Configure Access Roles

Access roles enable centralized management of user privileges in external applications that CA SSO has secured. Identity Manager administrators can create and assign roles in the Identity Manager User Console that determine which applications outside of Identity Manager users can access. For example, a Role Administrator may create roles in the User Console that control access to a finance application and may grant the ability to assign the roles to the Help Desk administrator. The Help Desk administrator can assign or revoke that role through the User Console.
Access roles are enabled through integration with CA SSO. CA SSO associates roles with policies to determine which users can access a protected resource and to deliver user-specific roles and task information to protected resources.
Access roles require configuration in Identity Manager and CA SSO. Two administrators are involved:
  • The Identity Manager administrator creates access roles and tasks in Identity Manager. The default System Manager and Access Role Manager roles include these tasks.
  • The CA SSO administrator manages System and Domain objects in CA SSO. The CA SSO administrator must have System scope.
    Note: For more information, see .
The following procedure outlines the steps to create an access role. Review these steps before configuring access roles for use with CA SSO.
  1. The Identity Manager administrator completes the following tasks:
    1. Enables access roles and tasks for use with CA SSO.
    2. Creates access tasks.
    3. Creates an access role.
    4. Communicates role and task information to the CA SSO administrator for creating CA SSO role-based access control policies.
  2. The CA SSO administrator creates a role-based access control policy by completing the following steps:
    1. Assigning a user directory that is associated with one or more Identity Manager environments to a Policy Domain.
    2. Associating one or more Identity Manager environments with the Policy Domain in step 1.
    3. Creating realms and rules in the Policy Domain (if they do not exist). The realms and rules must correspond to the resources to which the access role grants access.
    4. Creating policies and binding them to roles from the Identity Manager environment.
    5. (Optional) Specifying responses that deliver entitlement information to the protected resources.
    Note: For more information, see .
Enable Access Roles for Use with CA SSO
To use access roles with CA SSO, Identity Manager mirrors all objects in the Identity Manager object store that are related to the access roles into the CA SSO policy store. To enable access roles for use with CA SSO, configure a property in the Identity Manager Management Console.

Follow these steps:

  1. Open the Management Console.
  2. Select Environment, Your Environment, Advanced Settings, Miscellaneous.
  3. Add a property by providing the following information:
    • In the Property field, enter the following text:
      EnableSMRBAC
    • In the Value field, enter the following text:
      true
  4. Click Add. Then, click Save.
    A message appears indicating that the environment must be restarted.
  5. Click Restart Environment.
    Identity Manager now supports access roles and tasks for use with CA SSO.
Once you enable access roles for use with CA SSO, note the following points:
  • If you used access roles in Identity Manager r8x, perform an extra migration step to manage those access roles in the current version of Identity Manager. For more information, see the Upgrade documentation.
  • To disable support for access roles in CA SSO, delete the Identity Manager access role and task objects from the CA SSO policy store. Then, remove the EnableSMRBAC property from the Miscellaneous Properties list and restart the environment.
Add Access Task to Admin Role
By default, the Access tasks do not appear under the Roles and Tasks tab. You need to add the Access tasks to the Admin role of the logged-in user.

Follow these steps:

  1. Log in to an Identity Manager account with a role that includes a task for creating access roles.
  2. Click Roles and Tasks, Modify Admin Role.
  3. Select the Admin role of the logged-in user.
  4. Click the Tasks tab. In the Filter by Category field, select Roles and Tasks from the drop-down list.
  5. Select Create Access Task from the Add Task drop-down list.
  6. Click Submit.
Create an Access Task
An access task is a single action that a user can perform in a business application, such as generating a purchase order in a finance application. Users can perform that action when they are assigned an access role that includes the access task.
To create an Access task, you must first add the Access tasks to the Admin role of the logged-in user.

Follow these steps:

  1. Select Roles and Tasks, Access Tasks, Create Access Task.
  2. Select one of the following options:
    • Create an access task
    • Create a copy of an access task
  3. Complete these fields:
    • Name
      A unique name that you can assign to the task, such as Generate Purchase Order.
    • Tag
      A unique tag for the task. The tag must start with a letter or an underscore character and contain letters, numbers, or underscores only.
    • Description
      An optional note about the purpose of the task.
    • Application ID
      An identifier for an application, such as the application name associated with the task. The application ID cannot contain any spaces or nonalphanumeric characters.
      Make note of this ID; you need it when you enable the role in CA SSO.
  4. To complete the access task, click Submit.
Create an Access Role
An access role contains access tasks, which provide access to functions in an application. For example, a role may contain tasks that enable role members to place an order in a purchasing application and update quantities in an inventory control application.
You complete the following steps to create an access role:
Begin Access Role Creation

Follow these steps:

  1. Log in to an Identity Manager account with a role that includes a task for creating access roles.
  2. Click Access Roles, Create Access Role.
    Choose the option to create a role or a copy of a role. If you select Copy, search for the role.
  3. Continue with the next section, Define the Profile of an Access Role.
Define the Profile of an Access Role

Follow these steps:

  1. Enter a name and description, and complete any custom attributes defined for the role.
    Note: You can specify custom attributes on the Profile tab that provide additional information about access roles. You can use this additional information to facilitate role searches in environments that include a significant number of roles.
  2. Select Enabled if you are ready to make the role available for use when you create it.
  3. Continue with the next section, Define Member Policies for an Access Role.
Select Access Tasks for the Role
On the Tasks tab:
  1. Select the tasks to include in this role. First select the application, then the task. You can include tasks from different applications.
    Note: If another role has the tasks you need, click Copy Tasks from another role. You can edit the list that appears.
    When creating a role or task, you see icons for adding, editing, and removing items:
    1. Go forward or select the current item to view or edit it.
    2. If JavaScript is disabled, press the forward button to select from a drop-down list.
    3. Go back or undo a previous selection.
    4. Insert an element, such as a task or rule.
    5. Delete the current task or, in a rule, the expression that follows.
    6. Move the current item up in the list.
    7. Move the current item down in the list.
  2. Continue with the next section, Define Admin Policies for an Access Role.
Define Member Policies for an Access Role
A member policy defines a member rule and scope rules for a role. You can define several member policies for one role. For each policy, users who meet the condition in the member rule have the scope for using the role that is defined in the policy.

Follow these steps:

  1. Select the Members tab.
  2. Select Add to define the member policies.
  3. (Optional) On the Member Policy page, define a member rule that determines who can use this role.
    Defining a member rule automatically assigns the role to users who match the criteria in the member policy.
    Define member policies that use only directory attributes, for example: title=Manager. If you define member policies that reference objects not stored in the user directory, such as admin roles, CA SSO cannot resolve the reference.
  4. Verify that the Member Policy appears on the Members tab.
    To edit a policy, click the arrow symbol on the left. To remove it, click the minus sign icon.
  5. On the Members tab, enable the Administrators can add and remove members of this role check box.
    Once you enable this feature, you define the Add Action and Remove Action. These actions define what happens when a user is added or removed as a member of the role.
Define Admin Policies for an Access Role
An admin policy defines admin rules, scope rules, and administrator privileges for a role. You can define several admin policies for a role.

Follow these steps:

  1. Select the Administrators tab for the access role.
  2. If you want to make the Manage Administrators option available, enable the Administrators can add and remove administrators of this role check box.
    Once you enable this feature, define the actions for when a user is added or removed as an administrator of the role.
  3. On the Administrators tab, add admin policies that include admin and scope rules and administrator privileges. Each policy needs at least one privilege (Manage Members or Manage Administrators).
    You can add several admin policies with different rules and different privileges for administrators who meet the rule.
    Note: Define admin policies that use only directory attributes, for example: title=Manager. If you define admin policies that reference objects not stored in the user directory, such as admin roles, CA SSO cannot resolve the reference.
  4. To edit a policy, click the arrow symbol on the left. To remove it, click the minus sign icon.
  5. Continue with the next section, Define Owner Rules for an Access Role.
Define Owner Rules for an Access Role
An owner rule defines who can modify a role. You can define several owner rules for a role.

Follow these steps:

  1. Select the Owners tab for the access role.
  2. Define owner rules, which determine which users can modify the role.
    Note: Define owner rules that use only directory attributes, for example: title=Manager. If you define owner rules that reference objects not stored in the user directory, such as admin roles, CA SSO cannot resolve the reference.
  3. Click Submit.
    A message appears to indicate that the task has been submitted. A momentary delay may occur before a user can use the role.
Access Roles in CA SSO
To configure role-based access control to protect resources, the CA SSO administrator associates an Identity Manager environment with a Policy Domain in the Policy Server User Interface. The administrator creates a policy to protect an application and associates one or more roles with that policy. Users who have an associated role can access the protected application.
A CA SSO administrator binds roles to security policies that define how users interact with resources. Policies link with the following objects:
  • Users and User Groups: Identify the set of users that the policy affects.
  • Roles: Identify users who have been assigned a set of privileges in Identity Manager.
  • Rules: Identify a resource and the actions that are allowed or denied for the resource. The resource is typically a URL, application, or script.
  • Responses: Determine a reaction to a rule. When a rule fires, responses are returned to the CA SSO Agent. Identity Manager uses CA SSO responses to deliver specific task and role information to a protected resource.
You can bind CA SSO policies to users, to roles, or to both users and roles. When a user or role member attempts to access a protected resource, CA SSO uses the information in the policy to determine whether to grant access and which responses to trigger.
The following figure illustrates the relationship of policy objects in a role-based policy.
[Figure: relationship of policy objects in a role-based policy]
CA SSO policies are created in policy domains, which logically tie user directories to protected resources.
To supply user entitlements to a protected application, the CA SSO administrator pairs a rule in the application's policy with a response. The response contains a CA SSO generated response attribute that retrieves entitlement information from Identity Manager. The following figure shows the relationship of policy objects in a role-based policy.
[Figure: relationship of policy objects in a role-based policy]
When CA SSO authorizes a role member for a protected resource, the following events take place:
  1. The rule of a policy executes in CA SSO, triggering the paired response.
  2. The Policy Server obtains entitlement information from Identity Manager to include in a response.
  3. The Policy Server passes the response attribute to the Web Agent.
  4. The Web Agent makes the entitlement information available to the application as an HTTP header variable or a cookie.
CA SSO Generated Response Attributes
Identity Manager passes entitlement information to applications through CA SSO Web Agent responses. These responses contain HTTP header variables in response attributes, which the application can use to determine the access privileges of a user. Responses are included in CA SSO policies, which determine how users interact with a protected resource.
CA SSO administrators can configure a response that includes two types of response attributes to pass information to an application:
  • SM_USER_APPLICATION_ROLES[:application id]: Returns a list of roles that are assigned to a user.
  • SM_USER_APPLICATION_TASKS[:application id]: Returns a list of tasks a user can perform based on the roles that are assigned.
The application ID limits the requested set of roles and tasks to a specific application. For example, if you create the following response attribute:
SM_USER_APPLICATION_ROLES:Finance_application
CA SSO returns the roles that have tasks in the Finance application to the Web Agent, which then passes the information to the Finance application.

Note: The application id you supply must match an application id you supplied when you used Create Access Task in Identity Manager. If the task is not yet created, you can choose any name for the application ID, but it cannot contain any spaces or non-alphanumeric characters.
You can specify multiple application IDs in a comma-delimited list to return the set of roles and tasks from multiple applications in a single response attribute. For example, to return the list of roles that a user has in the Finance and Purchasing applications, specify the attribute as follows:
SM_USER_APPLICATION_ROLES:Finance, Purchasing
How to Enable Access Roles in CA SSO
The following steps assume that CA SSO already protects the application to which the access role grants access. If you are creating an access role for an application that CA SSO does not protect yet, see the Policy Server Configuration documentation.

Note: To configure access roles in CA SSO, use the Policy Server User Interface, an applet-based application, instead of the CA SSO Administrative UI. In CA SSO 12, this applet is named the CA SSO Federation Security Services Administrative UI (FSS Administrative UI). You can install the FSS Administrative UI using the Policy Server installer.
To enable access roles in CA SSO, complete the following high-level steps:
  1. In the Policy Domain, create realms and rules (if they do not exist) corresponding to the resources to which the access role grants access.
  2. Create a response to pass entitlement information to the resource.
  3. Create a policy and associate it with the following objects:
    • The realms and rules you created in step 1.
    • The response you created in step 2.
    Note: For information about creating policies, see the Policy Server Configuration documentation.
Add Identity Manager Environments to a Policy Domain
To enable CA SSO to support access roles, you associate an Identity Manager environment with a user directory and a policy domain in CA SSO.

Note: Add the user store that is associated with the Identity Manager environment to the policy domain before you add the Identity Manager environment to the policy domain.

Follow these steps:

  1. In the Policy Domain dialog in the Policy Server User Interface, add the user store that is associated with the Identity Manager environment to the policy domain as follows:
    1. Select the User Directories tab.
    2. From the drop-down list box at the bottom of the tab, select the user directory to include in the policy domain.
    3. Click the Add button.
      The Policy Server User Interface adds the directory to the list displayed in the User Directories tab.
    4. Click Apply.
  2. Add the Identity Manager environment to the policy domain as follows:
    1. Select the Identity Manager Environments tab.
    2. From the drop-down list at the bottom of the tab, select the Identity Manager Environment that you want to associate with the policy domain.
    3. Click Add.
      The Policy Server User Interface adds your selection to the list of Identity Manager environments at the top of the tab.
  3. Click OK to save your selections and close the dialog.
    The Identity Manager environments that you selected are available when you create policies.
Create a CA SSO Response

Follow these steps:

  1. Log in to the Policy Server User Interface.
  2. Depending on your administrative privileges, do one of the following tasks:
    • If you have the Manage System and Domain Objects privilege:
      1. In the Object pane, click the Domains tab.
      2. Select the policy domain to which you want to add a response.
    • If you have the Manage Domain Objects privilege, select the policy domain to which you want to add a response in the Object pane.
  3. From the menu bar, select Edit, <domain name>, Create Response.
    The CA SSO Response dialog opens (see Response Dialog).
  4. Enter a name and description for the new response.
  5. In the Agent Type group box, select the CA SSO radio button.
  6. Select the Web Agent option from the drop-down list in the Agent Type group box and click Apply to save your changes.
  7. Click Create.
    The CA SSO Response Attribute Editor dialog opens.
  8. From the Attribute drop-down list, select the WebAgent-HTTP-Header-Variable response attribute.
  9. In the Attribute Setup tab, select the User Attribute radio button.
  10. In the Variable field, enter the name of the variable that is passed to the application.
    For example, if you specify the variable TASKS, the following header is returned to the application:
    HTTP_TASKS
  11. In the Attribute Name field, specify the response attribute as follows:
    • SM_USER_APPLICATION_ROLES[:application_id1, application_id2, ...application_idn]: Returns a list of roles that are assigned to a user.
    • SM_USER_APPLICATION_TASKS[:application_id1, application_id2, ...application_idn]: Returns a list of tasks a user can perform based on the roles that are assigned.
    For more information, see CA SSO Generated Response Attributes.
  12. Click OK to save your changes and return to the CA SSO Administration window.
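The following Python module is an added example, not code from this page or from the CA product. It collects the naming rules for task tags and application IDs from Create an Access Task, composes the Attribute Name value entered in the Response Attribute Editor (including the comma-delimited multi-application form), and shows how an application behind the Web Agent should consume the resulting HTTP_TASKS style header. It assumes that the header value is the comma-delimited list the page describes, that underscores are allowed in application IDs (the page's own example Finance_application contains one), and that a response variable VAR reaches the application as HTTP_VAR, following the page's TASKS example. The sample header values are constructed.

```python
from __future__ import annotations

import re
from typing import Iterable, Mapping, Optional

# Naming rules from Create an Access Task: a tag starts with a letter or
# underscore and contains only letters, digits and underscores. Application
# IDs may not contain spaces; underscores are accepted here because the page's
# own example (Finance_application) uses one (assumption, not the product's check).
TAG_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
APP_ID_RE = re.compile(r"[A-Za-z0-9_]+")

# The two CA SSO generated response attributes described on the page.
ATTRIBUTE_NAMES = ("SM_USER_APPLICATION_ROLES", "SM_USER_APPLICATION_TASKS")


def is_valid_tag(tag: str) -> bool:
    return TAG_RE.fullmatch(tag) is not None


def is_valid_application_id(app_id: str) -> bool:
    return APP_ID_RE.fullmatch(app_id) is not None


def build_response_attribute(kind: str, app_ids: Iterable[str] = ()) -> str:
    """Compose the Attribute Name value, e.g.
    'SM_USER_APPLICATION_ROLES:Finance, Purchasing'.

    Malformed IDs are rejected up front: an ID that does not match one used in
    Create Access Task simply yields an empty entitlement list, which is hard
    to tell apart from a user who genuinely holds no roles.
    """
    if kind not in ATTRIBUTE_NAMES:
        raise ValueError(f"unknown response attribute {kind!r}")
    ids = [a.strip() for a in app_ids]
    bad = [a for a in ids if not is_valid_application_id(a)]
    if bad:
        raise ValueError(f"invalid application ID(s): {bad}")
    return kind if not ids else f"{kind}:{', '.join(ids)}"


def header_name(variable: str) -> str:
    """Name under which the application sees a response variable. The page
    maps the variable TASKS to HTTP_TASKS; this follows that pattern in the
    CGI style (upper-cased, dashes to underscores, HTTP_ prefix)."""
    return "HTTP_" + variable.upper().replace("-", "_")


def parse_entitlement_list(value: Optional[str]) -> frozenset[str]:
    """Split the comma-delimited list delivered by the Web Agent (assumed
    format, matching the page's 'Finance, Purchasing' style). An absent or
    empty header means no entitlements; it must never be read as 'allow'."""
    if not value:
        return frozenset()
    return frozenset(item.strip() for item in value.split(",") if item.strip())


def can_perform(headers: Mapping[str, str], task_tag: str,
                header: str = "HTTP_TASKS") -> bool:
    """Application-side check: allow the action only if the task tag appears
    in the Web Agent-supplied task list. Read this header only on requests
    that arrived through the Web Agent, so that a client cannot supply a
    header of the same name itself."""
    return task_tag in parse_entitlement_list(headers.get(header))


# Constructed sample of what the application would receive (not captured output).
SAMPLE_HEADERS = {
    "HTTP_ROLES": "Finance_Approver, Purchasing_Clerk",
    "HTTP_TASKS": "Generate_Purchase_Order, Update_Quantities",
}

if __name__ == "__main__":
    print(build_response_attribute("SM_USER_APPLICATION_ROLES", ["Finance", "Purchasing"]))
    print(header_name("TASKS"))
    print(can_perform(SAMPLE_HEADERS, "Generate_Purchase_Order"))
    print(can_perform(SAMPLE_HEADERS, "Approve_Invoice"))
```

The parser treats a missing or empty header as an empty entitlement set, so a misconfigured application ID in the response attribute fails closed on the application side rather than granting access.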
Add Roles to the CA SSO Policy
When a user who is assigned an appropriate access role accesses a protected resource, the CA SSO Policy Server verifies that the access role is assigned to the user. Upon verification, it fires the rules included in the policy to check whether the user is allowed to access the resource.

Follow these steps:

  1. In the CA SSO Policy dialog, click the Users tab.
    The Users tab contains tabs for each user directory and Identity Manager environment included in the policy domain.
  2. Select the Identity Manager environment that contains the roles you want to add to the policy.
  3. Click the Add/Remove button.
    The CA SSO Policy Identity Manager Role dialog opens.
  4. To add roles to the policy, select an entry from the Available Members list and move it to the Current Members list.
  5. Click OK to save your changes and return to the CA SSO Policy dialog.
Exclude Roles in a Policy
In addition to using access roles to grant access to applications, you can also use access roles to prevent members of access roles from accessing an application. To prevent access role members from accessing an application, you exclude the roles from CA SSO policies. When a user who has been assigned the excluded access role in Identity Manager tries to access a protected resource, the Policy Server verifies that the excluded Identity Manager role is assigned to the user. Upon verification, it blocks access to the resource.

Follow these steps:

  1. In the CA SSO Policy dialog, click the Users tab.
    The Users tab contains tabs for each user directory and Identity Manager environment included in the policy domain.
  2. Click the Identity Manager environment that contains the roles you want to exclude from your policy.
  3. Click the Add/Remove button.
    The CA SSO Policy Identity Manager Role dialog opens.
  4. To add roles to the policy, select an entry from the Available Members list and click the Left Arrow button, which points to the Current Members list.
    The opposite procedure removes roles from the Current Members list.
  5. In the Current Members list, select the roles to exclude, and click the Exclude button that is located under the list.
    A red circle with a slash appears to the left of the excluded roles.
  6. Click OK to save your changes and return to the CA SSO Policy dialog.
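The following Python is an added example, not the Policy Server's code or data model. It models the decision that Add Roles to the CA SSO Policy and Exclude Roles in a Policy describe, together with the member-rule advice from Define Member Policies for an Access Role: roles are resolved from attribute=value rules over directory attributes only, a policy carries directly bound users, bound roles and excluded roles, and each user gets an allow or deny with a reason. It assumes that exclusion is checked before any grant (fail closed) and that a user the policy never mentions is simply out of scope; the member rules, policy and directory entries are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Mapping, Set, Tuple


@dataclass(frozen=True)
class RolePolicy:
    """Model of a CA SSO policy's Users tab: users bound directly, Identity
    Manager roles bound to the policy, and roles marked with Exclude.
    Constructed for illustration; not the Policy Server's object model."""
    name: str
    users: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()
    excluded_roles: FrozenSet[str] = frozenset()


def resolve_roles(user_attrs: Mapping[str, str],
                  member_rules: Mapping[str, str]) -> Set[str]:
    """Roles a user holds through member rules of the form attribute=value.
    Only directory attributes are consulted, matching the page's advice that
    CA SSO cannot resolve references to objects outside the user directory."""
    roles = set()
    for role, rule in member_rules.items():
        attr, sep, expected = rule.partition("=")
        if sep and user_attrs.get(attr) == expected:
            roles.add(role)
    return roles


def evaluate(policy: RolePolicy, user: str, user_roles: Set[str]) -> Tuple[bool, str]:
    """Decision for one user against one policy.
    Exclusion is checked first (assumption: it overrides any grant), then a
    direct user binding, then membership in any bound role. A user the policy
    never mentions is out of scope and receives nothing from it."""
    excluded = user_roles & policy.excluded_roles
    if excluded:
        return False, f"blocked: member of excluded role {sorted(excluded)}"
    if user in policy.users:
        return True, "allowed: user bound directly to policy"
    granted = user_roles & policy.roles
    if granted:
        return True, f"allowed: via role {sorted(granted)}"
    return False, "not in policy scope"


# Constructed sample data (hypothetical roles, policy and directory entries).
MEMBER_RULES = {
    "Finance_Approver": "title=Manager",
    "Contractor": "employeeType=Contractor",
}
FINANCE_POLICY = RolePolicy(
    name="FinanceAppPolicy",
    users=frozenset({"cfo"}),
    roles=frozenset({"Finance_Approver"}),
    excluded_roles=frozenset({"Contractor"}),
)
DIRECTORY = {
    "alice": {"title": "Manager", "employeeType": "Employee"},
    "bob": {"title": "Manager", "employeeType": "Contractor"},
    "carol": {"title": "Analyst", "employeeType": "Employee"},
}


def decide(user: str) -> Tuple[bool, str]:
    """Resolve a directory user's roles, then evaluate the finance policy."""
    attrs = DIRECTORY.get(user, {})
    return evaluate(FINANCE_POLICY, user, resolve_roles(attrs, MEMBER_RULES))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "cfo"):
        print(name, decide(name))
```

The case of bob is the one the Exclude Roles section is about: he qualifies for the bound Finance_Approver role through his title, but membership in the excluded Contractor role blocks him, so the exclusion check runs before any grant is considered.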