Symantec Access Management

  • 1.  Setting Priority to a Policy

    Posted Aug 21, 2015 01:22 AM

    Hello All,


    I am looking to implement a solution in which there are 2 policies created with the set of user groups used to authenticate, for example:

    Policy 1   ->Has-> User Group 1

    Policy 2   ->Has-> User Group 2


    There are a number of users present in User Group 1 and User Group 2, and some users are overlapping between the 2 user groups, i.e. present in both of them.


    I need to implement a solution in which, if a user is present in user group 1 as well as user group 2, then for that user Policy 1 should be triggered and not Policy 2. How can we set this priority? How does SiteMinder determine which policy to go to for authentication?



  • 2.  Re: Setting Priority to a Policy

    Posted Aug 22, 2015 11:26 PM

    Ankur Ankur-Taneja

     

    SiteMinder never uses Policy for Authentication. Policy is only used for Authorization.

    So I am assuming the final solution would look like this.

    Policy-1 -> Has -> User isMemberOf(Group1).

    Policy-2 -> Has -> User isMemberOf(Group2).

    Policy-3 -> Has -> User isMemberOf(Group1 && Group2).

    Note : All 3 Policy would have the "same" GET, POST, PUT Rule in it.

    Some tips to try

    1. Option-1 : If we are using the Policy Domain Model, it may be as simple as the USE CASE described below.
    2. Option-2 : If we are using the Policy Domain Model, we could try using VARIABLES and EXPRESSIONS, then use them in the Policy.
    3. Option-3 : The last alternative would be to use an add-on module called SMWALKER from CA Global Delivery (separate license and support SLA). SMWALKER can fit as an Active Policy Wedge into the SiteMinder Policy layer. It is a very good module which should be able to fulfill this requirement. We could download it from the CA Support Site for a 30-day trial to try out the solution.

    Having said the above, I ran a quick sanity check on your last query "How does SiteMinder determine which policy to go to?". I wasn't able to get a definitive why. However, my findings showed me that BOTH policies fired and responses from both policies were returned. I had different sets of responses attached to Policy1 and Policy2, but the same GET, POST, PUT rule. I would have assumed the best-match policy to be applicable. However, that did not happen; instead both policies were applied. So my question back to you: assuming this is as per design (that all applicable policies fire, rather than the best evaluated one), does it hamper your requirement / end goal?

    USE CASE
    Policy-1 -> User belongs to Group0 -> RuleA -> Response1.

    Policy-2 -> User's cn matches HUBERT -> RuleB -> Response2.

    NOTE : Two users, HUBERT and JOE, both belong to Group0.

    Login as Joe : Only Response1 should fire : Matches expected result.

    Login as Hubert : Only Response2 should fire : Did not match, or maybe it is as per design : Both policies fire and both responses are returned. See below.

    [08/22/2015][23:04:33.794][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][][Authorizing user...][][wa_smtest][][HUBERT][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1409][CSmAz::IsOk][][Enter function CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1447][CSmAz::IsOk][][Start of user policy analysis for realm.][][][][HUBERT][][pd_application1_realm][pd_application1][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_acceptPolicy][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1588][CSmAz::IsOk][][Check the Rule][][][][][][][pd_application1][][][pd_application1_rule][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:666][CSmAz::TestRule][][Enter function CSmAz::TestRule][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:771][CSmAz::TestRule][][Leave function CSmAz::TestRule][][][][][][][][][][][][][][true][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:778][CSmAz::TestPolicy][][Enter function CSmAz::TestPolicy][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:797][CSmAz::TestPolicy][][Evaluating policy...][][][][][][][pd_application1][][pd_application1_acceptPolicy][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1214][CSmAz::TestPolicy][][Leave function CSmAz::TestPolicy][][][][][][][][][][][][][][true][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_acceptPolicy][pd_application1_rule][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1545][CSmAz::IsOk][][Check the Policy.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1588][CSmAz::IsOk][][Check the Rule][][][][][][][pd_application1][][][pd_application1_rule][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:666][CSmAz::TestRule][][Enter function CSmAz::TestRule][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:771][CSmAz::TestRule][][Leave function CSmAz::TestRule][][][][][][][][][][][][][][true][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:778][CSmAz::TestPolicy][][Enter function CSmAz::TestPolicy][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:797][CSmAz::TestPolicy][][Evaluating policy...][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmDsUser.cpp:890][CSmDsUser::ResolvePolicyObject][][Enter function CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmDsObj.cpp:94][CSmDsObj::IsValid][][Start of call IsValid.][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmDsObj.cpp:96][CSmDsObj::IsValid][][Return from call IsValid.][][][][][][][][][][][][][][true][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmDsUser.cpp:898][CSmDsUser::ResolvePolicyObject][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=HUBERT,ou=OrgUnit0,dc=ca,dc=com', filter: '(cn=HUBERT)', type: 3, recursive: No][][][]

    [08/22/2015][23:04:33.794][SmDsLdapProvider.cpp:2549][CSmDsLdapProvider::SearchCount][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=HUBERT,ou=OrgUnit0,dc=ca,dc=com', Filter: '(cn=HUBERT)'. Status: 1 entries][][][]

    [08/22/2015][23:04:33.794][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][Return from call HasRelationship.][][][][][][][][][][][][][][1][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmDsUser.cpp:914][CSmDsUser::ResolvePolicyObject][][Leave function CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1214][CSmAz::TestPolicy][][Leave function CSmAz::TestPolicy][][][][][][][][][][][][][][true][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][pd_application1_rule][][][][][][][][][][][][][]

    [08/22/2015][23:04:33.794][SmAuthorization.cpp:1935][CSmAz::Process_Response_List][][Enter function CSmAz::Process_Response_List][][][][][][][][][][][][][][][][][][][][][][][]

    Regards

    Hubert
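    A small parser for the trace format quoted above, added here as an example and not part of the original thread: it reads policy-server trace lines, tracks the user being authorized, and lists every policy the server declared applicable for that request, so overlapping policies (several firing for one user, as happened for HUBERT) can be spotted in bulk. Field positions (9 = user, 12 = domain, 14 = policy, 15 = rule) are inferred from the quoted lines; the sample trace is constructed from them with the run of trailing empty fields shortened.

```python
"""Find users for whom more than one SiteMinder policy fired, from trace lines.
Added example; field indexes are an assumption inferred from the quoted trace."""
from collections import defaultdict

# Constructed sample modelled on the quoted trace (trailing empty fields trimmed).
SAMPLE_TRACE = """\
[08/22/2015][23:04:33.794][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][][Authorizing user...][][wa_smtest][][HUBERT][][pd_application1_realm][pd_application1][][][][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_acceptPolicy][pd_application1_rule][]
[08/22/2015][23:04:33.794][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_policy_hubertAccessOnly][pd_application1_rule][]
[08/22/2015][23:05:01.120][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][][Authorizing user...][][wa_smtest][][JOE][][pd_application1_realm][pd_application1][][][][]
[08/22/2015][23:05:01.121][SmAuthorization.cpp:1748][CSmAz::IsOk][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][pd_application1][][pd_application1_acceptPolicy][pd_application1_rule][]
"""

APPLICABLE = "Policy is applicable. Rule is applicable. Get Responses."


def parse_fields(line):
    """Split one trace line into its bracketed fields (assumes no ']' inside a field)."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    return line[1:-1].split("][")


def applicable_policies(trace):
    """Map each authorized user to the ordered (domain, policy, rule) triples
    the policy server declared applicable during that user's request."""
    result = defaultdict(list)
    user = None
    for raw in trace.splitlines():
        f = parse_fields(raw)
        if f is None or len(f) < 16:
            continue                      # not a trace line, or too short
        if f[5] == "Authorizing user...":
            user = f[9]                   # a new authorization request starts
        elif f[5] == APPLICABLE and user:
            result[user].append((f[12], f[14], f[15]))
    return dict(result)


def overlapping_users(trace):
    """Users for whom several policies fired on one request: the responses of
    all of them are returned together, so these are the overlaps to review."""
    return {u: [p for _, p, _ in hits]
            for u, hits in applicable_policies(trace).items() if len(hits) > 1}
```

    Run against a real smtracedefault-style trace, the dictionary returned by overlapping_users lists exactly the users whose group memberships match more than one policy.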



  • 3.  Re: Setting Priority to a Policy

    Posted Aug 23, 2015 08:57 PM

    Hi Ankur-Taneja,

    • User Policies don't have an option to specify a priority.
    • All Policies will be evaluated every time to see if they are applicable for the currently logged-in user and for the particular requested resource.
    • All Policies which match the condition (rules & user) will get executed. There is no option to NOT execute Policy 2 if Policy 1 has already been executed.

    So unfortunately, we currently don't have an option to satisfy your use case with OOTB SiteMinder configuration.

    Cheers,

    Ujwol Shrestha



  • 4.  Re: Setting Priority to a Policy

    Posted Aug 30, 2015 08:19 PM

    Hi ankur.taneja,

    Does our previous response clarify your concern here?

    Do you need any further clarification/assistance on this?

    Cheers,

    Ujwol