The policy action specifies the role to which the user is assigned. Roles are activated at the time the role policy is evaluated. Select one of the following actions:
Select Activate Role when you want to specify a name for the role. If you are creating a role that needs to be injected into an HTTP header, use the same capitalization format as the web server expects. For example, if the web server expects an Employee role with an initial capital, name your role Employee.
To use the same conditions to activate multiple roles, select Activate Role for each role you want to specify.
Select Activate Selected Role when you want to obtain the role value from an external source. Select one of the following:
LDAP Attribute: If you have an LDAP attribute that is a role, select the attribute from the list. If the attribute is not in the list, select New LDAP Attribute to add it to the list.
LDAP Group: Activates a role based on an LDAP Group attribute. Select either [Current] or browse to the DN of the group by selecting Identity Server and User Store. The value for this option is the DN of the group. If you select [Current], the value can be a list of the groups the user belongs to. The [Current] value makes the DN of each group in the attribute into a role.
If you choose to browse to the DN of the group and your tree contains more than 250 groups, you are prompted to enter an LDAP query string. In the text box, you need to add only the <strFilter> value for the query. For example:

| <strFilter> Value | Description |
|---|---|
| admin* | Returns all groups that begin with admin, such as adminPR, adminBG, and adminWTH. |
| *test | Returns all groups that end with test, such as doctest, softtest, and securtest. |
| *low* | Returns all groups that have “low” in the name, such as low, yellow, and clowns. |
For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.”
This action does not query all the static and dynamic groups on the LDAP server to see if the user belongs to them, but uses the user’s group membership attribute to create the list. If you want to use this longer query, you need to create a policy extension. For a sample extension that does this, see Access Manager SDK Sample Code.
LDAP OU: Activates a role based on the Organizational Unit in the user’s DN. Select either [Current] or browse to the DN of the OU by selecting Identity Server and User Store. The value for this option is the DN of the OU.
If you choose to browse to the DN of the OU and your tree contains more than 250 OUs, you are prompted to enter an LDAP query string. In the text box, you need to add only the <strFilter> value for the query. For example:

| <strFilter> Value | Description |
|---|---|
| admin* | Returns all OUs that begin with admin, such as adminPR, adminBG, and adminWTH. |
| *test | Returns all OUs that end with test, such as doctest, softtest, and securtest. |
| *low* | Returns all OUs that have “low” in the name, such as low, yellow, and clowns. |
For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.”
Liberty User Profile: If you have a Liberty attribute that is a role, select the attribute from the list.
Data Extension: If you have created a data extension that calculates a set of roles, select the extension. For information about creating such an extension, see Access Manager SDK Sample Code.
If the source contains multiple values, select the format that is used to separate the values.
If the value is a distinguished name, select the format of the DN.
Figure 6-3 shows how to assign an LDAP Group, cn=DocGroup,o=novell, as a role.
Figure 6-3 Activating a Role from an External Source
To use the same conditions to activate multiple roles from different sources, select Activate Selected Role for each role you want to activate.
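As an added illustration, not code from the Access Manager documentation or product, the following Python shows how the <strFilter> patterns in the group and OU tables above behave under RFC 2254 substring semantics, and how the [Current] option turns each group DN in the user's membership attribute into a role name. The sample group DNs, the cn attribute name and all helper names are assumptions.

```python
import re

# Constructed sample of group DNs; not taken from any real directory.
SAMPLE_GROUP_DNS = [
    "cn=adminPR,o=novell", "cn=adminBG,o=novell", "cn=adminWTH,o=novell",
    "cn=doctest,o=novell", "cn=softtest,o=novell", "cn=securtest,o=novell",
    "cn=low,o=novell", "cn=yellow,o=novell", "cn=clowns,o=novell",
    "cn=DocGroup,o=novell",
]

def strfilter_to_ldap_filter(attr, pattern):
    """Wrap the <strFilter> value in an RFC 2254 filter, e.g. 'admin*' -> '(cn=admin*)'.
    Parentheses, backslash and NUL are escaped; '*' is kept as the wildcard."""
    escaped = "".join("\\%02x" % ord(ch) if ch in "()\\\0" else ch for ch in pattern)
    return "(%s=%s)" % (attr, escaped)

def substring_match(pattern, value):
    """RFC 2254 substring semantics: each '*' matches any run of characters.
    The comparison is case-insensitive, as for the LDAP cn attribute (assumed)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def filter_groups(group_dns, pattern, attr="cn"):
    """Return the DNs whose leading RDN uses `attr` and matches the pattern.
    Constructed helper: the console sends this query to the LDAP server instead."""
    matches = []
    for dn in group_dns:
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_attr.lower() == attr.lower() and substring_match(pattern, rdn_value):
            matches.append(dn)
    return matches

def roles_from_current(membership_values):
    """[Current]: each group DN in the user's group membership attribute becomes
    a role name; no static or dynamic groups on the server are queried."""
    return [dn.strip() for dn in membership_values if dn.strip()]

if __name__ == "__main__":
    for pattern in ("admin*", "*test", "*low*"):
        print(strfilter_to_ldap_filter("cn", pattern),
              filter_groups(SAMPLE_GROUP_DNS, pattern))
    print(roles_from_current(["cn=DocGroup,o=novell", "cn=low,o=novell"]))
```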