Domains

Contents
sm1252sp1
Contents
2
Policy Domain Overview
A policy domain is a logical grouping of resources that are associated with one or more user directories. In addition, policy domains require one or more administrator accounts that can change the objects within the policy domain. Policy domains contain realms, rules, responses, and policies (and optionally, rule groups and response groups). An administrator with the appropriate privileges assigns a policy domain to one or more administrators.
The resources in a policy domain can be grouped in one or more realms. A realm is a set of resources with a common security (authentication) requirement. Rules, which are associated with the realm that contains the resource control access to resources. The following diagram illustrates a small policy domain which contains realms and their associated rules, and a rule group, response group, and a pair of responses.
Policy domain overview 12.52 SP1
Policy domain overview 12.52 SP1
By grouping realms and rules in a policy domain, you can provide organizations with a secure domain for their resources. In the policies section, you learn how to create policies within a policy domain to control access to the policy domain resources.
In the sample diagram below, a Marketing policy administrator who is specified in the Marketing policy domain can manage the Marketing Strategy and Marketing Projects realms. The policy domain ensures that the Engineering administrator, who does not have administrative privileges to manage the Marketing policy domain, cannot control resources belonging to the Marketing department. However, the Marketing policy domain is associated with a user directory that contains engineering users.
If the administrator for the Marketing department creates a policy within the Marketing policy domain that allows Engineering staff to access the resource Project 2.html, engineering users can access the resource.
Policy domain example 12.52 SP1
Policy domain example 12.52 SP1
Domains and User Membership
Besides acting as a container for domain objects, policy domains also connect to user directories. The Policy Server authenticates users based on the requirements of the realm in which the target resource resides. In order to authenticate a user, the Policy Server must find the user directory where a user is defined. The Policy Server does this by locating the policy domain to which a realm belongs. From the policy domain, the Policy Server queries the user directories specified in the policy domain’s search order.
The search order is defined when you add user directory connections to a policy domain. The order in which you add directory connections determines the order that the Policy Server uses to search for a user. For example, if you set up policy domain for a company migrating user data from a WinNT directory to an LDAP directory, and you want the Policy Server to search in the new LDAP directory first, then look in the WinNT user directory, add the LDAP directory connection to the policy domain first, then add the WinNT user directory connection.
How to Configure a Policy Domain
You configure a domain to create a logical grouping of resources with one or more user directories. Configuring a domain requires you to:
  • Assign one or more user directories for user authentication
  • Create one or more realms to group resources according to security policies
You can edit a policy domain’s properties if you need to add a realm in the future.
The following process lists the steps for configuring a new policy domain:
Configure a Policy Domain
You create a policy domain to protect logical groupings of resources.
Follow these steps:
  1. Click Policies, Domain, Domains.
  2. Click Create Domain.
  3. Type the name and a description of the policy.
  4. Add User Directories and Realms.
  5. Click Submit.
    You have defined a policy domain.
Assign User Directories
You can add one or more user directories to a policy domain. The Policy Server authenticates users by comparing the credentials that they enter to the credentials that are stored in the user directories. The Policy Server searches the user directories in the same order that they are listed in the policy domain.
Follow these steps:
  1. Click Policies, Domain, Domains.
  2. Specify the search criteria and click Search.
    A list of domains that match the search criteria appears.
  3. Click the name of the domain that you want to modify.
  4. Click Modify.
    The settings and controls become active.
  5. In the General tab, click Add/Remove.
    The Choose user directories page appears.
  6. Select one or more user directories from the list of Available Members, and click the right-facing arrows.
    The user directories are removed from the list of Available Members and added to the list of Selected Members.
    To select more than one member at one time, hold down the Ctrl key while you click the additional members. To select a block of members, click the first member and then hold down the Shift key while you click the last member in the block.
  7. Click OK.
    The selected user directories are listed under User Directories.
    To create a new user directory and add it to the domain, click Create.
  8. Click Submit.
    The selected user directories are added to the policy domain.
Create a Realm
Realms are created in a domain and are associated with a Web Agent. Realms use resource filters to group resources that have similar security requirements and share a common authentication scheme.
Configure a Realm with a
CA Single Sign-On
Web Agent
When you create a domain, you can create one or more realms in the domain and associate them with a Web Agent or Agent group. Realms group resources that have similar security requirements and share a common authentication scheme.
Follow these steps:
  1. Click Policies, Domain, Realms.
  2. Click Create Realm.
  3. Select a domain, and click Next.
  4. Type the name and a description of the realm.
  5. Click the ellipsis button to select an agent.
  6. Select a Web Agent or Agent group, and click OK.
  7. Specify the remaining resource properties.
  8. Create new rules or delete existing rules.
  9. Create new sub-realms or delete existing sub-realms.
  10. Specify the session properties.
  11. Specify the authorization directory mappings and types of events the realm must process.
  12. Click Finish.
    The Realm is created.
Configure a Realm with a RADIUS Agent
When you create a domain, you can create one or more realms in the domain and associate them with a Radius Agent or Agent group. Realms group resources that have similar security requirements and share a common authentication scheme.
The Administrative UI lets you configure realms protected by a RADIUS Agent. These realms do not require all of the same information that is required for a
CA Single Sign-On
Web Agent realm.
Follow these steps:
  1. Click Policies, Domain, Realms.
  2. Click Create Realm.
  3. Select a domain, and click Next.
  4. Type the name and a description of the realm.
  5. Click the ellipsis button to select an agent.
  6. Select a RADIUS Agent or Agent group, and click OK.
  7. Specify the remaining resource properties.
  8. Create new rules or delete existing rules.
  9. Specify the session properties.
  10. Click Finish.
    The Realm is created and associated with the selected RADIUS Agent or Agent group.
Add CA Identity Manager Environments to a Domain
Adding a CA Identity Manager environment and the associated user directories to a domain makes available CA Identity Manager roles to policies.
Follow these steps:
  1. Click Policies, Domain, Domains.
  2. Specify search criteria and click Search to locate the domain you want.
  3. Click the name of the domain to which you want to add the environment.
  4. Click Modify.
  5. If the users that are associated with the environment are not bound to the domain, add the respective user directories.
  6. Click Add/Remove in the IDM Environments section.
  7. Select the IDM Environments you want and click OK.
  8. Click Submit.
    The CA Identity Manager environments are added to the domain. The roles associated with the environments are available to all policies created in the domain.
Disable Global Policy Processing for a Domain
Global policies let you associate responses with particular resources and events across all domains. By default, global policies apply to all of the resources in a policy domain.
Follow these steps:
  1. Open the domain.
  2. Clear the Global Policies Apply check box, and then click Submit.
    Global policies no longer apply to the resources in this domain.
Modify a Domain
You can change the name, description, user directory connections and administrators associated with a policy or affiliate domain. All other features of a domain are a result of peripheral configuration.
Delete a Domain
Deleting a domain destroysall of the domain user directories, administrator connections, and objects bound to the domain, such as rules, realms, responses, policies, or affiliates.
It may take a short amount of time for all deleted objects to be removed from caches.