6.3.2 Creating Access Gateway Authorization Policies

An Authorization policy specifies conditions that a user must meet to access a resource or to be denied access to a resource. Access Gateway enforces these conditions.

To create an Authorization policy:

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the policy, then select Access Gateway: Authorization for the type of policy.

  4. Specify the following details:

    Description: (Optional) Describe the purpose of this rule.

    Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and the lowest priority is 10. If two rules have the same priority, a Deny rule is applied before a Permit rule.

  5. In the Condition Group 1 section, click New, then select one of the following:

    • Authentication Contract: Allows you to control access based on the contract the user used for login. See Authentication Contract Condition.

    • Client IP: Allows you to control access based on the IP address of the client making the request. See Client IP Condition.

    • Credential Profile: Allows you to control access based on the credentials the user specified during authentication. See Credential Profile Condition.

    • Current Date: Allows you to control access based on the date of the request. See Current Date Condition.

    • Day of Week: Allows you to control access based on the day the request is made. See Day of Week Condition.

    • Current Day of Month: Allows you to control access based on the month the request is made. See Current Day of Month Condition.

    • Current Time of Day: Allows you to control access based on the time the request was made. See Current Time of Day Condition.

    • HTTP Request Method: Allows you to control access based on the request method. See HTTP Request Method Condition.

    • LDAP Attribute: Allows you to control access based on the value of an LDAP attribute. See LDAP Attribute Condition.

    • LDAP OU: Allows you to control access based on the value of an LDAP organizational unit. See LDAP OU Condition.

    • Liberty User Profile: Allows you to control access based on the value of a Liberty attribute. See Liberty User Profile Condition.

    • Roles: Allows you to control access based on the roles a user has been assigned. See Roles Condition.

    • Risk Score: Allows you to define a condition group as part of the authorization policy that uses the risk score from Identity Server to protect a resource. See Risk Score.

    • URL: Allows you to control access based on the URL in the request. See URL Condition.

    • URL Scheme: Allows you to control access based on the scheme in the URL of the request (for example, HTTP or HTTPS). See URL Scheme Condition.

    • URL Host: Allows you to control access based on the hostname in the URL of the request. See URL Host Condition.

    • URL Path: Allows you to control access based on the path in the URL of the request. See URL Path Condition.

    • URL File Name: Allows you to control access based on the filename in the URL of the request. See URL File Name Condition.

    • URL File Extension: Allows you to control access based on the file extension in the URL of the request. See URL File Extension Condition.

    • Virtual Attribute: Allows you to control access based on the value of the virtual attribute. See Virtual Attribute Condition.

    • X-Forwarded-For IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. See X-Forwarded-For IP Condition.

    • Condition Extension: (Conditional) If you have loaded and configured an authorization condition extension, this option specifies a condition that is evaluated by an outside source. This outside source returns either True or False. See the documentation that came with the extension for information about what is evaluated.

    • Data Extension: (Conditional) If you have loaded and configured an authorization data extension, this option specifies the value that the extension retrieves. You can then select to compare this value with an LDAP attribute, a Liberty User Profile attribute, a Data Entry Field, or another Data Extension. For more information, see the documentation that came with the extension.

  6. To add multiple conditions to the same rule, either add a condition to the same condition group or create a new condition group. For information about how conditions and condition groups interact with each other, see Using Multiple Conditions.

  7. In the Actions section, select one of the following:

    • Permit: Allows the user to access the resource.

    • Redirect: Specify the URL to which you want users redirected when they meet the conditions of this policy.

      To add a query parameter to the redirected URL when accessing a protected resource with a query parameter, append the configuration with?@@@.

      Example: You are accessing a protected resource with URL: https://www.agcluster.com:443/?q=%2Fm%2F030q7&date=now%207-d and you want to append a query parameter q=%2Fm%2F030q7&date=now%207-d to the redirected URL. To achieve this, configure the redirect URL as https://trends.google.com/trends/explore?@@@.

    • Re-authenticate with Contract: Select the action to be performed after execution of the rule. If you select Re-authenticate with Contract, select the contract to be used.

      NOTE:If Redirect is configured as an Authorization policy action and you attempt to configure Re-authenticate with Contract option instead of Redirect, no contracts are displayed.

      To workaround this issue, Select Permit or Deny and then select Re-authenticate with Contract. The list of contracts are displayed

    • Deny: Select one of the following deny actions:

      Display Default Deny Page: Displays a generic message, indicating that the user has insufficient rights to access the resource.

      Deny Message: Allows you to provide a customized message that is displayed to users who are denied access.

      Redirect to URL: Allows you to specify a URL that users are redirected to when they are denied access. For example:

      http://www.novell.com
    • Action Extension (Permit): Select an action from the list of permit extensions. This action permits access to the resource and performs the additional action that the extension is designed to perform. If an action extension is not available, see Adding Policy Extensions for information about uploading, configuring, and importing extensions.

    • Action Extension (Deny): Select an action from the list of deny extensions. This action denies access to the resource and performs the additional action that the extension is designed to perform. If a deny extension is not available, see Adding Policy Extensions for information about uploading, configuring, and importing extensions.

  8. (Conditional) If you have installed an action obligation extension, click New and select the action. This causes the extension to perform the specified action whenever a user matches the conditions of this rule. This type of action is usually configured in addition to a permit or deny action. If the obligation option is not available, see Adding Policy Extensions for information about uploading, configuring, and importing extensions.

  9. Click OK > OK > Apply Changes.

  10. Assign the policy to a protected resource. See Assigning an Authorization Policy to a Protected Resource.