Symantec Access Management

  • Private Community

  • 1.  How are Policies applied to Sub-Realms?

    Posted Jun 01, 2017 12:30 PM

    Hello,

     

    I currently have a Realm tied to a policy

    mydomain.com/realm1    ----> tied to Policy 1

    I then made a sub-realm

    mydomain.com/realm1/subrealm1   ---> the sub realm is tied to Policy 2

     

    When a user goes to "mydomain.com/realm1/subrealm1", do they have to qualify for both Policy 1 and Policy 2? 

     

    Or will only the Policy 2 check be run?  What I want is for only Policy 2 to be checked, but I don't think that is happening.  I want a group of users to have access to just the sub-realm and NOT the parent realm. 

     

    Is that possible?

     

    thanks



  • 2.  Re: How are Policies applied to Sub-Realms?
    Best Answer

    Posted Jun 02, 2017 03:42 AM

    Hi Phillips,

     

    That's right. 

     

    For the nested realm, the user need to qualify policy tied to all the parent realm as well beside it's own realm.

     

    Let's illustrate this a bit further.

    So your use case is :

     

    Realm 1 : /parent/ ,

    Policy : Allow user : user1

     

    Sub Realm : /parent/child/

    Policy : Allow user : user 2

     

    Here, user2 will NOT be authorized for the sub realm as it is NOT authorized for the parent realm which will be checked first.

     

    However, you can achieve this by having two independent realm like this :

     

    Realm 1 : /parent/ ,

    Policy : Allow user : user1

     

    Realm2 : /parent/child/

    Policy : Allow user : user 2

     

    In this case, Policy server will match the realm with the more specific resource filter, as such it will evaluate only Realm 2 and the user2 will be authorized for the /parent/child/ resource.

     

    Hope this helps.

     

    Regards,

    Ujwol



  • 3.  Re: How are Policies applied to Sub-Realms?

    Posted Jun 02, 2017 10:59 AM

    Thank you, answered my question!