Symantec Access Management

  • 1.  PERL API - how to get the responses of a rule within a policy

    Posted Aug 01, 2016 05:21 AM

    In the CA SSO Policy Server Perl API there is a method to set the response for a rule within a specific policy.

     

    If I want to read the responses from a specific policy within a specific domain, how can I do this?

     

    code snippet:

    ...
    @policies = $d->GetAllPolicies();
    foreach $policy (@policies) {
        print "  POLICY  : " . $policy->Name() . " DESC: " . $policy->Description() . "\n";
        @rules = $policy->GetAllRules();
        foreach $rule (@rules) {
            print "    RULE  : " . $rule->Name() . " DESC: " . $rule->Description() . "\n";
            # missing HOW TO DISPLAY THE ASSOCIATED RESPONSES OF THAT RULE HERE
        }
    }
    ...



  • 2.  Re: PERL API - how to get the responses of a rule within a policy

    Broadcom Employee
    Posted Aug 01, 2016 12:57 PM

    CDemuth,
    I built this off the sample domains and realms perl script provided OOTB adding some additional methods for the response values and displaying this in a text file. You will need to change the connection information for your policy server.

    use warnings;
    use Netegrity::PolicyMgtAPI;

    my @resources;
    $destFile = "DomainsRealms.txt";
    open(DEST, ">" . $destFile) || die "Open file error: $!";
    print DEST "Domains and Domain Realms for your domain.\n";
    print DEST "Printed " . scalar(localtime) . "";

    # Connect to the policy server (change the credentials for your environment)
    $policyapi = Netegrity::PolicyMgtAPI->New();
    $session = $policyapi->CreateSession("siteminder", "*PW*");
    die "Could not create a policy server session\n" unless defined $session;

    @domains = $session->GetAllDomains();
    foreach $domain (@domains) {
        print DEST "\n\nDomain " . $domain->Name() . ":";
        @userDirs = $domain->GetUserDirSearchOrder();
        @policies = $domain->GetAllPolicies();
        foreach $userDir (@userDirs) {
            print DEST "\n Domain Directories are: " . $userDir->Name();
            foreach $policy (@policies) {
                print DEST "\n Domain Policies are: " . $policy->Name();
                @realms = $domain->GetAllRealms();
                foreach $realm (@realms) {
                    print DEST "\n  Realm " . $realm->Name();
                    print DEST "\n Realm Description " . $realm->Description();
                    print DEST "\n Resource filter is " . $realm->ResourceFilter();
                    @rules = $realm->GetAllRules();
                    foreach $rule (@rules) {
                        print DEST "\n Rules Name is " . $rule->Name();
                        print DEST "\n Rule Action is " . $rule->Action();
    #                   print DEST "\n Rule Description is " . $rule->Description();
                        # All responses defined in the domain (the call is on $domain, not $rule)
                        @responses = $domain->GetAllResponses();
                        foreach $response (@responses) {
                            print DEST "\n Response is " . $response->Name();
                        }
                    }
                }
            }
        }
    }
    close(DEST);
    print "\nDomain and realm report written to " . $destFile . "\n";



  • 3.  Re: PERL API - how to get the responses of a rule within a policy

    Posted Aug 02, 2016 02:46 AM

    Hi rusad02,

     

    thanks for your response! My PERL code also got that far, but as you know there are policies within a SiteMinder domain and inside of these policies there are rules bound to responses. When you code:

     

    @responses=$domain->GetAllResponses()

     

    then you will (as it says) get ALL responses of a domain - and not their relationships to policies and rules, and not if they are used at all.

     

    Cheers,

    Christian



  • 4.  Re: PERL API - how to get the responses of a rule within a policy

    Broadcom Employee
    Posted Aug 02, 2016 08:27 AM

    CDemuth,

     

    Did you load the code that I had given in the chat? When I run this I get my Domains listed individually with the policy, the realm, the rule and the response to the rule listed.

     

    Please see this screen shot for a view of what I mean:

    Screen Shot 2016-08-02 at 8.24.16 AM.png



  • 5.  Re: PERL API - how to get the responses of a rule within a policy

    Posted Aug 03, 2016 08:50 AM

    No, that script doesn't work, sorry. It lists ALL responses for EVERY policy within a domain, which in our case is not correct:

    ...
    Realm SAP:/sap
    Realm Description
    Resource filter is /sap
    Rules Name is SAP:/sap
    Rule Action is Get,Post,Put
    Response is SAP
    Response is 6AA
    Response is PWM
    Response is 1MA
    Response is 6WA
    Response is PAS
    Response is INM
    Response is SPV
    Response is PWS
    Response is SBA
    Response is BIB
    Response is 6AI
    Response is BM_
    Response is PHC
    Response is HIA
      Realm CUSTOM:BM_:/bm_
    Realm Description BM0, BM1
    Resource filter is /bm_
    Rules Name is BM_:/bm_
    Rule Action is Get,Post,Put
    Response is SAP
    Response is 6AA
    Response is PWM
    Response is 1MA
    Response is 6WA
    Response is PAS
    Response is INM
    Response is SPV
    Response is PWS
    Response is SBA
    Response is BIB
    Response is 6AI
    Response is BM_
    Response is PHC
    Response is HIA
    ...

    The Realm SAP only has 1 response - wickedly named SAP. BM_ has one response called BM_, etc. I strongly believe that the PERL API is incomplete here, as there is no mechanism to READ the responses per rule per domain, but there is a mechanism to WRITE it.

     

    regards,

    Christian



  • 6.  Re: PERL API - how to get the responses of a rule within a policy
    Best Answer

    Posted Aug 03, 2016 08:22 PM

    Hi Christian Demuth,

     

    Unfortunately, there is no PERL API to get the response/response group tied to a specific rule under a Policy.

     

    There is a SetResponse() method, but not the corresponding GetResponse().

    SetResponse Method Sets the Response for a Configured Rule in the Policy

     

    I would suggest creating an "Idea" for this enhancement request.

    If you are okay with using the Java SDK, then it already has this capability:

    CA SiteMinder SDK r12.52sp1

    SmPolicyLink.getResponse()

     

    Java SDK is much more feature rich compared to Perl API at the moment.

     

    Cheers,

    Ujwol Shrestha