Ankur Ankur-Taneja
SiteMinder never uses Policy for Authentication. Policy is only used for Authorization.
So I am assuming the final solution would look like this.
Policy-1 -> Has -> User isMemberOf(Group1).
Policy-2 -> Has -> User isMemberOf(Group2).
Policy-3 -> Has -> User isMemberOf(Group1 && Group2).
Note: All 3 policies would have the "same" GET, POST, PUT rule in them.
Some tips to try
- Option-1: If we are using the Policy Domain Model, it may be as simple as the USECASE described below.
- Option-2: If we are using the Policy Domain Model, we could try using VARIABLES and EXPRESSIONS, then use them in the policy.
- Option-3: The last alternative would be to use an add-on module called SMWALKER from CA Global Delivery (separate license and support SLA). SMWALKER can fit as an Active Policy Wedge into the SiteMinder policy layer. It is a very good module which should be able to fulfill this requirement. We could download it from the CA Support Site for a 30-day trial to try out the solution.
Having said the above, I ran a quick sanity check on your last query "How does SiteMinder determine which policy to go to?". I wasn't able to get a definitive why. However, my findings showed me that BOTH policies fired and responses from both policies were returned. I had different sets of responses attached to Policy1 and Policy2, but the same GET, POST, PUT rule. I would have assumed the best-match policy to be applicable. However, that did not happen; instead both policies were applied. So my question back to you: assuming this is as per design (that all applicable policies fire, rather than only the best-evaluated one), does it hamper your requirement / end goal?
USECASE
Policy-1 -> User belongs to Group0 -> RuleA -> Response1.
Policy-2 -> User's cn matches HUBERT -> RuleB -> Response2.
NOTE: Two users, HUBERT and JOE, both belong to Group0.
Login as Joe: Only Response1 should fire: Matches expected result.
Login as Hubert: Only Response2 should fire: Did not match, or maybe it is as per design: both policies fire and both responses are returned. See below.
[08/22/2015][23:04:33.794][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][][Authorizing user...][][wa_smtest][][HUBERT][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1409][CSmAz::IsOk][][Enter function CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1447][CSmAz::IsOk][][Start of user policy analysis for realm.][][][][HUBERT][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_acceptPolicy][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1588][CSmAz::IsOk][][Check the Rule][][][][][][][pd_application1][][][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:666][CSmAz::TestRule][][Enter function CSmAz::TestRule][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:771][CSmAz::TestRule][][Leave function CSmAz::TestRule][][][][][][][][][][][][][][true][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:778][CSmAz::TestPolicy][][Enter function CSmAz::TestPolicy][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:797][CSmAz::TestPolicy][][Evaluating policy...][][][][][][][pd_application1][][pd_application1_acceptPolicy][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1214][CSmAz::TestPolicy][][Leave function CSmAz::TestPolicy][][][][][][][][][][][][][][true][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_acceptPolicy][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1588][CSmAz::IsOk][][Check the Rule][][][][][][][pd_application1][][][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:666][CSmAz::TestRule][][Enter function CSmAz::TestRule][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:771][CSmAz::TestRule][][Leave function CSmAz::TestRule][][][][][][][][][][][][][][true][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:778][CSmAz::TestPolicy][][Enter function CSmAz::TestPolicy][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:797][CSmAz::TestPolicy][][Evaluating policy...][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmDsUser.cpp:890][CSmDsUser::ResolvePolicyObject][][Enter function CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmDsObj.cpp:94][CSmDsObj::IsValid][][Start of call IsValid.][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmDsObj.cpp:96][CSmDsObj::IsValid][][Return from call IsValid.][][][][][][][][][][][][][][true][][][][][][][][][]
[08/22/2015][23:04:33.794][SmDsUser.cpp:898][CSmDsUser::ResolvePolicyObject][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=HUBERT,ou=OrgUnit0,dc=ca,dc=com', filter: '(cn=HUBERT)', type: 3, recursive: No][][][]
[08/22/2015][23:04:33.794][SmDsLdapProvider.cpp:2549][CSmDsLdapProvider::SearchCount][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=HUBERT,ou=OrgUnit0,dc=ca,dc=com', Filter: '(cn=HUBERT)'. Status: 1 entries][][][]
[08/22/2015][23:04:33.794][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][Return from call HasRelationship.][][][][][][][][][][][][][][1][][][][][][][][][]
[08/22/2015][23:04:33.794][SmDsUser.cpp:914][CSmDsUser::ResolvePolicyObject][][Leave function CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1214][CSmAz::TestPolicy][][Leave function CSmAz::TestPolicy][][][][][][][][][][][][][][true][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1935][CSmAz::Process_Response_List][][Enter function CSmAz::Process_Response_List][][][][][][][][][][][][][][][][][][][][][][][]
Regards
Hubert
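A way to confirm from the trace which policies actually produced responses, as an added example that is not part of the original post and not CA SiteMinder code: the Python below parses the bracket-delimited Policy Server trace lines quoted above and lists, per user and realm, the policies that were evaluated ("Check the Policy.") and the ones that reached "Get Responses". The HUBERT lines are copied from the post; the JOE lines are constructed to mirror the "Login as Joe" case and are not real Policy Server output. The field positions used (message at index 5, user at 9, realm at 11, policy at 14, rule at 15) are inferred from the quoted lines and are an assumption about this trace layout.

```python
"""List which SiteMinder policies fired per authorization request, from a trace.

Added example, not from the original post or from CA SiteMinder. It parses the
square-bracket, fixed-column trace format shown in the post. Field indices are
inferred from the quoted lines (assumption): 5 = message, 9 = user,
11 = realm, 12 = application/domain, 14 = policy, 15 = rule.
"""
from collections import OrderedDict

# Sample trace (constructed input). The HUBERT lines are copied from the post;
# the JOE lines are fabricated to mirror the post's "Login as Joe" case, where
# only the group policy fires, and are not real Policy Server output.
TRACE = """\
[08/22/2015][23:04:33.794][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][][Authorizing user...][][wa_smtest][][HUBERT][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1447][CSmAz::IsOk][][Start of user policy analysis for realm.][][][][HUBERT][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_acceptPolicy][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_acceptPolicy][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][][][][][][][][][][][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:05:10.102][SmAuthorization.cpp:1447][CSmAz::IsOk][][Start of user policy analysis for realm.][][][][JOE][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]
[08/22/2015][23:05:10.102][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_acceptPolicy][][][][][][][][][][][][][][]
[08/22/2015][23:05:10.102][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_acceptPolicy][pd_application1_rule][][][][][][][][][][][][][]
[08/22/2015][23:05:10.102][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][][][][][][][][][][][][][][]
"""

START = "Start of user policy analysis for realm."
CHECK = "Check the Policy."
FIRED = "Policy is applicable. Rule is applicable. Get Responses."

MSG, USER, REALM, POLICY, RULE = 5, 9, 11, 14, 15  # assumed column layout


def parse_fields(line):
    """Split one trace line into its bracketed fields; empty brackets become ''.

    Returns None for anything that is not a bracket-delimited trace line.
    """
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    return line[1:-1].split("][")


def field(fields, index):
    """Column accessor that tolerates short lines instead of raising IndexError."""
    return fields[index] if index < len(fields) else ""


def policies_fired(trace):
    """Map (user, realm) -> {'evaluated': [...], 'fired': [(policy, rule), ...]}.

    A new request starts at each "Start of user policy analysis" line; the
    policy lines that follow are attributed to the most recent request, so
    lines before the first such marker (e.g. "Authorizing user...") are skipped.
    """
    requests = OrderedDict()
    current = None
    for raw in trace.splitlines():
        fields = parse_fields(raw)
        if fields is None:
            continue
        msg = field(fields, MSG)
        if msg == START:
            current = (field(fields, USER), field(fields, REALM))
            requests.setdefault(current, {"evaluated": [], "fired": []})
        elif current is not None and msg == CHECK:
            requests[current]["evaluated"].append(field(fields, POLICY))
        elif current is not None and msg == FIRED:
            requests[current]["fired"].append((field(fields, POLICY), field(fields, RULE)))
    return requests


def multi_policy_users(requests):
    """Users for whom more than one policy produced responses on a single request."""
    return [user for (user, _realm), r in requests.items() if len(r["fired"]) > 1]


if __name__ == "__main__":
    summary = policies_fired(TRACE)
    for (user, realm), r in summary.items():
        fired = [policy for policy, _rule in r["fired"]]
        print(f"{user}@{realm}: evaluated={r['evaluated']} fired={fired}")
    print("users with responses from more than one policy:", multi_policy_users(summary))
```

Run as a script it prints one summary line per request; `multi_policy_users` flags the requests where more than one policy contributed responses, which is the additive behaviour the post observed for HUBERT. If that behaviour holds, the three-policy design above would give a user who is in both Group1 and Group2 the responses of Policy-1, Policy-2 and Policy-3 together, so it is worth running the same check against a trace of that design before relying on Policy-3 alone.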