-46 Assigning Groups to Role

Step 2 If a large number of groups exist under the selected application, you can search for particular groups using the Search option. Note that this Search option does not accept special characters in the input. To search for a group, enter the full name (not the fully qualified name) or the first few characters of the group name, select the search group from the drop-down list and click Search. The groups matching the search input are displayed.

Step 3 Select the appropriate role bundle from the Role Bundle list.

Step 4 Assign a context for the role-group association that you are going to create by clicking the Context icon near the context label. A list of contexts is displayed.

Step 5 Select the appropriate context from the list to apply the context to the role-group association.

The Assign Group page contains two list boxes side-by-side. The Groups list box contains the groups that are not assigned to the role. The Assigned Groups list box contains the groups that are assigned to the role.

Step 6 To assign a group to the role, select that group in the Groups list box and click the Assign icon. The selected group is moved from the Groups list to the Assigned Groups list.

Step 7 To unassign the assigned groups in the Assigned Groups list box, click the group name and click the Unassign icon. The selected group is unassigned and it is moved from the Assigned Groups list to the Groups list.

Step 8 To set the role attribute and group attribute values for this role-group association, select the assigned group and click the Set Attribute Values icon near the actions label.

Step 9 Click Save to complete the role-group association.


Assigning Resources to a Role

After creating a role, you can assign resources to it.

To assign resources to a role, follow these steps:


Step 1 On the Create/Update Roles page, click the Assign Resources tab. The Assign Resources page is displayed.

Figure 4-47 Create or Update Role

Step 2 If a large number of resources exist under the selected application, you can search for particular resources using the Search option. Note that this Search option does not accept special characters in the input. To search for a resource, enter the full name (not the fully qualified name) or the first few characters of the resource name, select the resource from the drop-down list and click Search. All the resources matching the search input are displayed.

Step 3 Assign a context for the role-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed.

Step 4 Select the appropriate context from the list to apply the context to the role-resource association.

The Assign Resources page contains three list boxes side-by-side. The Resources list box contains the resources that are not assigned to the role. On the right side, the Allowed Resources and Denied Resources list boxes contain the resources that are assigned to the role, with either the Allowed permission or the Denied permission.

Step 5 To assign a resource to the role with Allowed permission, select that resource in the Resources list box and click the Assign icon. The selected resource is moved from the Resources list to the Allowed Resources list.

Step 6 To assign a resource to the role with Denied permission, select that resource in the Resources list box and click the Assign Denied Resources icon. The selected resource is moved from the Resources list to the Denied Resources list.

Step 7 To unassign the assigned resources in the Allowed Resources or Denied Resources list box, click the resource name and click the Unassign icon. The selected resource is unassigned and it is moved from the Allowed Resources or Denied Resources list to the Resources list.

Step 8 For the role-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

You can click the following icons near the action label to perform the operations described here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations.

Step 9 Click Save to complete the role-resource association.


Assigning Multiple Users to a Role

Refer to "Assigning Multiple Users to a Role" section.

Assigning Multiple Groups to a Role

Refer to "Assigning Multiple Groups to a Role" section.

Deleting a Role

The Role Management page (Manage Entities > Roles) allows you to delete roles that are already created under Global, an application group, an application, or a role. Click the delete icon near the role name to delete that role from the PAP.

Importing Roles

You can import roles from an XML file into a particular application group or application in the PAP. The import ability is level-specific: importing application group entities can be done at the application group level only. Likewise, you can import application entities within applications only.

While importing roles, you must ensure that the roles imported are specific to the selected application level (application groups or applications). This means that importing roles at the application group level must be done from an application group only. For example, suppose you have two application groups (AppGrp1, AppGrp2) and two applications (App1 under AppGrp1 and App2 under AppGrp2). Using this feature, you can import roles of AppGrp1 into AppGrp2 only, and not into the application level (App1 and App2). The same rule applies at the application level, that is, you can import roles from App1 into App2 but not into AppGrp2.

To import the roles in the PAP, follow these steps:


Step 1 Choose Manage Entities > Roles. The Role Management page is displayed.

Step 2 Select an appropriate application or application group under which you want to import the roles.

Step 3 In the List Roles section, click the Import icon beside the application/application group under which you want to import the roles. A dialog box for importing the roles information from XML file is displayed.

Figure 4-48 Import Roles

Step 4 Browse for the XML file, select it, and click Save. This imports the roles into the PAP.


Exporting Roles

You can export roles from a particular application group or application in the PAP to an XML file. Roles exported from an application group can be imported into another application group only, and the same rule applies to applications.

To export the roles from PAP, follow these steps:


Step 1 Choose Manage Entities > Roles. The Role Management page is displayed.

Step 2 Select an appropriate application or application group from which you want to export the roles.

Step 3 In the List Roles section, click the Export icon beside the application or application group from which you want to export the roles. A dialog box for opening/saving the roles information in XML format is displayed.

Figure 4-49 Dialog Box

Step 4 Click Save to save the Roles.xml file to an appropriate location.


Note Data exported from V3.3.2.0 cannot be imported into older versions of CEPM, such as V3.2.0.0.



Role Types

You can classify roles by creating role types under an application, application group, or Global. Creating a role type is optional because the Default role type already exists at the Global level.

To create/update/delete a role type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > Role Types. The Role Types page is displayed.

Figure 4-50 Role Type Page

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update/delete a role type.

Step 3 To create a role type, click Add. To update an existing role type, select the check box near the role type and click the Edit icon. To delete an existing role type, select the check box near the role type and click the Delete icon. If you have clicked Add or the Edit icon, the Create/Update Role Types page is displayed.

Figure 4-51 Create or Update Role Type

You can enter the following information in this page for creating/updating the role type:

Role Type Name—Name of the role type.


Note Role type names are limited to 100 characters, and the only special characters allowed are asterisk (*), hyphen (-) and underscore (_).


Description—Description of the role type.

Attributes—You can add multiple attributes to a role type by clicking Add Attribute.

Each role type attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attribute types that exist under the repository. If you select enum as the type, you must set the enumeration values for the attribute by clicking the View Query button.

If you select a PIP attribute (such as DB PIP, LDAP PIP, and so on) that expects an input while creating any entity type, you must set the dollar values by clicking the Set Query Details button. A pop-up window appears that prompts you to evaluate the attribute values. Set the dollar values and click the Save button in the pop-up window in order to create the entity type; otherwise, the entity type creation fails.

Value Type—Select Single, if you want the attribute to return a single value. Select Multiple, if you want the attribute to return multiple values.

Mandatory—Set the Mandatory field to either Yes or No. When set to Yes, you must give the attribute value whenever this attribute is used in creating a role. To this effect, the Attribute value field for the corresponding attribute in the Create Role page is shown as a mandatory field. For example, suppose a role type called Tester with an attribute of type String is created and the Mandatory field is set to Yes. While creating a role using this role type, you will find the Tester field is mandatory.

Step 4 Click Save to save the role type information in the PAP.


Configuring SoD Roles

Separation of Duty (SoD) policies ensure that groups of users who have distinctly different roles cannot knowingly or unknowingly conspire to circumvent regulatory or enterprise controls put in place. Separation of Duty (SoD) of roles ensures that the users who have distinctly different roles do not have access to the same set of users, user groups, and resources. The SoD constraint on roles is implemented to restrict the misuse of information and prevent fraudulent activities in the organization. This feature is applicable to user-to-role mapping and group-to-role mapping.

Consider an example of a user Mary who is mapped to a role Analyst. Analyst is SoD to another role called Broker. Once the SoD is configured, CEPM prevents mapping of Mary to the role Broker. If Mary was mapped to both of these roles before the SoD role configuration, CEPM provides you an option to check the SoD role violation for a user in the Auditing & Reporting section. In this section, if you want to check SoD violations for Mary, you can find all the roles that are SoD to each other.

This is achieved during the configuration of SoD for the appropriate roles in the PAP. Any SoD roles violations during this configuration process can be checked in the PAP, in the Auditing and Reporting section: Auditing & Reporting > Audit SoD Violations > SoD Roles.

To configure the SoD roles in PAP, follow these steps:


Step 1 Choose Manage Entities > Advanced > Role Constraints > SoD Roles. The SoD Roles page is displayed.

Step 2 From the Select Application drop-down list, select an appropriate application, application group or Global. The list of all the roles in the selected application, application group or Global is displayed.

Step 3 Click the SOD Role icon near the role name that you want to configure for SoD.

The List of SoD Roles page is displayed containing two list boxes side-by-side. The Roles list box contains all the roles under the selected application, application group or Global, that are not configured for SoD. The SoD Roles list box contains the roles that are configured for SoD.

Figure 4-52 SoD Roles

Step 4 To configure a role for SoD with the role that was selected in the earlier page, select that role in the Roles list box and click the Assign SoD icon. The selected role is moved from the Roles list to the SoD Roles list.

Step 5 To unassign the assigned roles in the SoD Roles list box, click the role name and click the Unassign SoD icon. The selected role is unassigned and it is moved from the SoD Roles list to the Roles list.

Step 6 Click Done to complete the SoD configuration operation.


Note You cannot do the SoD Role mapping for a dynamic role. Only static roles are listed in the Roles table. But DSoD Role mapping is possible with a dynamic role.



Configuring DSoD Roles

Dynamic Separation of Duties (DSoD) of roles prevents two or more roles from accessing the same resource at run time; that is, when a PEP User requests a resource, the request is analyzed in the PDP for a DSoD role violation, and if a violation is found, that PEP User is restricted from accessing the requested resource.

The CEPM implements the DSoD constraint on roles to restrict the information misuse in the organization.

To configure the DSoD roles in PAP, follow these steps:


Step 1 Choose Manage Entities > Advanced > Role Constraints > DSoD Roles. DSoD Roles page is displayed.

Step 2 From the Select Application list, select an appropriate application, application group, or Global.

The list of all the roles in the selected application, application group, or Global is displayed.

Step 3 Click the DSoD Role icon near the role name that you want to configure for DSoD.

Figure 4-53 DSoD Roles

The List of DSoD Roles page is displayed containing two list boxes side-by-side. The Roles list box contains all the roles under the selected application, application group or Global, which are not configured for DSoD. The DSoD Roles list box contains the roles that are configured for DSoD.

Step 4 To configure a role for DSoD with the role that was selected in the earlier page, select that role in the Roles list box and click the Assign DSoD icon. The selected role will be moved from the Roles list to the DSoD Roles list.

Step 5 To unassign the assigned roles in the DSoD Roles list box, click the role name and click the UnAssign DSoD icon. The selected role is unassigned and it is moved from the DSoD Roles list to the Roles list.

Step 6 Click Done to complete the DSoD configuration operation.
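The two constraints described in Configuring SoD Roles and Configuring DSoD Roles differ in when they are checked: SoD at the moment a user is mapped to a role (with an audit for mappings made before the constraint existed, as in the Mary/Analyst/Broker example above), DSoD at the moment a request reaches the PDP. The following is an added example, not CEPM code, that models both checks in Python. It assumes that a DSoD violation means the requesting user holds two mutually DSoD roles that both grant access to the requested resource; the user, role and resource names are constructed sample data.

```python
"""Added example (not CEPM code): static SoD checked when a user is mapped to a role,
DSoD checked when a request is evaluated, and an audit of mappings made before the
constraint existed. Role, user and resource names are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class RoleConstraints:
    """Symmetric conflict tables: sod[r] holds every role that r may never be held with."""
    sod: dict = field(default_factory=dict)
    dsod: dict = field(default_factory=dict)

    @staticmethod
    def _add(table, a, b):
        table.setdefault(a, set()).add(b)
        table.setdefault(b, set()).add(a)  # a conflict is always mutual

    def assign_sod(self, a, b):
        self._add(self.sod, a, b)

    def assign_dsod(self, a, b):
        self._add(self.dsod, a, b)


class RoleStore:
    """User-to-role mappings with static SoD enforced at mapping time."""

    def __init__(self, constraints):
        self.constraints = constraints
        self.user_roles = {}  # user -> set of role names

    def map_user_to_role(self, user, role, enforce=True):
        held = self.user_roles.setdefault(user, set())
        conflicts = held & self.constraints.sod.get(role, set())
        if enforce and conflicts:
            raise ValueError(
                f"SoD violation: {user} already holds {sorted(conflicts)}, cannot add {role}")
        held.add(role)

    def audit_sod_violations(self):
        """Users whose current roles contain an SoD pair (mappings that predate the constraint)."""
        report = {}
        for user, roles in self.user_roles.items():
            pairs = {tuple(sorted((r, s)))
                     for r in roles for s in self.constraints.sod.get(r, set()) if s in roles}
            if pairs:
                report[user] = sorted(pairs)
        return report


def decide(store, resource_allowed_roles, user, resource):
    """Minimal PDP decision. Permit needs a held role that is allowed on the resource.
    DSoD (assumed reading): if two of the user's roles that both reach this resource are
    DSoD to each other, the request is denied at run time."""
    held = store.user_roles.get(user, set())
    reaching = held & resource_allowed_roles.get(resource, set())
    if not reaching:
        return "Deny"
    for r in reaching:
        if reaching & store.constraints.dsod.get(r, set()):
            return "Deny"  # DSoD violation detected at request time
    return "Permit"


def demo():
    c = RoleConstraints()
    c.assign_sod("Analyst", "Broker")
    c.assign_dsod("Trader", "Approver")
    s = RoleStore(c)
    # Bob was mapped to both roles before the SoD constraint was configured.
    s.map_user_to_role("Bob", "Analyst", enforce=False)
    s.map_user_to_role("Bob", "Broker", enforce=False)
    s.map_user_to_role("Mary", "Analyst")
    try:
        s.map_user_to_role("Mary", "Broker")
        blocked = False
    except ValueError:
        blocked = True
    s.map_user_to_role("Carol", "Trader")
    s.map_user_to_role("Carol", "Approver")
    s.map_user_to_role("Dave", "Trader")
    acl = {"Trades": {"Trader", "Approver"}, "Reports": {"Trader"}}  # constructed sample ACL
    return {
        "mary_broker_blocked": blocked,
        "audit": s.audit_sod_violations(),
        "carol_trades": decide(s, acl, "Carol", "Trades"),
        "carol_reports": decide(s, acl, "Carol", "Reports"),
        "dave_trades": decide(s, acl, "Dave", "Trades"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three behaviours side by side: Mary's second mapping is refused, Bob's pre-existing pair appears in the audit report (the counterpart of Auditing & Reporting > Audit SoD Violations > SoD Roles), and Carol is denied on the resource that both of her DSoD roles reach while still being permitted where only one of them applies.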


Role Bundles

Role Bundles provide a mechanism to assign a set of roles to users/groups based on a context. Role bundles are very similar to contexts but affect only the user-role and group-role mappings. A role bundle, like a context, provides a fine-grained authorization mechanism.

For example, Mary can be assigned to Role1 under RoleBundle1 in an application at the same time she can be mapped to Role2 under RoleBundle2 within the same application.

Unlike contexts, Role Bundles are flat structures. A role bundle can be created under an application, application group or Global. There is a Default role bundle present at the application/application group/Global level.

To create/update/delete a role bundle, follow these steps:


Step 1 Choose Manage Entities > Advanced > Role Constraints > Role Bundles. The Role Bundles page is displayed.

Figure 4-54 Role Bundle

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update/delete a role bundle.

Step 3 To create a new role bundle, click Add. To update an existing role bundle, select the check box near that role bundle and click the Edit icon. To delete a role bundle, select the check box near that role bundle and click the Delete icon. If you have clicked Add or the Edit icon, the Create/Update Role Bundle page is displayed.

Figure 4-55 Create Role Bundle

Step 4 Enter the following information to create/update the role bundle.

Role Bundle Name—Name of the role bundle.

Role Bundle Description—Description of the role bundle.

Step 5 Click Add. The role bundle is saved in the PAP.


Resource Management

A resource is an entity that represents an application component that can be protected from unauthorized access using authorization policies. Resources can be specific application software components managed by the container (for example, URLs, EJBs, and JSPs) or any business object in the application. Resources may have attributes; for example, bank accounts can have a minimum deposit amount and a maximum withdrawal amount limit per day. Resources are hierarchical, and child resources inherit policies and attributes from their parent in the resource hierarchy.

CEPM introduces Resource Groups, which are collections of resources of the same resource type. A resource group behaves in the same manner as a regular resource, but any policy created on a resource group applies to all member resources within that group. This removes the burden of creating the same policy on each individual resource and improves performance. Refer to Resource Group for more information on how to create, update, and view a resource group.

Resource Management functionality allows you to carry out the following functions related to the management of resources.

List and search for resources

Create or edit resources

Create Resource Groups

Create a resource from external sources

Create resources with expression

Delete resource

Import resources

Export resources

Create resource types

Listing or Searching for Resources

To view the list of resources or search for a resource in a particular application, application group, or Global, follow these steps:


Step 1 Choose Manage Entities > Resources.

The Resource Management page is displayed.

Figure 4-56 Resource Page

Step 2 From the Select Application drop-down list, select an appropriate application, application group or Global. A list of resources associated with the selected application, application group or Global is displayed in the List Resources section. You can click the expand link to view all the resources that are in the list.


Note When there are a large number of resources (say, in thousands) present under an application, you can view resources using pagination options such as "<< Prev" and "Next >>". If you are using an IE6 or IE7 browser, you may get an alert message after clicking the Next button multiple times (say 6-7 times) as shown in Alert Message:

Figure 4-57 Alert Message

You can temporarily avoid this problem in the following ways:

Click NO to continue with your navigation. This scenario may repeat after some span of time.

OR

Do the following Internet Explorer configuration:

Using a Registry Editor such as Regedit32.exe, open this key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles

If the Styles key is not present, create a new key called Styles.

Create a new DWORD value called "MaxScriptStatements" under this key and set the value to the desired number of script statements (say 999999)

This setting will temporarily resolve this problem. It may reoccur once the number of script statements exceeds the given value.


Step 3 Search for a particular resource in the Search section by resource name.

Figure 4-58 Search Section

This section allows you to search for a specific resource depending upon the search criteria that can be selected from the list box and the search value that can be entered in the text box. You can use the following search criteria for searching for the resource:

Search for Resource by Name

Other available Resource Types

Enter the value to search in the text box. You can also use the asterisk character (*) as a wild card character, as part of the search value.

Example: To get the list of all the resources having M as the first character in their name, enter search value of M*, and click Search. The list of resources having M as the first character in their name will be displayed in the List Resources section.

Click Clear to clear the value entered in the search value text box.

You can click the following icons in the List Resources page to perform the operations described below:

Click the Create Resource icon to create a new resource or a resource group under Global, application group, application, or existing resource. For more information, refer to Creating or Updating a Resource.

Click the Edit Resource icon to edit the information of an existing resource. For more information, refer to Creating or Updating a Resource.

Click the Delete Resource icon to delete a resource. For more information, refer to Deleting a Resource.

Click the Copy Resource icon to create a copy of an existing resource. For more information, refer to Copying a Resource.

Click the Create Resource from External Source icon to create a resource from external sources like WSDL- (Web Services Description Language) compliant XML documents and Web Services as well as from relational databases like Oracle and MS SQL Server. For more information, refer to Creating Resources from External Sources.

Click the Create Resource from Expression icon to create resources using expression. This feature is used for creating a resource hierarchy in the PAP by providing a single expression. For more information, refer to Creating Resources with Expression.

Click the Import Resource icon to import resources from an XML file under the selected application group, application, resource, or Global. For more information, refer to Importing Resources.

Click the Export Resource icon to export resources under the selected application group, application, resource, or Global, to an XML file. For more information, refer to Exporting Resources.



Creating or Updating a Resource

To create/update a resource under a particular application or existing resource, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 From the Select Application drop-down list, select an appropriate application, application group, or Global under which you want to create/update a resource.

Step 3 To create a new resource, in the List Resources section, click the Create Resource icon near the application or existing resource under which you want to create the resource. To update an existing resource information, click the Edit Resource icon near the resource name.

The Create/Update Resource page is displayed.

Figure 4-59 Create or Update Resource

Step 4 Enter the following information in this page for creating/updating the resource:

Resource Name—Name for the resource.


Note The resource names have a limitation of 100 characters and the special characters allowed are hash (#), dollar ($), ampersand (&), parentheses ( ), less than (<), greater than (>), tilde (~), apostrophe ('), plus (+), asterisk (*), hyphen (-), underscore (_), and at sign (@). It is important to note that you cannot include a forward slash (/) in the resource name.


Description—Description for the resource.

Type—Select Regular to create a resource. To create a resource group, you must select Group as the type. Refer to Resource Group for more information on how to create, update, and view a resource group.

Resource Status—Select either Active or InActive. InActive resources will not be accessible to any User. It is important to note that any child resources or actions created under an inactive resource become inactive until and unless anything to the contrary is defined.


Note Though the "Active" button is available, a resource created under Inactive resource will always be Inactive.


Enable Xacml Logs—Check this checkbox to enable runtime log generation for the new resource. If you uncheck this, you cannot view any logs for this resource in the PAP console even though it is enabled in the parent application.

Owner—This displays the owner name (Superuser or any PAP User name).

Resource Type—Select the appropriate resource type from the drop-down list. To create an untyped resource, select Global:UNTYPE from the drop-down list. You can create a new resource type by clicking the Create New Resource Type link beside this dialog box. Click View Attributes and Action to view the attributes associated with the resource type. You can set the attribute values for evaluation purposes.


Note In CEPM, the single quote (') character cannot be used in an attribute value. This applies to all six entity types: user type, group type, role type, resource type, application type, and application group type.


Click Save to save the above information in the PAP.

Step 5 To assign this resource to users, groups, and roles on this page, click Next or click the appropriate tab, Assign Users, Assign Groups, or Assign Roles.

Step 6 Click Done after you have created/updated the resource and assigned it to appropriate users, groups, or roles.


Note Assigning the new resource to users, groups, and roles is not mandatory on this page. This operation can also be carried out later using the Edit Resource functionality after the resource is successfully created in the PAP.


In the Resource Management page (Manage Entities > Resources), click the Edit resource icon beside the resource name for which you want to assign users, groups or roles. The Create/Update Resource page is displayed. On this page, click the appropriate tab, Assign Users, Assign Groups, or Assign Roles, to assign this resource to appropriate users, groups, or roles. You can also click Next to navigate through these tabs one by one.


Creating Resources from External Sources

The PAP provides the functionality to create resources from external sources like Web Services Description Language (WSDL)-compliant XML documents and Web Services, as well as from relational databases like Oracle and MS SQL Server. This feature is useful when protecting Web Services and also when protecting database tables using the VPD Agent.

To create resources from external sources, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select the application under which you want to create resources from external sources.

Step 3 In the List Resources section, click the Create Resource from External Sources icon near the application name.

A page for creating resources from external sources is displayed. The Source Type list contains two values: WSDL and Database.

Step 4 Select WSDL to create resources from WSDL-compliant documents or Web Services. Select Database to create resources from relational databases like Oracle or SQL Server.


Creating Resources from WSDL Source


Step 1 Select the Source Type as WSDL. The URL/File Name Type list box is displayed.

Step 2 If you want to create resources from an XML file, select File. The File text box is displayed where you can enter the location and name of the XML file containing the resources information to be created in the PAP.

Figure 4-60 Create Resource from WSDL Source

If you want to create a resource by calling a Web Service, select URL. The URL text box is displayed where you can enter the URL of the Web Service.

Step 3 Click Save to complete the resource creation using the selected WSDL source.


Creating Resources from Database Source


Step 1 Select the Source Type as Database. The Database Type list box is displayed.

Step 2 If you want to create resources from an Oracle database, select oracle. If you want to create resources from MS SQL Server database, select mssql.

After selecting the database, the following text boxes are displayed where you need to enter the database connection details.

Figure 4-61 Create Resource from Database Source

Database URL—Database connection string. Example:

For Oracle—jdbc:oracle:thin:@localhost:1521:devbdb

For SQL Server—jdbc:sqlserver://localhost:3279; databaseName=cepm;SelectMethod=cursor

Driver Name—Name of the database driver class. Example:

For Oracle—oracle.jdbc.driver.OracleDriver

For SQL Server—com.microsoft.sqlserver.jdbc.SQLServerDriver

User Name and Password: Database user credentials to connect to the configured database.

Step 3 Click Connect to complete the resource creation process using the selected database.


Creating Resources with Expression

The PAP provides the functionality of creating a resource hierarchy under a particular application using an expression.

To create a resource hierarchy with an expression, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select the application under which you want to create resource hierarchy using an expression.

Step 3 Click the Create Resources with Expression icon.

Figure 4-62 Create Resource with Expression

Step 4 Enter the resource expression as explained here.

Figure 4-63 Resource Expression

Resource Expression—Enter the resource names, each separated by a dot (.).

Example: Res1.Res2.Res3

The resource hierarchy that is created under the selected application will look as shown in Resource Hierarchy.

Figure 4-64 Resource Hierarchy

Resource Type—Select the appropriate resource type.

Apply Resource Type—Select either All or Leaf. If All is selected, then all the resources created will have the same resource type value as selected in the resource type list. If Leaf is selected, then only the leaf resource will have the resource type that is selected in the resource type list, and the rest of the resources created will have the resource type Global:UNTYPE.

Step 5 Click Save. The resource hierarchy is created under the selected application.
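The expression procedure above, the resource name rules in the Note under Creating or Updating a Resource, the Inactive status rule under Resource Status, and the parent-to-child inheritance of attributes described under Resource Management all act on the same resource tree. The following is an added example, not CEPM code, that models them together in Python: it splits a dotted expression such as Res1.Res2.Res3 into a parent/child chain under an application, applies the All/Leaf resource-type rule, validates each name against the listed character set, and shows attributes and Inactive status flowing down from parent to child. The application, resource type and attribute names are constructed sample data, and the treatment of letters and digits as always permitted in a name is an assumption.

```python
"""Added example (not CEPM code): resource hierarchy built from a dotted expression,
All/Leaf resource-type assignment, resource-name validation, and inheritance of
attributes and Inactive status. All names and values are constructed sample data."""

MAX_NAME_LEN = 100
# Special characters the guide lists as permitted in a resource name (forward slash is not).
ALLOWED_SPECIAL = set("#$&()<>~'+*-_@")


def validate_resource_name(name):
    """Return None when the name is acceptable, otherwise a short reason string."""
    if not name:
        return "empty name"
    if len(name) > MAX_NAME_LEN:
        return f"longer than {MAX_NAME_LEN} characters"
    if "/" in name:
        return "forward slash is not allowed"
    # Assumption: letters and digits are always permitted; anything else must be listed.
    bad = sorted({ch for ch in name if not (ch.isalnum() or ch in ALLOWED_SPECIAL)})
    if bad:
        return f"disallowed characters: {bad}"
    return None


class Resource:
    """One node of the resource tree; the application itself is modelled as the root node."""

    def __init__(self, name, resource_type, parent=None, active=True, attributes=None):
        self.name, self.resource_type, self.parent = name, resource_type, parent
        self.own_active = active
        self.own_attributes = dict(attributes or {})
        self.children = []
        if parent:
            parent.children.append(self)

    @property
    def active(self):
        # A resource under an Inactive resource is always Inactive, whatever its own flag says.
        return self.own_active and (self.parent is None or self.parent.active)

    @property
    def attributes(self):
        # Attributes inherit from the parent; the child's own values win on a name clash.
        merged = dict(self.parent.attributes) if self.parent else {}
        merged.update(self.own_attributes)
        return merged

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def create_from_expression(application, expression, resource_type, apply_to="All"):
    """Res1.Res2.Res3 becomes Res1 > Res2 > Res3 under `application`.
    apply_to is 'All' (every node gets resource_type) or 'Leaf' (only the last node does,
    the others get Global:UNTYPE)."""
    if apply_to not in ("All", "Leaf"):
        raise ValueError("apply_to must be 'All' or 'Leaf'")
    names = expression.split(".")
    for n in names:
        problem = validate_resource_name(n)
        if problem:
            raise ValueError(f"invalid resource name {n!r}: {problem}")
    parent, created = application, []
    for i, n in enumerate(names):
        is_leaf = i == len(names) - 1
        rtype = resource_type if (apply_to == "All" or is_leaf) else "Global:UNTYPE"
        parent = Resource(n, rtype, parent)
        created.append(parent)
    return created


def demo():
    app = Resource("BankApp", "Global:UNTYPE", attributes={"owner": "Superuser"})
    leaf_only = create_from_expression(app, "Accounts.Savings.Withdraw", "Bank:ACCOUNT", "Leaf")
    all_typed = create_from_expression(app, "Loans.Mortgage", "Bank:LOAN", "All")
    all_typed[0].own_attributes["max_withdrawal_per_day"] = 1000
    all_typed[0].own_active = False  # deactivate Loans; Mortgage keeps its own Active flag
    return {
        "leaf_path": leaf_only[-1].path(),
        "leaf_types": [r.resource_type for r in leaf_only],
        "all_types": [r.resource_type for r in all_typed],
        "mortgage_attrs": all_typed[1].attributes,
        "mortgage_active": all_typed[1].active,
        "slash_rejected": validate_resource_name("a/b"),
        "ok_name": validate_resource_name("Acct#1(main)"),
    }


if __name__ == "__main__":
    print(demo())
```

The `path()` method joins names with a forward slash, which is exactly why the guide forbids that character inside a single resource name: a slash in a name would make two different hierarchies print identically. Mortgage reports `active == False` although its own flag is still True, matching the Note that a resource created under an Inactive resource is always Inactive.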


Assigning Users to a Resource

After creating a resource, you can assign users to it.

To assign users to a resource, follow these steps:


Step 1 On the Create/Update Resources page, click the Assign Users tab. The Assign Users page is displayed.

Figure 4-65 Assigning Users to Resource

Step 2 Assign a context for the user-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed. Select the appropriate context from the list to apply the context to the user-resource association.

The Assign Users page contains three list boxes placed side-by-side. The Users list box contains the users that are not assigned to the resource. On the right side, the Allowed Users and Denied Users list boxes contain the users that are assigned to the resource, with either the Allowed permission or the Denied permission.

Step 3 To assign a user to the resource with Allowed permission, select that user in the Users list box and click the Assign Allowed Users icon. The selected user is moved from the Users list to the Allowed Users list.

Step 4 To assign a user to the resource with Denied permission, select that user in the Users list box and click the Assign Denied Users icon. The selected user is moved from the Users list to the Denied Users list.

Step 5 To unassign the assigned users in the Allowed Users or Denied Users list box, click the user name and click the Unassign icon. The selected user is unassigned and it is moved from the Allowed Users or Denied Users list to the Users list.

Step 6 For the user-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned user and clicking the appropriate icon near the actions label as explained here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations.

Step 7 Click Save or Done to complete the user-resource association.


Assigning Groups to a Resource

After creating a resource, you can assign groups to it.

To assign groups to a resource, follow these steps:


Step 1 On the Create/Update Resources page, click the Assign Groups tab.

The Assign Groups page is displayed.

Figure 4-66 Create or Update Resource

Step 2 Assign a context for the group-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed. Select the appropriate context from the list to apply the context to the group-resource association.

The Assign Groups page contains three list boxes side-by-side. The Groups list box contains the groups that are not assigned to the resource. On the right side, the Allowed Groups and Denied Groups list boxes contain the groups that are assigned to the resource, with either the Allowed permission or the Denied permission.

Step 3 To assign a group to the resource with Allowed permission, select that group in the Groups list box and click the Assign Allowed Groups icon. The selected group is moved from the Groups list to the Allowed Groups list.

Step 4 To assign a group to the resource with Denied permission, select that group in the Groups list box and click the Assign Denied Groups icon. The selected group is moved from the Groups list to the Denied Groups list.

Step 5 To unassign the assigned groups in the Allowed Groups or Denied Groups list box, click the group name and click the Unassign icon. The selected group is unassigned and it is moved from the Allowed Groups or Denied Groups list to the Groups list.

Step 6 For the group-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned group and clicking the appropriate icon near the actions label as explained here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations.

Step 7 Click Save or Done to complete the group-resource association.


Assigning Roles to a Resource

After creating a resource, you can assign roles to it.

To assign roles to a resource, follow these steps:


Step 1 On the Create/Update Resources page, click the Assign Roles tab.

The Assign Roles page is displayed.

Figure 4-67 Assigning Resource to Roles

Step 2 Assign a context for the role-resource association that you are going to create by clicking the Context icon. A list of contexts is displayed. Select the appropriate context from the list to apply the context to the role-resource association.

The Assign Roles page contains three list boxes side-by-side. The Roles list box contains the roles that are not assigned to the resource. On the right side, the Allowed Roles and Denied Roles list boxes contain the roles that are assigned to the resource, with either the Allowed permission or the Denied permission.

Step 3 To assign a role to the resource with Allowed permission, select that role in the Roles list box and click the Assign Allowed Roles icon. The selected role is moved from the Roles list to the Allowed Roles list.

Step 4 To assign a role to the resource with Denied permission, select that role in the Roles list box and click the Assign Denied Roles icon. The selected role is moved from the Roles list to the Denied Roles list.

Step 5 To unassign the assigned roles in the Allowed Roles or Denied Roles list box, click the role name and click the Unassign icon. The selected role is unassigned and it is moved from the Allowed Roles or Denied Roles list to the Roles list.

Step 6 For the role-resource association, you can also assign rules, configure the Policy Combining Algorithm, set attributes to return, and set policy attributes. You can also edit the existing policy.

All this can be achieved by selecting the assigned role and clicking the appropriate icon near the actions label as explained here:

a. Add rule: Click the Add Rule icon. The pop-up page for adding the rules information is displayed. For more information, refer to Add Rules to a Policy.

b. Configure the Policy Combining Algorithm: Click the Policy Combining Algorithm icon. The pop-up page for configuring the Policy Combining Algorithm is displayed. For more information, refer to Policy Combining Algorithm.

c. Add attributes to return: Click the Add attributes to return icon. The pop-up page for adding the attributes to return is displayed. For more information, refer to Set attributes to be returned as obligation.

d. Add policy attributes: Click the Add policy attributes icon. The pop-up page for adding the policy attributes is displayed. For more information, refer to Set Policy Attributes.

e. Edit policy: Click the Edit Policy icon. The pop-up page for editing the policy information is displayed. For more information, refer to Edit Policy Configurations.

Step 7 Click Save or Done to complete the role-resource association.


Deleting a Resource

The Resource Management page (Manage Entities > Resources) allows you to delete resources that are already created under Global, application group, application, or resource. Click the Delete icon near the resource name to delete that resource from the PAP.

Copying a Resource

Using the Copy Resource functionality, you can create a copy of an existing resource and place it as a child resource of any other resource inside the same application. The attributes and properties of the copied resource are identical to those of the original resource, and the copied resource inherits the resource hierarchy and actions of its new parent resource. The Copy Resource operation does not copy the policies defined on the original resource.

To create a copy of an existing resource in the Resource Management page, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select an appropriate application, application group or Global under which the resource to be copied exists.

A list of all the resources in the above selected application group, application, resource or Global is displayed. You can search for the resource that you want to copy.

Step 3 In the List Resources section, double-click the Copy Resource icon near the resource name whose copy you want to create. A blue image containing the name of the selected resource is displayed near the cursor.

Step 4 Click the resource under which you want to create the copy of the earlier selected resource. The copy of the earlier selected resource is now created under this resource.


Importing Resources

You can import resources from an XML file into a particular application in the PAP.

To import the resources in the PAP, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select an appropriate application under which you want to import the resources.

Step 3 In the List Resources section, click the Import icon beside the application under which you want to import the resources.

A dialog box for importing the resources information from XML file is displayed.

Figure 4-68 Import Resource

Step 4 Browse for the XML file, select it, and click Save. The resources are imported into the PAP under the selected application.


Exporting Resources

You can export resources from a particular application group/application in PAP to an XML file.

To export the resources from PAP, follow these steps:


Step 1 Choose Manage Entities > Resources. The Resource Management page is displayed.

Step 2 Select an appropriate application or application group from which you want to export the resources.

Step 3 In the List Resources section, click the Export icon which is beside the application or application group from which you want to export the resources.

A dialog box for opening/saving the resources information in XML format is displayed.

Step 4 Click Save to save the Resources.xml file to the appropriate location.


Creating, Updating, or Deleting a Resource Type

The PAP provides the functionality of classifying resources by creating resource types under an application, application group, or Global. Creating a resource type is optional, because the PAP provides two default resource types, UNTYPE and ACTION, at the Global level.

A resource type can have actions and attributes. Actions are the tasks in your business policy that can be executed on a resource. For example, the WebLogic Portlet resource can have actions such as Maximized, Minimized, Delete, Edit, and View. Attributes contain information about the characteristics of the resource. For example, filetype can be a resource attribute that is used to define an html, image, or pdf file type.

To create/update/delete a resource type, follow these steps:


Step 1 Choose Manage Entities > Advanced > Entity Types > Resource Types.

The Resource Types page is displayed.

Figure 4-69 Resource Type Page

Step 2 From the Select Application list, select an appropriate application, application group, or Global for which you want to create/update/delete a resource type.

The page displays a list of existing resource types for the selected application, application group, or Global.

Step 3 To create a resource type, click Add. To update an existing resource type, check the check box near the resource type and click the Edit icon. To delete an existing resource type, check the check box near the resource type and click the Delete icon.

If you click the Add or the Edit icon, the Create/Update Resource Types page is displayed.

Figure 4-70 Create or Update Resource Type

You can enter the following information in this page for creating the resource type:

Resource Type Name—Name of the resource type.


Note The resource type name is limited to 100 characters, and the only special characters allowed are asterisk (*), hyphen (-), and underscore (_).


Description—Description of the resource type.

Select—Choose Actions to create actions for this resource type, or Attributes to create attributes for it. Creating actions and attributes for a resource type is optional. Click the Add More button to add another action or attribute to the resource type.

Each resource type of Action contains the following information.

Action Name—Name of the action

Each resource type of Attribute contains the following information.

Attribute Name—Name of the attribute

Attribute Type—Select the attribute type from the drop-down list, which contains all the attribute types that exist in the repository. If you select enum as the type, you must set the enumeration values for the attribute by clicking the View Query button.

If, while creating any entity type, you select a PIP attribute that expects an input (such as DB PIP or LDAP PIP), you must set the dollar values by clicking the Set Query Details button. A pop-up window prompts you to evaluate the attribute values. Set the dollar values and click Save in the pop-up window; otherwise, the entity type creation fails.

Value Type—Select Single if you want the attribute to return a single value. Select Multiple if you want the attribute to return multiple values.

Mandatory—Set the Mandatory field to either Yes or No. When set to Yes, you must give the attribute a value whenever this attribute is used in creating a resource; accordingly, the Attribute value field for that attribute on the Create Resource page is shown as a mandatory field.

Step 4 Click Save to save the resource type information in the PAP.


Resource Group

In CEPM, when defining entitlements on resources, the PAP user picks each resource individually and defines the policy and subsequent rules on it. When the number of resources is high (in the thousands), repeating this for every single resource is tedious and time consuming. The resource group feature offers a more convenient way to define entitlement policies on a collection of resources in a single step. Resources of a particular type can be grouped together to simplify managing entitlements for the whole group. A resource group has the same resource type as the resources it is composed of.

A resource group can be created in two ways—

Adhoc

Rule based

The resource group inherits attributes from the resource type that is associated with the group. Additional actions can be created on the resource group as in case of normal resources.

Adhoc Resource Group

An Adhoc creation allows the user to select resources of the same resource type as the resource group to be members of the group. In this case, the group membership of a resource is determined on the basis of the mapping done under the Assign Resources functionality in the PAP UI.

Rule Based Resource Group

A rule based resource group allows the user to specify a simple or complex rule that must evaluate to true for a resource to be a member. At runtime, the membership of a Rule Based Resource Group is determined by two conditions: first, the resource must be of the same resource type as specified for the resource group; second, the resource must satisfy the rules defined on the resource group.

For instance, a simple rule can be defined as:

ResourceType.owner = 'John'

where Owner is an attribute of the resource group or resource type.

The simple or complex rules thus defined are shared across the application on the PAP.

At runtime, the policy on the resource group is applied only to those resources that satisfy the rules defined for the rule based resource group; that is, only resources carrying the key/value pair owner = John participate in the policy evaluation.


Note When the policy cache is enabled, the rules created for a rule based resource group cannot be shared or reused, so they are not listed in the rules drop-down lists on the Create Rules page in the Manage Entitlements section of the PAP UI.


Creating a Resource Group

You can create a resource group under an application or a resource but not under a resource group. Only Actions can be created under a resource group. The Create/Update Resource page under the Manage Entities section of the PAP UI also provides the platform to create the resource group.

It is assumed that the resource hierarchy and the resource types are already in place before creating the resource group.

Creating an Adhoc Resource Group

To create an Adhoc resource group, follow these steps:


Step 1 Navigate to Home > Manage entities > Resources.

Step 2 Select the application or the resource under which you want to create the resource group, for example, Prime group:Prime portal.

Step 3 Click the Create Resource icon of the selected application.

Step 4 The Create/Update Resources page appears. The Parent Resource field displays the fully qualified name of the selected resource.

Figure 4-71 Create Adhoc Resource Group

Step 5 Enter the name and a brief description of the Resource group in the Resource Name and the Description fields respectively.

Step 6 In the Type field, select Group by clicking the Group radio button. A new field called Group Membership appears under the Type field.

Step 7 In the Group Membership field, click the Adhoc radio button to create the Adhoc resource group. This activates the Assign Resources button at the bottom of the screen, which is initially inactive.

Step 8 Select the required Resource Status to either Active or Inactive. Refer to create resource section for more details.

Step 9 Set the Enable Xacml Logs to true by selecting the checkbox. Refer to create resource section for more details.

Step 10 Select the resource type from the Resource Type dropdown list. The Actions and the Type attributes sections display the attributes and actions created under the selected resource type.


Note A resource group cannot be of the type Action.


Step 11 Click the Assign Resources button. This opens a new page in which you map the appropriate resources to the resource group.

Figure 4-72 Assign Resources

This page contains two sections: Assign Resources to Resource Group and Mapping. The Assign Resources to Resource Group section displays the resource group details. In the Mapping section, the Resources table contains only those resources that have the same resource type as the resource group. For example, if the resource group was created with MyResType as its resource type, the Mapping table lists all the resources of type MyResType.

Step 12 Move the desired resources from the Resources table to the Assigned Resources table using the right arrow (blue) button.

Figure 4-73 Move resources

In this figure you can see the resources Res1 and Res2 are assigned to the resource group.

Step 13 Click Save. This assigns the resource group membership to the selected resources.

Step 14 Click Done to complete the Adhoc resource group creation process. At this stage, you can also move forward and assign users, groups and roles to the resource group by clicking Next.

This creates the necessary Adhoc resource group.


Creating a Rule Based Resource Group

To create a Rule Based Resource Group, follow these steps:


Step 1 Follow the steps 1 through 6 as mentioned in Creating an Adhoc Resource Group.

Step 2 In the Group Membership field, click the Rule Based radio button to create the rule based resource group. This activates the Advanced button at the bottom of the screen, which is initially inactive.

Figure 4-74 Create Rule Based Resource Group

Step 3 Select the Resource Status to either Active or Inactive.

Step 4 Set the Enable Xacml Logs to true by selecting the checkbox.

Step 5 Select the resource type from the Resource Type dropdown list.

Step 6 Click Advance to set the rule for the resource group. The Create Rules page appears.

Figure 4-75 Create Rules for Rule based resource group

Before associating a rule with the policy, you must create one or more simple rules and then define the complex rule from those simple rules.

Step 7 To create a simple rule, click the Simple Rules link in the Resource Information section. The Simple Rule page appears.

Figure 4-76 Create Simple Rule

Step 8 Create the necessary rules for the resource group by entering the name of the rule and setting the parameters such as LHS, RHS, and the operator. For example, a simple rule called SR1 may look like—

"RESOURCE:MyResType:Owner" "equal to" "John"

You can add more simple rules by using the Add More button.

Step 9 Click Set Rules after creating the required simple rules. This returns you to the Rule creation page.

Step 10 Work out the complex rule from the simple rules by entering the name of the complex rule and selecting the simple rules with the necessary operator.

Figure 4-77 Create Complex Rule

In this example scenario, a complex rule called CR1 has been created using the simple rule SR1.

Step 11 Select CR1 in the Simple Association section.

Step 12 Click Set Rules.

This creates the necessary rule based resource group.
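The membership evaluation described under Rule Based Resource Group (same resource type, plus a rule that evaluates to true) and the SR1/CR1 rules from the procedure above, worked through as an added Python example. This is not CEPM code: the Resource, SimpleRule, ComplexRule and RuleBasedResourceGroup classes, the operator names, and the sample resources are constructed stand-ins for this illustration; how the CEPM PDP evaluates these rules internally is not described on this page.

```python
# Added example, not CEPM code: models Rule Based Resource Group membership
# as this guide describes it. A resource is a member when (1) its resource
# type matches the group's type and (2) the group's rule evaluates to true.
# All classes, operator names and sample resources are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Operators a simple rule may use (assumed names; the UI offers its own list).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equal to": lambda a, b: a == b,
    "not equal to": lambda a, b: a != b,
    "starts with": lambda a, b: a.startswith(b),
}


@dataclass
class Resource:
    name: str
    resource_type: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class SimpleRule:
    """One LHS / operator / RHS triple, e.g. SR1 =
    "RESOURCE:MyResType:Owner" "equal to" "John"."""
    name: str
    lhs: str        # "RESOURCE:<ResourceType>:<Attribute>"
    operator: str   # key of OPERATORS
    rhs: str

    def evaluate(self, res: Resource) -> bool:
        scope, rtype, attr = self.lhs.split(":", 2)
        if scope != "RESOURCE" or rtype != res.resource_type:
            return False
        if attr not in res.attributes:
            return False    # a missing attribute never satisfies the rule
        return OPERATORS[self.operator](res.attributes[attr], self.rhs)


@dataclass
class ComplexRule:
    """Simple rules joined by one operator, e.g. CR1 = SR1 (AND of one rule)."""
    name: str
    operator: str   # "AND" or "OR"
    simple_rules: List[SimpleRule]

    def evaluate(self, res: Resource) -> bool:
        results = [r.evaluate(res) for r in self.simple_rules]
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class RuleBasedResourceGroup:
    name: str
    resource_type: str
    rule: ComplexRule

    def members(self, resources: List[Resource]) -> List[str]:
        """Names of the resources that are members of this group at runtime."""
        return [
            r.name for r in resources
            if r.resource_type == self.resource_type   # condition 1: same type
            and self.rule.evaluate(r)                  # condition 2: rule is true
        ]


def demo_membership() -> List[str]:
    # Constructed resources: only Res1 has both the right type and the right owner.
    resources = [
        Resource("Res1", "MyResType", {"Owner": "John"}),
        Resource("Res2", "MyResType", {"Owner": "Jane"}),
        Resource("Res3", "OtherType", {"Owner": "John"}),  # right owner, wrong type
        Resource("Res4", "MyResType", {}),                  # Owner attribute missing
    ]
    sr1 = SimpleRule("SR1", "RESOURCE:MyResType:Owner", "equal to", "John")
    cr1 = ComplexRule("CR1", "AND", [sr1])
    rg1 = RuleBasedResourceGroup("RG1", "MyResType", cr1)
    return rg1.members(resources)


if __name__ == "__main__":
    print(demo_membership())
```

Res3 shows why the type check matters: an attribute match alone is not membership, which is the guide's first condition. Res4 shows the conservative choice for a resource that lacks the attribute the rule names: it is excluded rather than silently matched.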


Viewing Resource Group

Resource groups appear as siblings of regular resources in the resource tree. Resource groups cannot have child resources or sub-groups, but they can have actions as child nodes. The Resources page (Home > Manage Entities > Resources) lists the resources as well as the resource groups created under the selected application. Resource groups are identified by a distinct symbol in the resource tree.

Figure 4-78 View Resource Group

Updating a Resource Group

You can update the following attributes of an existing resource group:

Resource Name: The resource group name can be updated.

Description: The resource group description can be updated.

Type: The type of a resource group cannot be changed from Group to Regular.

Group Membership: The resource membership policy can be switched from Adhoc to rule based or vice versa. In that case, all current memberships are overridden under the new policy.

Resource Status: You can update the status of an existing resource group to active or inactive.

Enable Xacml Log: You can enable or disable XACML logs for a selected resource group.

Resource Type: You cannot update the resource type of an Adhoc resource group, but you can update it for a rule based resource group. In both cases, the attribute values of the resource type to which the group belongs can be updated.

Apart from the above, you can manipulate the member resources of an Adhoc resource group through inclusion or exclusion of resources by using the Assign Resources button. In case of rule based resource group, you can update the rules (both simple and complex).

In the PAP UI, to update a resource group:


Step 1 Navigate to Home > Manage Entities > Resources.

Step 2 In the Resources Page, select the resource group which you want to update and click the Edit button. The Create/Update Resources page appears.

Step 3 After updating the required fields, do one of the following:

a. In case of Adhoc resource group, click the Assign Resources button to add or remove member resources or

b. In case of Rule Based Resource Group, click Advance button to update the rules.

Step 4 Click Done to update the resource group.


Deleting a Resource Group

You can delete a resource group; its member resources remain unaffected. Policies created on the resource group and on its member resources cease to exist after the resource group is deleted.

In the PAP UI, to delete a resource group:


Step 1 Navigate to Home > Manage Entities > Resources.

Step 2 In the Resources page, select the resource group that you want to delete and click the Delete button. A message window pops up. Click Yes to confirm the deletion.


Policy Creation on Resource Group

You can create entitlement policies on a resource group just as for regular resources. A policy can be user-based, role-based, or group-based; for role-based and group-based policies, dynamic roles and groups are also considered. A resource group inherits policies from its parent resource.

A policy thus created has the same semantic content as any other CEPM policy, which implies the inclusion of the association of attribute collections as obligations to the policy and specification of time constraints for the applicability of the policy. Refer to Chapter 5 "Manage Entitlements" of the CEPM User Guide for more details about creating policies.

There are instances where a resource can have membership across multiple resource groups. This creates a conflict among the policies set on the resources and the resource groups. For instance, a resource Res1 is a member of resource groups RG1 and RG2. User John has an Allow policy on RG1 and a Deny policy on RG2. When a request for John to access Res1 hits the PDP, the PDP checks both of these resource groups of which Res1 is a member and it finds an Allow as well as a Deny policy. In this situation, it gives the decision after considering the Resource Group Policy Combining Algorithm which is set on top of the resource Res1. Refer to Resource Group Policy Combining Algorithm for more information.
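The Res1/RG1/RG2 conflict described above, as an added Python example (not CEPM code). The policies, the group memberships, and the three combining algorithms (deny-overrides, permit-overrides and first-applicable, which are the standard XACML names) are constructed for illustration; this page does not list which algorithms the Resource Group Policy Combining Algorithm setting offers, so the set used here is an assumption.

```python
# Added example, not CEPM code: a resource that belongs to several resource
# groups can pick up conflicting Allow/Deny policies, and the combining
# algorithm configured on the resource decides the outcome. Policies,
# memberships and algorithm names below are constructed for illustration.
from typing import Dict, List, Tuple

# (resource_group, user, effect): constructed policies, effect is "Allow" or "Deny"
POLICIES: List[Tuple[str, str, str]] = [
    ("RG1", "John", "Allow"),
    ("RG2", "John", "Deny"),
    ("RG2", "Jane", "Allow"),
]

# resource -> resource groups it belongs to (from Adhoc mapping or rules)
GROUP_MEMBERSHIP: Dict[str, List[str]] = {
    "Res1": ["RG1", "RG2"],
    "Res2": ["RG2"],
}


def applicable_effects(resource: str, user: str) -> List[str]:
    """Effects of every resource-group policy that applies to (resource, user),
    in the order the groups are listed for the resource."""
    effects: List[str] = []
    for group in GROUP_MEMBERSHIP.get(resource, []):
        for g, u, effect in POLICIES:
            if g == group and u == user:
                effects.append(effect)
    return effects


def combine(effects: List[str], algorithm: str) -> str:
    """Combine Allow/Deny effects; 'NotApplicable' when no policy matched."""
    if not effects:
        return "NotApplicable"
    if algorithm == "deny-overrides":      # any Deny wins (fail closed)
        return "Deny" if "Deny" in effects else "Allow"
    if algorithm == "permit-overrides":    # any Allow wins
        return "Allow" if "Allow" in effects else "Deny"
    if algorithm == "first-applicable":    # first matching group decides
        return effects[0]
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def decide(resource: str, user: str, algorithm: str) -> str:
    """Decision the PDP would reach for (resource, user) under the given algorithm."""
    return combine(applicable_effects(resource, user), algorithm)


if __name__ == "__main__":
    for alg in ("deny-overrides", "permit-overrides", "first-applicable"):
        print(alg, decide("Res1", "John", alg))
```

The same request (John accessing Res1) yields Deny under deny-overrides and Allow under permit-overrides, so the combining algorithm set on the resource is a security-relevant choice, not a cosmetic one. first-applicable additionally depends on the order in which the PDP visits the groups, which makes it the hardest to reason about when memberships change; deny-overrides is the fail-closed default when in doubt.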

Application Attributes

The Manage Entities section allows you to add, update, delete, and view the application attributes to the already created application attribute sources. Refer to Application Attribute Source for more information.

Prehook Handlers

In CEPM, when an event is triggered, a handler hooks that event. This is called a prehook handler; programmatically, the interface is IHandler.

When any event takes place within the PAP, the handler instantiates an object for that event. If the handler throws an exception, the triggered event does not take effect in the PAP console.

The prehook handler is application-specific: it can be invoked for all applications or only for selected applications configured with the handler. You configure this in the <handlers> tag of the pap_config.xml file, which limits the handler to events triggered in the specified applications. The <handler> tag takes an application attribute that can be set to * (all applications), a single application name, or multiple application names separated by commas.

Here is the sample <handler> tag in pap_config.xml.

<handlers>
    <common-properties>
        <sessionuser>superuser</sessionuser>
        <sessionpassword>admin</sessionpassword>
    </common-properties>
    <handler name="UserHandler" enabled="true" type="*.*" application="Prime group:Prime portal">
        <impl>com.cisco.epm.util.handler.UserHandler</impl>
        <properties>
            <prop1>value</prop1>
            <prop2>value</prop2>
        </properties>
    </handler>
</handlers>

The prehook handler supports consolidated event notification. When multiple objects are selected in the console (for instance, a user-role mapping in which several users are selected and mapped to one role), the handler consolidates the multiple mappings into a single event: all corresponding objects are wrapped in an array-list object and passed to the handler as one object.

Similarly, the handler also works for the following operations:

1. User-based entitlement

2. Assign resources

3. Role-based entitlement

4. Group-based entitlement

5. Group role mapping

6. Group role assignment

7. User role mapping

8. User group mapping

9. User role assignment

10. Bulk user deletion

Here is a sample code for IHandler:

package com.cisco.epm.admin.sdk;

import java.util.Properties;

// ActionEvent and HandlerException are CEPM SDK types; their package is not
// shown in this guide, so no import is given for them here.
public interface IHandler
{
    // Called once at PAP startup with the properties from pap_config.xml.
    void init(Properties props);
    // Called before the PAP performs a configured event; throw to veto it.
    void handle(Object obj, ActionEvent event) throws HandlerException;
    // Called when the PAP fails to persist the change after handle() succeeded.
    void rollback(Object obj, ActionEvent event);
    // Called at PAP shutdown so the handler can release its resources.
    void destroy();
}

The IHandler defines the life cycle methods for the hook as explained below:

1. The init() method is called by the framework during startup, to pass in all the properties that can be configured in the configuration file. These properties can be any arbitrary name-value pairs.

For example, if you want to write the policy details to a database when these events take place, you can give the database properties here as:

<username>cepmtest</username>
<password encrypted="false">test123</password>
<url>jdbc:oracle:thin:@localhost:1521:devbdb</url>
<driver>oracle.jdbc.driver.OracleDriver</driver>

The database can be initialized in the init method of the handlerImpl class.

2. The handle(Object obj,ActionEvent event) method is called with every event configured in the pap_config.xml file. Event Table describes the events that are configured in the pap_config.xml file:

Table 4-1 Event Table

Type                    Policy Mapping
ResourceRoleMapping     Resource-based
RoleResourceMapping     Role-based
UserResourceMapping     User-based
GroupResourceMapping    Group-based
UserRoleMapping         User role mapping
UserHandler             User creation, update, delete
RoleHandler             Role creation, update, delete
GroupHandler            Group creation, update, delete
GroupRoleMapping        Mapping of a group to role
UserGroupMapping        Mapping a user to group
*.*                     All mapping to true


The object holds the value object with required values from the action taking place. When you create a user-/role-/group-based policy on an application using the createPolicy method, you get the policy object. But when such a policy is created on one or more resources (entity to resource mapping) using mapUser/mapGroup/mapRole method, you will get the corresponding entity object. For example, if a user is mapped to multiple resources, you will get the user object, which contains an array of resources.


Note Custom Handlers—You can rename any handler by modifying the <handlers> tag of pap_config.xml and the corresponding handler name in the apiconfiguration.xml file. The custom handler name must match in both files; a mismatch may cause errors or exceptions. For example, if you want to change the 'UserResourceMapping' handler to 'User Policy Handler', modify these files in the following manner:

In the pap_config.xml file, change the handler tag:

<handler name="UserResourceMapping" enabled="true" type="*.*" application="Prime group:Prime portal">

to

<handler name="UserPolicyMapping" enabled="true" type="*.*" application="Prime group:Prime portal">

The corresponding API tag in apiconfiguration.xml file is as follows:

<api name="MappingImpl:mapUserToResources" prehook-rollback="false" posthook-rollback="false">
    <handlerName>UserResourceMapping</handlerName>
    <actionEvent>
        <action>Map</action>
        <actionType>MapUserToResources</actionType>
        <actionSource>com.cisco.epm.pap.api.vo.User</actionSource>
    </actionEvent>
</api>

Change the <handlerName> tag:

<handlerName>UserResourceMapping</handlerName>

to

<handlerName>UserPolicyMapping</handlerName>

3. The rollback(Object obj, ActionEvent event) method is a callback invoked by the framework when the data handled by the handle method cannot be persisted in the product's database.

4. The destroy() method gets invoked at the time of server shutdown. The lifecycle of a handler ends with invoking the destroy() method, which is called by the framework when the PAP is shut down. This allows the handler to clean up the resources it is currently using.

Sequence of HandlerImpl Execution

When the framework calls the HandlerImpl class's handle method for a task and that method fails, the framework task is not performed and a HandlerException is thrown.

If the handle method completes successfully but the framework event fails, the framework rolls back the work performed by the HandlerImpl's handle method by calling its rollback method.
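The handler contract described in this section (application scoping from the handler's application attribute in pap_config.xml, consolidated events, handle() before the PAP task, rollback() when the task fails afterwards), modelled as an added Python example. It is not CEPM code: the HandlerException, ActionEvent and PrehookHandler classes and the run_event driver are constructed stand-ins for the Java IHandler, ActionEvent and HandlerException types and for the PAP framework, and the "blocked" check inside handle() is an invented veto condition used only to exercise the failure path.

```python
# Added example, not CEPM code: a small model of the prehook handler sequence.
# The framework calls handle() before performing the PAP task; if handle()
# raises, the task is not performed; if the task fails afterwards, rollback()
# is called. The handler only runs for the applications named in its
# "application" attribute ("*" = all, or a comma-separated list), and a
# multi-select action arrives as one event whose object is a list.
from dataclasses import dataclass
from typing import Any, Callable, List, Tuple


class HandlerException(Exception):
    """Raised by a handler to veto the event (stand-in for CEPM's HandlerException)."""


@dataclass
class ActionEvent:
    action: str        # e.g. "Map"
    action_type: str   # e.g. "MapUserToResources"
    application: str   # application in which the event was triggered


class PrehookHandler:
    """Stand-in for an IHandler implementation: init / handle / rollback / destroy."""

    def __init__(self) -> None:
        self.log: List[str] = []

    def init(self, props: dict) -> None:
        self.log.append(f"init {sorted(props)}")

    def handle(self, obj: Any, event: ActionEvent) -> None:
        # A multi-select UI action arrives as one event carrying a list of objects.
        items = obj if isinstance(obj, list) else [obj]
        # Invented veto condition: refuse any object whose name starts with "blocked".
        if any(str(i).startswith("blocked") for i in items):
            raise HandlerException("blocked object in event")
        self.log.append(f"handle {event.action_type} x{len(items)}")

    def rollback(self, obj: Any, event: ActionEvent) -> None:
        self.log.append(f"rollback {event.action_type}")

    def destroy(self) -> None:
        self.log.append("destroy")


def applies_to(application_attr: str, app: str) -> bool:
    """Interpret the handler's application attribute: "*" or a comma-separated list."""
    if application_attr.strip() == "*":
        return True
    return app in [a.strip() for a in application_attr.split(",")]


def run_event(handler: PrehookHandler, application_attr: str, obj: Any,
              event: ActionEvent, framework_task: Callable[[Any], None]) -> str:
    """Drive one event the way the PAP framework is described to."""
    if not applies_to(application_attr, event.application):
        framework_task(obj)
        return "task done (handler not configured for this application)"
    try:
        handler.handle(obj, event)
    except HandlerException as exc:
        return f"task skipped: {exc}"          # handler failed: PAP task not performed
    try:
        framework_task(obj)
    except Exception as exc:
        handler.rollback(obj, event)           # framework failed: undo handler's work
        return f"task failed, handler rolled back: {exc}"
    return "task done"


def demo() -> Tuple[List[str], List[str]]:
    handler = PrehookHandler()
    handler.init({"prop1": "value", "prop2": "value"})
    scope = "Prime group:Prime portal"          # application attribute from pap_config.xml
    ev = ActionEvent("Map", "MapUserToResources", "Prime group:Prime portal")

    def ok_task(obj: Any) -> None:
        pass

    def failing_task(obj: Any) -> None:
        raise RuntimeError("db down")

    outcomes = [
        run_event(handler, scope, ["alice", "bob", "carol"], ev, ok_task),   # consolidated
        run_event(handler, scope, "blocked-user", ev, ok_task),              # handler vetoes
        run_event(handler, scope, "dave", ev, failing_task),                 # rollback path
        run_event(handler, scope, "erin",
                  ActionEvent("Map", "MapUserToResources", "Other app"), ok_task),
    ]
    handler.destroy()
    return outcomes, handler.log


if __name__ == "__main__":
    for line in demo()[0] + demo()[1]:
        print(line)
```

The third case is the one to test when writing a real handler: anything handle() did (for example, the external database write from the init() example above) must be undoable in rollback(), or a failed PAP persist leaves the external record out of step with the entitlement repository.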

Import/Export

CEPM now supports selective import/export of any data to/from the entitlement repository. You can import/export a single or multiple entities to/from a particular application, application group or Global level.

Import Entities

To import the entities, follow these steps:


Step 1 From the Select Application drop-down list, select the application group, application, or Global into which you want to import entities. Note that selecting Global allows you to import only entities that were exported at the Global level. Similarly, if you select an application group, you can import only entities that were exported from another application group, not from an application.

Step 2 Select one or more entities from the Entities list.

Step 3 Browse for the individual entity XML file (for example, Users.xml), Entities.zip, or XacmlPolicies.zip file to be imported.

Step 4 Select any of the following options available under Import button:

Import Selected Entities—allows you to import the selected entities into the selected application group/application.

Import All—allows you to import all the entities into the selected application/application group irrespective of the level from where the entities are exported. For example, if you select Import All option for an application and try to import entities which were exported from an application group, the entire entities will get imported under the selected application.

Import Policies—allows you to import the policies belonging to the application/application group.

This imports the required entities into the selected application.


Note If a policy is formulated using a RegEx PIP rule with a regular expression that contains a comma, for example, '[a-z,A-Z,0-9,:]*', that policy cannot be imported while importing the application.


Export Entities

To export entities, follow these steps:


Step 1 From the Select Application drop-down list, select the application group, application, or Global from which you want to export entities. Note that selecting Global exports only entities created at the Global level. If you select an application group, you can export entities created under that application group and at the Global level. If you select an application, the entities created at all levels (Global, application group, and application) are exported.

Step 2 Select the one or more entities from the Entities list.

Step 3 Select any of the following options available under Export button:

Export Selected Entities—allows you to export the selected entities from the selected application. If you select a single entity from the list, the data is exported to an XML file; for example, selecting User exports Users.xml. If you select User, Role, and Group, the entities are exported together in a zip file, Entities.zip.

Export All—allows you to export all the entities belonging to the selected application group/application. If you select an application group, you can export entities which are created under the application group including the applications. If you select Global, only Global level data will be exported.

Export Policies—allows you to export the policies belonging to the application group/application. If you select Application group, the policies created under the applications constituting the group will be exported.


Note You cannot export policies for an individual entity. When you click this option, all the policies irrespective of the entities are exported.


Step 4 Browse the appropriate target location to save the exported file.

This will create an xml for a single entity (for example, Users.xml), Entities.zip for multiple entities or XacmlPolicies.zip for policies in the targeted location.