Symantec Access Management

  • 1.  FSS Admin UI and WAMUI - SiteMinder registry

    Posted Jan 06, 2014 07:58 PM

    How does the FSS Admin UI and WAMUI pull this off without having to add anything to the SiteMinder registry?

    Can I add an LDAP group to the Policy instead of adding every user individually?



  • 2.  Re: FSS Admin UI and WAMUI - SiteMinder registry

    Broadcom Employee
    Posted Jul 28, 2014 11:06 AM

    Unclear what you mean by pulling off.

    The registry contains information on how SiteMinder can view objects. It uses the standard schema or most common objectclasses to find users, groups and OUs; in most cases no editing of the registry is required.

    If you have a completely customized schema you may need to edit the registry to see and find these objects in Admin.

    Example of where to add them:


    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilter

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\OrgClassFilters

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters



  • 3.  Re: FSS Admin UI and WAMUI - SiteMinder registry
    Best Answer

    Posted Jul 28, 2014 12:47 PM

    In the Admin UI, when specifying Authorized Users in a Policy, the word "All" can be used to authorize all authenticated users. Using the SiteMinder Policy Management API (Netegrity::PolicyMgtAPI module in Perl), there isn't anything documented that states how to programmatically achieve the same functionality of authorizing all authenticated users.

    I created a script to print out the configuration of a Policy that allows "All" users.  It looks like the query that is executed when All is specified is (ObjectClass=*)