Exported Types

Administrator Rights
Sm_PolicyApi_AdminRights_t enumerates the rights of the administrator. These values may be used individually or combined to set multiple rights. The resulting value is passed to Sm_PolicyApi_AddAdmin() as one of the attributes in a Sm_PolicyApi_Admin_t structure.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_AdminRights_ManageAllDomains | 0x01 |
| Sm_PolicyApi_AdminRights_ManageObjects | 0x02 |
| Sm_PolicyApi_AdminRights_ManageUsers | 0x04 |
| Sm_PolicyApi_AdminRights_ManageKeys | 0x08 |
| Sm_PolicyApi_AdminRights_ManagePasswordPolicy | 0x08 |
| Sm_PolicyApi_AdminRights_ManageReports | 0x10 |
The following table shows how these values are used to set administrative privileges:
Scope: System
Task: Manage System & Domain Objects
To set the privileges below, set administrator rights to both of the following:
  • Sm_PolicyApi_AdminRights_ManageAllDomains
  • Sm_PolicyApi_AdminRights_ManageObjects
Privileges:
  • Create/edit/delete agents, agent groups, directories, policy domains, authentication schemes, agent types, ODBC setup, directory mappings, certificate mappings, and registration schemes.
  • Create/delete parent realms in all domains.
  • Create/edit/delete administrators.
  • Flush all caches, including cached resources.
  • Change global settings.
  • All the privileges for Manage Domain Objects listed below.

Scope: Domains
Task: Manage Domain Objects
To set the privileges below, set administrator rights to:
  • Sm_PolicyApi_AdminRights_ManageObjects
Privileges:
  • In managed domains: create/edit/delete rules, rule groups, responses, response groups, policies.
  • Edit top level realms in managed domains (not resource filters).
  • Create/edit/delete nested realms in managed domains.
  • Flush specific realms from the resource cache, and flush all resources (in privileged domains) from the cache.

Scope: System
Task: View Reports
To set the privilege below, set administrator rights to both of the following:
  • Sm_PolicyApi_AdminRights_ManageAllDomains
  • Sm_PolicyApi_AdminRights_ManageUsers
Privilege:
  • View all system and domain reports.

Scope: Domains
Task: View Reports
To set the privilege below, set administrator rights to:
  • Sm_PolicyApi_AdminRights_ManageUsers
Privilege:
  • View reports for managed domains.

Scope: System
Task: Manage Keys and Password Policies
To set the privileges below, set administrator rights to both of the following:
  • Sm_PolicyApi_AdminRights_ManageAllDomains
  • Sm_PolicyApi_AdminRights_ManageKeys
Privileges:
  • Create/edit/delete password policies.
  • Manage keys.

Scope: Domains
Task: Manage Password Policies
To set the privilege below, set administrator rights to:
  • Sm_PolicyApi_AdminRights_ManagePasswordPolicy
Privilege:
  • Create/edit/delete password policies for users in directories attached to managed domains.

Scope: System
Task: Manage Users
To set the privileges below, set administrator rights to both of the following:
  • Sm_PolicyApi_AdminRights_ManageAllDomains
  • Sm_PolicyApi_AdminRights_ManageReports
Privileges:
  • Flush all user session caches, or flush the user session cache of any individual user cache from any directory.
  • Enable/disable users in any directory.
  • Force password change on any user in any directory.

Scope: Domains
Task: Manage Users
To set the privileges below, set administrator rights to:
  • Sm_PolicyApi_AdminRights_ManageReports
Privileges:
  • Flush user session caches for individual users in directories attached to managed domains.
  • Enable/disable users in directories attached to managed domains.
  • Force password change on users in directories attached to managed domains.
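For a least-privilege review, the privilege table above can be turned into a lookup that maps a stored rights value to the tasks it grants. The block below is an added example, not code from the product SDK; it copies the bit values and the right-to-task pairing from the tables on this page, and the `R_*`/`T_*` names, the function names and the sample administrators are invented for the example.

```c
#include <stdio.h>

/* Bit values copied from the Administrator Rights table on this page.
 * Local names are used so the block builds without the product headers. */
#define R_ALL_DOMAINS 0x01u /* Sm_PolicyApi_AdminRights_ManageAllDomains */
#define R_OBJECTS     0x02u /* Sm_PolicyApi_AdminRights_ManageObjects */
#define R_USERS       0x04u /* Sm_PolicyApi_AdminRights_ManageUsers */
#define R_KEYS_PWPOL  0x08u /* ManageKeys and ManagePasswordPolicy: both listed as 0x08 */
#define R_REPORTS     0x10u /* Sm_PolicyApi_AdminRights_ManageReports */
#define R_KNOWN       0x1Fu

/* One bit per row of the privilege table (identifiers invented for this example). */
#define T_SYS_OBJECTS  0x01u
#define T_DOM_OBJECTS  0x02u
#define T_SYS_REPORTS  0x04u
#define T_DOM_REPORTS  0x08u
#define T_SYS_KEYS_PW  0x10u
#define T_DOM_PWPOLICY 0x20u
#define T_SYS_USERS    0x40u
#define T_DOM_USERS    0x80u

struct task_name { unsigned bit; const char *name; };
static const struct task_name TASK_NAMES[] = {
    { T_SYS_OBJECTS,  "System: Manage System & Domain Objects" },
    { T_DOM_OBJECTS,  "Domains: Manage Domain Objects" },
    { T_SYS_REPORTS,  "System: View Reports" },
    { T_DOM_REPORTS,  "Domains: View Reports" },
    { T_SYS_KEYS_PW,  "System: Manage Keys and Password Policies" },
    { T_DOM_PWPOLICY, "Domains: Manage Password Policies" },
    { T_SYS_USERS,    "System: Manage Users" },
    { T_DOM_USERS,    "Domains: Manage Users" },
};

/* Right bit -> task granted with and without ManageAllDomains,
 * paired row by row as the page's privilege table lists them. */
struct grant { unsigned right, sys_task, dom_task; };
static const struct grant GRANTS[] = {
    { R_OBJECTS,    T_SYS_OBJECTS | T_DOM_OBJECTS, T_DOM_OBJECTS  },
    { R_USERS,      T_SYS_REPORTS,                 T_DOM_REPORTS  },
    { R_KEYS_PWPOL, T_SYS_KEYS_PW,                 T_DOM_PWPOLICY },
    { R_REPORTS,    T_SYS_USERS,                   T_DOM_USERS    },
};

/* Tasks a rights value grants according to the table. */
unsigned effective_tasks(unsigned rights) {
    unsigned tasks = 0;
    int system_scope = (rights & R_ALL_DOMAINS) != 0;
    for (size_t i = 0; i < sizeof GRANTS / sizeof GRANTS[0]; i++)
        if (rights & GRANTS[i].right)
            tasks |= system_scope ? GRANTS[i].sys_task : GRANTS[i].dom_task;
    return tasks;
}

/* Bits that are set but not listed in the table; worth a closer look. */
unsigned unknown_bits(unsigned rights) { return rights & ~R_KNOWN; }

/* Tasks granted beyond what the role needs. */
unsigned excess_tasks(unsigned rights, unsigned needed) {
    return effective_tasks(rights) & ~needed;
}

static void print_tasks(const char *label, unsigned tasks) {
    printf("  %s:%s\n", label, tasks ? "" : " none");
    for (size_t i = 0; i < sizeof TASK_NAMES / sizeof TASK_NAMES[0]; i++)
        if (tasks & TASK_NAMES[i].bit)
            printf("    - %s\n", TASK_NAMES[i].name);
}

int main(void) {
    /* Constructed sample: rights values as they might be read back for review. */
    struct { const char *admin; unsigned rights, needed; } sample[] = {
        { "helpdesk",       R_REPORTS,                    T_DOM_USERS },
        { "pwpolicy-admin", R_ALL_DOMAINS | R_KEYS_PWPOL, T_DOM_PWPOLICY },
        { "legacy-import",  0x3Fu,                        T_SYS_OBJECTS | T_DOM_OBJECTS },
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        printf("%s (rights 0x%02x)\n", sample[i].admin, sample[i].rights);
        print_tasks("granted", effective_tasks(sample[i].rights));
        print_tasks("beyond role", excess_tasks(sample[i].rights, sample[i].needed));
        if (unknown_bits(sample[i].rights))
            printf("  unlisted bits: 0x%02x\n", unknown_bits(sample[i].rights));
    }
    return 0;
}
```

Because the table lists ManageKeys and ManagePasswordPolicy with the same value, an administrator given 0x08 together with ManageAllDomains is reported with key management as well as password policy rights.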
Affiliate Attribute Types
Sm_PolicyApi_AffiliateAttrType_t enumerates the valid affiliate attribute types, for use in the affiliate functions to manipulate affiliate attributes.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_Affiliate_HTTP_Header_Variable | 1 |
| Sm_PolicyApi_Affiliate_HTTP_Cookie_Variable | 2 |
Attribute Mode Types
Sm_PolicyApi_SAMLSPAttrMode_t enumerates the valid attribute retrieval types for use in SAML 2.0 Attribute Authority support:
| Name | Value |
| --- | --- |
| Sm_PolicyApi_SAMLSP_SSO_Only | 0 |
| Sm_PolicyApi_SAMLSP_Attribute_Only | 1 |
One of these values should be provided in the nMode element of the Sm_PolicyApi_SAMLSPAttr_t structure.
Authentication and Authorization Mapping Types
Sm_PolicyApi_AuthAzMapType_t enumerates the authentication and authorization mapping types.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_AuthAzMapType_DN | 1 |
| Sm_PolicyApi_AuthAzMapType_UniversalId | 2 |
| Sm_PolicyApi_AuthAzMapType_Attr | 3 |
Certificate Mapping Attribute Types
Sm_PolicyApi_CertMapAttrType_t enumerates types of mapping that determine how an X.509 client certificate will map to the user information in the authentication directory.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_CertMapAttrType_Single | 1 |
| Sm_PolicyApi_CertMapAttrType_Custom | 2 |
| Sm_PolicyApi_CertMapAttrType_Exact | 3 |
Certificate Mapping Directory Types
Sm_PolicyApi_DirType_t enumerates the types of directories that can be used to authenticate users.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_DirType_LDAP | 1 |
| Sm_PolicyApi_DirType_WinNT | 2 |
| Sm_PolicyApi_DirType_ODBC | 3 |
Certificate Mapping Flags Definitions
Sm_PolicyApi_CertMapFlags_t enumerates flags that represent certificate mapping properties.
| Flag | Description | Value |
| --- | --- | --- |
| Sm_PolicyApi_CertMapFlags_CertRequired | Setting this flag causes CA Single Sign-On to verify that the certificate presented by the user matches the certificate stored in the user's entry in the authentication directory. The authentication directory must be an LDAP user directory. | 0x01 |
| Sm_PolicyApi_CertMapFlags_UseDistributionPoints | Set this flag if your Certificate Revocation List (CRL) uses distribution points. Large CRLs may contain multiple distribution points that can be used to locate a revoked user. Distribution points indicate a starting point in the CRL LDAP directory. The distribution point provides a starting point for a CRL check and saves the processing time that it would take to search the entire CRL for a particular user. When this flag is set, CA Single Sign-On retrieves the distribution point from the user's certificate, then uses it to find the appropriate LDAP directory entry point for the CRL. | 0x02 |
| Sm_PolicyApi_CertMapFlags_VerifySignature | Set this flag to enable signature verification, where the Policy Server checks the Certificate Authority's public certificate against a signature stored in the policy database. | 0x04 |
| Sm_PolicyApi_CertMapFlags_CRLCheck | Set this flag to make CA Single Sign-On perform a Certificate Revocation List check. A Certificate Revocation List (CRL) is a list of revoked X.509 client certificates published by the Certificate Authority. Comparing certificates against CRLs is one way to ensure that certificates are valid. When a user with such a certificate tries to access a protected resource, CA Single Sign-On finds the user's certificate in the CRL and rejects the authentication. | 0x08 |
| Sm_PolicyApi_CertMapFlags_Cache | Setting this flag causes CA Single Sign-On to use cached CRL information until the date specified in the NextUpdate field in the CRL. | 0x10 |
Directory Capabilities
Sm_PolicyApi_GetUserDirCapabilities() uses the values that are enumerated in Sm_DirectoryCapability_t, which is defined in SmApi.h.
| Directory Capability | Description | Value |
| --- | --- | --- |
| Sm_DirCapability_CreatePasswordPolicy | Capable of creating password policy. The following attributes are affected in the user directory (Sm_PolicyApi_UserDir_t): pszPasswordData, pszDisabledAttr, and pszPasswordAttribute. | 0x00000001 |
| Sm_DirCapability_CreateRegistrationPolicy | Capable of creating registration policy. The following attributes are affected in the user directory (Sm_PolicyApi_UserDir_t): pszAnonymousId, pszEmailAddressAttr, pszChallengeRespAttr, and pszPasswordAttribute. | 0x00000002 |
| Sm_DirCapability_ResetUserPassword | Capable of resetting the user password. This affects pszPasswordAttribute. | 0x00000004 |
| Sm_DirCapability_ChangeUserPassword | Capable of changing the user password. This affects pszPasswordAttribute. | 0x00000008 |
| Sm_DirCapability_DisableUser | Capable of disabling the user account. This affects pszDisabledAttr. | 0x00000010 |
| Sm_DirCapability_DmsCapable | Capable of being written by the Delegated Management System (DMS). | 0x00000020 |
| Sm_DirCapability_Recursive | Capable of supporting recursion. | 0x00000040 |
| Sm_DirCapability_DisabledAttr | Read-Write disabled attribute. This attribute is configured for the user directory. | 0x00100000 |
| Sm_DirCapability_UniversalIdAttr | Read-only Universal ID. This attribute is configured for the user directory. | 0x00200000 |
| Sm_DirCapability_AnonymousIdAttr | Read-Write anonymous ID attribute. This attribute is configured for the user directory. | 0x00400000 |
| Sm_DirCapability_PasswordDataAttr | Read-Write password data attribute. This attribute is configured for the user directory. | 0x00800000 |
| Sm_DirCapability_UserPasswordAttr | Read-Write password attribute. This attribute is configured for the user directory. | 0x01000000 |
| Sm_DirCapability_EmailAddressAttr | Read-only E-mail attribute. This attribute is configured for the user directory. | 0x02000000 |
| Sm_DirCapability_ChallengeRespAttr | Read-Write Challenge and Response attribute. This attribute is configured for the user directory. | 0x04000000 |
Attribute masks are directory user profile attributes. They are available in the directory. Each attribute is read-only or read-write. Read-write attributes are not used by other applications.
Domain Flags
Sm_PolicyApi_DomainFlags_t enumerates flags pertaining to domain-wide influence.
| Name | Description | Value |
| --- | --- | --- |
| Sm_PolicyApi_DomainFlags_GlobalPoliciesApply | When this flag is set, the domain processes global policies for all realms in the domain. When this flag is not set, the domain does not process global policies. | 0x02 |
Group Types
Sm_PolicyApi_Groups_t enumerates the type of group for which you can perform group functions.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_NULL_Group_Prop | 0 |
| Sm_PolicyApi_Rule_Group_Prop | 1 |
| Sm_PolicyApi_Response_Group_Prop | 2 |
| Sm_PolicyApi_Agent_Group_Prop | 3 |
IP Address Types
Sm_PolicyApi_IPAddressType_t enumerates the type of IP address restrictions that are defined for an object in Sm_PolicyApi_IPAddress_t.
IP Address Type: Sm_PolicyApi_IPAddressType_SingleHost
Value: 1
A single host IP address requires the following fields to be set:
  • iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t.
  • iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_SingleHost.
  • nIPAddress. The valid IP address. This IP address is specified in the long format.

IP Address Type: Sm_PolicyApi_IPAddressType_HostName
Value: 2
A host name IP address requires the following fields to be set:
  • iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t.
  • iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_HostName.
  • pszHostName[BFSIZE]. Host name of the machine that a user must be using for an action to occur (for example, for a policy to fire).

IP Address Type: Sm_PolicyApi_IPAddressType_AddressAndSubNetMask
Value: 3
A subnet mask requires the following fields to be set:
  • iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t.
  • iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_AddressAndSubnetMask.
  • nIPAddress. The valid IP address. This IP address is specified in the long format.
  • nSubnetMask. Specify the subnet mask.

IP Address Type: Sm_PolicyApi_IPAddressType_Range
Value: 4
A range of IP addresses requires the following fields to be set:
  • iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t.
  • iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_Range.
  • nIPAddress. Starting IP address. This IP address is specified in the long format.
  • nEndIPAddress. Ending IP address. This IP address is specified in the long format.
Management Commands
Sm_PolicyApi_ManagementCommands_t enumerates the values that can be passed to Sm_PolicyApi_ManagementCommand() for flushing caches, for managing agent encryption keys, and for shared secret rollover.
Initialize the structure to zero (memset) prior to setting any values. Use the symbolic enumerated values, rather than hard-coding integer command values.
The value is passed in the iCommand field of the structure Sm_PolicyApi_ManagementCommand_t.
| Management Command | Description | Value |
| --- | --- | --- |
| Sm_PolicyApi_ManagementCommand_FlushAll | Flushes all CA Single Sign-On caches. Policy store cache, resource cache, and user information cache are flushed by this command. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t. | 1 |
| Sm_PolicyApi_ManagementCommand_FlushUsers | Flushes user information cache. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t. | 2 |
| Sm_PolicyApi_ManagementCommand_FlushRealms | Flushes resource cache. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t. | 3 |
| Sm_PolicyApi_ManagementCommand_ChangeDynamicKeys | Changes the dynamic agent key. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t. Before you change a dynamic agent key through the C API, the Agent Key setting in the Policy Server Key Management dialog box must be set to Use dynamic Agent Key. To access this dialog box in the Policy Server UI, click Tools > Manage Keys. Then, in the Agent Key tab, select Use dynamic Agent Key. | 4 |
| Sm_PolicyApi_ManagementCommand_ChangePersistentKey | Changes the persistent or static key. The data field pszData of Sm_PolicyApi_ManagementCommand_t structure may contain an optional key value. If pszData is empty, the persistent key is randomly generated. | 5 |
| Sm_PolicyApi_ManagementCommand_ChangeSessionKey | Changes the session key. The data field pszData of Sm_PolicyApi_ManagementCommand_t structure may contain an optional key value. If pszData is empty, the session key is randomly generated. | 6 |
| Sm_PolicyApi_ManagementCommand_RolloverSharedSecrets | Rolls over shared secrets for rollover-enabled trusted hosts. | 7 |
Password Messages
Sm_PolicyApi_PasswordMsgId_t enumerates password message IDs.
Password messages describe the encoded error message returned to Sm_PolicyApi_SetPassword() when a new password does not satisfy the password policy requirements of the specified directory.
| Password Message ID | Value |
| --- | --- |
| Sm_PolicyApi_PasswordMsgId_None | 0 |
| Sm_PolicyApi_PasswordMsgId_ChangePassword | 1 |
| Sm_PolicyApi_PasswordMsgId_PassswordGeneralFailure | 1000 |
| Sm_PolicyApi_PasswordMsgId_PasswordShort | 1001 |
| Sm_PolicyApi_PasswordMsgId_PasswordLong | 1002 |
| Sm_PolicyApi_PasswordMsgId_PasswordOldPasswordBad | 1003 |
| Sm_PolicyApi_PasswordMsgId_PasswordReuse | 1004 |
| Sm_PolicyApi_PasswordMsgId_PasswordSimilar | 1005 |
| Sm_PolicyApi_PasswordMsgId_PasswordRepeatingChars | 1006 |
| Sm_PolicyApi_PasswordMsgId_PasswordDictionaryMatch | 1007 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentLetters | 1008 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentDigits | 1009 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentAlphaNum | 1010 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentPunctuation | 1011 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNonPrintable | 1012 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNonAlphaNum | 1013 |
| Sm_PolicyApi_PasswordMsgId_PasswordProfileMatch | 1014 |
| Sm_PolicyApi_PasswordMsgId_PasswordGraceDays | 1015 |
| Sm_PolicyApi_PasswordMsgId_PasswordSystemPIN | 1016 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserMaxNumPIN | 1017 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserMinMaxNumPIN | 1018 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserMaxAlphaPIN | 1019 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserMinMaxAlphaPIN | 1020 |
| Sm_PolicyApi_PasswordMsgId_PasswordAcceptPIN | 1021 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentLowerAlpha | 1022 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentUpperAlpha | 1023 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoLowerAlpha | 1024 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoUpperAlpha | 1025 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoDigits | 1026 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoPunctuation | 1027 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoNonPrintable | 1028 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoNonAlphaNum | 1029 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoAlphaNum | 1030 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentMatchRegExp | 1031 |
| Sm_PolicyApi_PasswordMsgId_PasswordContentNoMatchRegExp | 1032 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserMinNumPIN | 1033 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserDigitsPIN | 1034 |
| Sm_PolicyApi_PasswordMsgId_PasswordUserAlphaNumPIN | 1035 |
Additional information about the error message is available in the password message field associated with the password message.
Password Message Fields
Sm_PolicyApi_PasswordMsgFieldId_t enumerates password message field IDs.
Password message fields contain additional information about the password messages described in the previous section. You can find this additional information in the structure Sm_PolicyApi_PasswordMsgField_t.
| Password Message Field ID | Value |
| --- | --- |
| Sm_PolicyApi_PasswordMsgFieldId_None | 0 |
| Sm_PolicyApi_PasswordMsgFieldId_Min | 1 |
| Sm_PolicyApi_PasswordMsgFieldId_Max | 2 |
| Sm_PolicyApi_PasswordMsgFieldId_OldPW | 3 |
| Sm_PolicyApi_PasswordMsgFieldId_NewPW | 4 |
| Sm_PolicyApi_PasswordMsgFieldId_Days | 5 |
| Sm_PolicyApi_PasswordMsgFieldId_Token | 6 |
Fields can be of type integer or string, or they can have no type.
Password Message Field Types
Sm_PolicyApi_FieldType_t enumerates the possible data types for the password message fields.
| Password Message Field Type | Value |
| --- | --- |
| Sm_PolicyApi_FieldType_None | 0 |
| Sm_PolicyApi_FieldType_Int | 1 |
| Sm_PolicyApi_FieldType_String | 2 |
Password Policy Behavior Flags
Sm_PasswordPolicyBehavior_t enumerates the behavioral characteristics of a password policy.
| Password Policy Behavior Flag | Description | Value |
| --- | --- | --- |
| Sm_PasswordPolicy_DontTrackLogins | This flag has been replaced in CA Single Sign-On v6.0 SP3 by Sm_PasswordPolicy_DontTrackSuccessLogins and Sm_PasswordPolicy_DontTrackFailedLogins. The new flags allow successful and failed logins to be tracked separately. Sm_PasswordPolicy_DontTrackLogins is currently maintained for backwards compatibility. If this flag is set, login tracking for successful and failed logins will not occur. | 0x00000004 |
| Sm_PasswordPolicy_AllowFailedWrites | Allows users to log in even if password data cannot be written to the user directory. | 0x00000008 |
| Sm_PasswordPolicy_InactivityForcePWChange | Forces a password change on the next login attempt after a user's password becomes invalid due to inactivity. | 0x00000010 |
| Sm_PasswordPolicy_PWExpiredForcePWChange | Forces a password change on the next login attempt after a user's password expires. | 0x00000020 |
| Sm_PasswordPolicyBehavior_FullReenable | If a user's account is disabled due to successive incorrect password entries, this flag re-enables the account after a given time period. Specify the time in the nReenablement field of Sm_PolicyApi_PasswordPolicy_t. If this flag is not set, the user is allowed another login attempt after the given nReenablement time period. | 0x00000040 |
| Sm_PasswordPolicy_StopPriorityChaining | Prevents the evaluation of password policies with lower priority ratings than the current password policy. | 0x00000080 |
| Sm_PasswordPolicy_ExpireDisablePassword | When the password expires, disable just the password and not the user account. | 0x00000100 |
| Sm_PasswordPolicy_FailuresDisablePassword | When the maximum number of authentication failures is exceeded, disable just the password and not the user account. | 0x00000200 |
| Sm_PasswordPolicy_ForceCase | Forces the password to the case that is specified through bit Sm_PasswordPolicy_CaseSelect. | 0x00000400 |
| Sm_PasswordPolicy_CaseSelect | If Sm_PasswordPolicy_ForceCase is set, this bit forces upper case passwords when set, and forces lower case passwords when cleared. | 0x00000800 |
| Sm_PasswordPolicy_CaseBits | Sets both of the following bits (forces upper case passwords): Sm_PasswordPolicy_ForceCase, Sm_PasswordPolicy_CaseSelect. | 0x00000c00 |
| Sm_PasswordPolicy_StripLeadingWhiteSpace | Removes any leading white space from the password. | 0x00001000 |
| Sm_PasswordPolicy_StripTrailingWhiteSpace | Removes any trailing white space from the password. | 0x00002000 |
| Sm_PasswordPolicy_StripFlankingWhiteSpace | Sets both of the following bits (strips leading and trailing white space): Sm_PasswordPolicy_StripLeadingWhiteSpace, Sm_PasswordPolicy_StripTrailingWhiteSpace. | 0x00003000 |
| Sm_PasswordPolicy_StripEmbeddedWhiteSpace | Removes all white space within the password. | 0x00004000 |
| Sm_PasswordPolicy_WhiteSpaceBits | Sets all of the following bits (strips leading, trailing, and embedded white space): Sm_PasswordPolicy_StripLeadingWhiteSpace, Sm_PasswordPolicy_StripTrailingWhiteSpace, Sm_PasswordPolicy_StripEmbeddedWhiteSpace. | 0x00007000 |
| Sm_PasswordPolicy_PreProcessBits | Sets all of the following bits (forces upper case passwords and strips leading, trailing, and embedded white space): Sm_PasswordPolicy_ForceCase, Sm_PasswordPolicy_CaseSelect, Sm_PasswordPolicy_StripLeadingWhiteSpace, Sm_PasswordPolicy_StripTrailingWhiteSpace, Sm_PasswordPolicy_StripEmbeddedWhiteSpace. | 0x00007c00 |
| Sm_PasswordPolicy_DontTrackSuccessLogins | Performs directory updates at login time. When this flag is not set, the password policy tracks successful user logins, including the time of the last login. | 0x00008000 |
| Sm_PasswordPolicy_DontTrackFailedLogins | Performs directory updates at login time. When this flag is not set, the password policy tracks unsuccessful user login attempts. | 0x00010000 |
Values 0x00000400 through 0x00007c00 apply to password preprocessing. During preprocessing, the password is checked before it is processed or stored.
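When reviewing a password policy, the behaviour mask is easier to judge once it is decoded into what it switches off and how it normalizes passwords. The block below is an added example, not code from the product SDK: `audit_behavior()` reports the tracking, write-failure and preprocessing bits from the table above, and `preprocess()` is a model of the preprocessing bits as the table describes them. The `PP_*`/`F_*` names are invented here, and treating white space as whatever C's `isspace()` accepts is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Values copied from the Password Policy Behavior Flags table on this page. */
#define PP_DONT_TRACK_LOGINS         0x00000004u /* legacy: disables both kinds of tracking */
#define PP_ALLOW_FAILED_WRITES       0x00000008u
#define PP_FORCE_CASE                0x00000400u
#define PP_CASE_SELECT               0x00000800u
#define PP_STRIP_LEADING_WS          0x00001000u
#define PP_STRIP_TRAILING_WS         0x00002000u
#define PP_STRIP_EMBEDDED_WS         0x00004000u
#define PP_WHITESPACE_BITS           0x00007000u
#define PP_PREPROCESS_BITS           0x00007c00u
#define PP_DONT_TRACK_SUCCESS_LOGINS 0x00008000u
#define PP_DONT_TRACK_FAILED_LOGINS  0x00010000u

/* Review findings (identifiers invented for this example). */
#define F_LEGACY_TRACK_FLAG    0x01u /* replaced flag still in use */
#define F_NO_FAILED_TRACKING   0x02u /* failed logins are not tracked */
#define F_NO_SUCCESS_TRACKING  0x04u /* successful logins are not tracked */
#define F_LOGIN_WITHOUT_WRITE  0x08u /* login allowed when password data cannot be written */
#define F_CASE_FOLDED          0x10u /* passwords forced to one case */
#define F_CASESELECT_NO_EFFECT 0x20u /* CaseSelect set without ForceCase */
#define F_WHITESPACE_STRIPPED  0x40u /* some white space is removed */

/* Decode a behaviour mask into review findings. */
unsigned audit_behavior(unsigned flags) {
    unsigned f = 0;
    if (flags & PP_DONT_TRACK_LOGINS)
        f |= F_LEGACY_TRACK_FLAG | F_NO_FAILED_TRACKING | F_NO_SUCCESS_TRACKING;
    if (flags & PP_DONT_TRACK_FAILED_LOGINS)  f |= F_NO_FAILED_TRACKING;
    if (flags & PP_DONT_TRACK_SUCCESS_LOGINS) f |= F_NO_SUCCESS_TRACKING;
    if (flags & PP_ALLOW_FAILED_WRITES)       f |= F_LOGIN_WITHOUT_WRITE;
    if (flags & PP_FORCE_CASE)                f |= F_CASE_FOLDED;
    else if (flags & PP_CASE_SELECT)          f |= F_CASESELECT_NO_EFFECT;
    if (flags & PP_WHITESPACE_BITS)           f |= F_WHITESPACE_STRIPPED;
    return f;
}

/* Model of the preprocessing bits: writes the normalized password to out
 * (capacity n, always NUL-terminated when n > 0) and returns out. */
char *preprocess(unsigned flags, const char *pw, char *out, size_t n) {
    size_t len = strlen(pw), first = 0, last = len, j = 0;
    if (n == 0) return out;
    /* [first, last) is the span between the flanking white space. */
    while (first < len && isspace((unsigned char)pw[first])) first++;
    while (last > first && isspace((unsigned char)pw[last - 1])) last--;
    for (size_t i = 0; i < len && j + 1 < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isspace(c)) {
            if (i < first && (flags & PP_STRIP_LEADING_WS)) continue;
            if (i >= last && (flags & PP_STRIP_TRAILING_WS)) continue;
            if (i >= first && i < last && (flags & PP_STRIP_EMBEDDED_WS)) continue;
        }
        if (flags & PP_FORCE_CASE) /* CaseSelect only matters when ForceCase is set */
            c = (unsigned char)((flags & PP_CASE_SELECT) ? toupper(c) : tolower(c));
        out[j++] = (char)c;
    }
    out[j] = '\0';
    return out;
}

int main(void) {
    char a[64], b[64];
    /* Constructed sample mask: full preprocessing plus the legacy tracking flag. */
    unsigned flags = PP_PREPROCESS_BITS | PP_DONT_TRACK_LOGINS;
    printf("findings: 0x%02x\n", audit_behavior(flags));
    preprocess(flags, "  Pass Word ", a, sizeof a);
    preprocess(flags, "password", b, sizeof b);
    printf("\"%s\" vs \"%s\": %s\n", a, b,
           strcmp(a, b) ? "distinct" : "identical after preprocessing");
    return 0;
}
```

With all preprocessing bits set, inputs that differ only in case or white space normalize to the same stored value, which is worth accounting for when the policy's length and content rules are assessed.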
Policy Flags
Sm_PolicyApi_AddUsersToPolicy() uses the following values (which are defined in SmApi.h):
| Flag | Description | Value |
| --- | --- | --- |
| Sm_PolicyBehavior_Exclude_Mask | Bit 0x01 determines whether user policy excludes or includes 'users.' | 0x01 |
| Sm_PolicyBehavior_Exclude_No | | 0x00 |
| Sm_PolicyBehavior_Exclude_Yes | | 0x01 |
| Sm_PolicyBehavior_Recursive_Mask | Bit 0x02 determines whether user policy is recursive. This is applicable to directory object classes that can be nested. | 0x02 |
| Sm_PolicyBehavior_Recursive_No | | 0x00 |
| Sm_PolicyBehavior_Recursive_Yes | | 0x02 |
| Sm_PolicyBehavior_AND_Mask | Bit 0x04 determines whether the user policy has an AND relationship between user policies. This is applicable to user policies that are members of a particular user directory within the policy. | 0x04 |
| Sm_PolicyBehavior_AND_No | | 0x00 |
| Sm_PolicyBehavior_AND_Yes | | 0x04 |
Policy Management API Initialization Flags
Sm_PolicyApi_InitFlags_t enumerates the initialization flags used by Sm_PolicyApi_Init(). These flags affect API behavior.
| Flag | Description | Value |
| --- | --- | --- |
| Sm_PolicyApi_InitFlags_EnableCache | Enables caching of policy store, resource, and user information to ensure that CA Single Sign-On responds quickly to user requests. | 0x01 |
| Sm_PolicyApi_InitFlags_PreLoadCache | Enables the Policy Management API to preload the CA Single Sign-On caches. Note: By omitting this flag, you can reduce the time it takes for custom Policy Management applications to make policy store changes. | 0x02 |
| Sm_PolicyApi_InitFlags_LoadAgentTypeDictionary | Enables the Policy Management API to preload the CA Single Sign-On agent type dictionary. | 0x04 |
| Sm_PolicyApi_InitFlags_DisableValidation | Disables validation of policy objects. | 0x08 |
| Sm_PolicyApi_InitFlags_DisableAudit | Disables: (1) auditing of user activity, including authentication, authorization, and administration activities (administration activities include changes to the policy store); (2) monitoring of user sessions. | 0x10 |
| Sm_PolicyApi_InitFlags_DisableCacheUpdates | Disables cache updates. If cache updates are not disabled and Sm_PolicyApi_InitFlags_EnableCache is turned off, the Policy Management API will still issue the cache updates. | 0x20 |
| Sm_PolicyApi_InitFlags_DisableManagementWatchDog | Disables the CA Single Sign-On management watchdog. The watchdog is enabled by default. The watchdog is used internally and should not be disabled. | 0x40 |
Policy Object IDs
Sm_PolicyApi_Objects_t describes the policy store properties that can be retrieved, set, and removed.
Sm_PolicyApi_NULL_Domain_Props, value 0, is reserved.
The following table lists the domain object type values that can be passed to Sm_PolicyApi_GetDomainObjects():
| Name | Value |
| --- | --- |
| Sm_PolicyApi_Rule_Prop | 1 |
| Sm_PolicyApi_RuleGroup_Prop | 2 |
| Sm_PolicyApi_Policy_Prop | 3 |
| Sm_PolicyApi_PolicyLink_Prop | 4 |
| Sm_PolicyApi_UserPolicy_Prop | 5 |
| Sm_PolicyApi_Realm_Prop | 6 |
| Sm_PolicyApi_ResponseGroup_Prop | 7 |
| Sm_PolicyApi_Response_Prop | 8 |
| Sm_PolicyApi_ResponseAttr_Prop | 9 |
| Sm_PolicyApi_UserDir_Prop | 10 |
| Sm_PolicyApi_Admins_Prop | 17 |
| Sm_PolicyApi_ActiveExpr_Prop | 23 |
| Sm_PolicyApi_Variable_Prop | 25 |
| Sm_PolicyApi_Affiliate_Prop | 33 |
| Sm_PolicyApi_SAMLSP_Prop | 35 |
The following table lists the global object type names that can be passed to Sm_PolicyApi_GetGlobalObjects():
| Name | Description | Value |
| --- | --- | --- |
| Sm_PolicyApi_Rule_Prop | | 1 |
| Sm_PolicyApi_Policy_Prop | | 3 |
| Sm_PolicyApi_Response_Prop | | 8 |
| Sm_PolicyApi_UserDir_Prop | | 10 |
| Sm_PolicyApi_Scheme_Prop | Object ID for an authentication scheme. | 11 |
| Sm_PolicyApi_Agent_Prop | | 12 |
| Sm_PolicyApi_AgentGroup_Prop | | 13 |
| Sm_PolicyApi_AgentType_Prop | | 14 |
| Sm_PolicyApi_AgentTypeAttr_Prop | | 15 |
| Sm_PolicyApi_Domain_Prop | | 16 |
| Sm_PolicyApi_Admins_Prop | | 17 |
| Sm_PolicyApi_ODBCQueryScheme_Prop | | 18 |
| Sm_PolicyApi_RegistrationScheme_Prop | | 19 |
| Sm_PolicyApi_PasswordPolicy_Prop | | 20 |
| Sm_PolicyApi_AuthAzMap_Prop | Object ID for an authentication-authorization object. | 21 |
| Sm_PolicyApi_CertMap_Prop | Object ID for a certification-mapping object. | 22 |
| Sm_PolicyApi_VariableType_Prop | | 24 |
| Sm_PolicyApi_TrustedHost_Prop | | 26 |
| Sm_PolicyApi_HostConfig_Prop | | 27 |
| Sm_PolicyApi_AgentConfig_Prop | | 28 |
| Sm_PolicyApi_Association_Prop | Object ID for a configuration name/value pair in an agent configuration object. | 29 |
| Sm_PolicyApi_AffiliateDomain_Prop | | 32 |
| Sm_PolicyApi_SharedSecretPolicy_Prop | | 34 |
| Sm_PolicyApi_SAMLIdP_Prop | | 36 |
| Sm_PolicyApi_SAMLAffiliation_Prop | | 37 |
| Sm_PolicyApi_WSFEDResourcePartner_Prop | | 38 |
Policy Resolutions
Sm_PolicyResolution_t, defined in SmApi.h, enumerates the values that describe the relationship between two policy objects.
Return Codes
The value codes that can be returned by the API are enumerated in Sm_PolicyApi_Status_t. The values have the following significance:
  • A zero return code indicates success.
  • Negative return codes indicate failure.
Most of the code names are self-explanatory. However, note that Sm_PolicyApi_BadArgument (-10) is returned when one or more of the required input parameters is not supplied. For example, if an argument such as a domain OID is null or represents a string of zero length, Sm_PolicyApi_BadArgument is returned to the caller.
Return codes with values less than -100 (except for Sm_PolicyApi_NotUnique, value -105) will rarely be returned by this API. They are included for completeness.
| Return Code | Value |
| --- | --- |
| Sm_PolicyApi_Success | 0 |
| Sm_PolicyApi_Failure | -1 |
| Sm_PolicyApi_InvalidHandle | -2 |
| Sm_PolicyApi_ErrorLogin | -3 |
| Sm_PolicyApi_NoPrivilege | -4 |
| Sm_PolicyApi_InvalidPasswordSyntax | -5 |
| Sm_PolicyApi_InvalidPassword | -6 |
| Sm_PolicyApi_DuplicateEntry | -7 |
| Sm_PolicyApi_DoesNotExist | -8 |
| Sm_PolicyApi_NotFound | -9 |
| Sm_PolicyApi_BadArgument | -10 |
| Sm_PolicyApi_WrongNumberOfElements | -11 |
| Sm_PolicyApi_UserDirNotPartOfDomain | -12 |
| Sm_PolicyApi_UserDirNotValid | -13 |
| Sm_PolicyApi_ErrorUserDir | -14 |
| Sm_PolicyApi_AgentNotFound | -15 |
| Sm_PolicyApi_AgentTypeNotFound | -16 |
| Sm_PolicyApi_AgentTypeAttrNotFound | -17 |
| Sm_PolicyApi_AgentTypeMismatch | -18 |
| Sm_PolicyApi_ODBCQuerySchemeNotFound | -19 |
| Sm_PolicyApi_UserDirNotFound | -20 |
| Sm_PolicyApi_DomainNotFound | -21 |
| Sm_PolicyApi_AdminNotFound | -22 |
| Sm_PolicyApi_SchemeNotFound | -23 |
| Sm_PolicyApi_RegistrationSchemeNotFound | -24 |
| Sm_PolicyApi_PasswordPolicyNotFound | -25 |
| Sm_PolicyApi_SchemeIsRequired | -26 |
| Sm_PolicyApi_PasswordPolicyConfig | -27 |
| Sm_PolicyApi_RealmNotFound | -28 |
| Sm_PolicyApi_NoChildren | -29 |
| Sm_PolicyApi_RuleNotFound | -30 |
| Sm_PolicyApi_ResponseNotFound | -31 |
| Sm_PolicyApi_ResponseAttrNotFound | -32 |
| Sm_PolicyApi_PolicyNotFound | -33 |
| Sm_PolicyApi_PolicyLinkNotFound | -34 |
| Sm_PolicyApi_UserPolicyNotFound | -35 |
| Sm_PolicyApi_BadGroup | -36 |
| Sm_PolicyApi_GroupNotFound | -37 |
| Sm_PolicyApi_Invalid | -38 |
| Sm_PolicyApi_InvalidHandleVersion | -39 |
| Sm_PolicyApi_DomainNotAffiliate | -41 |
| Sm_PolicyApi_InvalidOid | -100 |
| Sm_PolicyApi_NotImplemented | -101 |
| Sm_PolicyApi_NotSearchable | -102 |
| Sm_PolicyApi_NotStorable | -103 |
| Sm_PolicyApi_NotCollection | -104 |
| Sm_PolicyApi_NotUnique | -105 |
| Sm_PolicyApi_InvalidProp | -106 |
| Sm_PolicyApi_NotInitted | -107 |
| Sm_PolicyApi_NoSession | -108 |
| Sm_PolicyApi_OidInUseByRealm | -109 |
| Sm_PolicyApi_OidInUseByRule | -110 |
| Sm_PolicyApi_OidInUseByAdmin | -111 |
| Sm_PolicyApi_MissingProperty | -112 |
| Sm_PolicyApi_GroupMemberName | -113 |
| Sm_PolicyApi_RadiusIpAddrNotUnique | -114 |
| Sm_PolicyApi_GroupAgentType | -115 |
| Sm_PolicyApi_RadiusRealmNotUnique | -116 |
| Sm_PolicyApi_RealmFilterNotUnique | -117 |
| Sm_PolicyApi_InvalidCharacters | -118 |
| Sm_PolicyApi_AgentTypeCantBeDeleted | -119 |
| Sm_PolicyApi_ProvNotImplemented | -120 |
| Sm_PolicyApi_ProvNotUnique | -121 |
| Sm_PolicyApi_RealmCantBeUsedInRule | -122 |
| Sm_PolicyApi_OidInUserByCertMap | -123 |
| Sm_PolicyApi_OidInUseBySelfReg | -124 |
| Sm_PolicyApi_OidInUseByUserDirectory | -125 |
| Sm_PolicyApi_SchemeCantBeDeleted | -126 |
| Sm_PolicyApi_BasicSchemeUpdate | -127 |
| Sm_PolicyApi_NonHtmlForm | -128 |
| Sm_PolicyApi_IllegalRealmOperation | -129 |
| Sm_PolicyApi_NameNotUnique | -130 |
| Sm_PolicyApi_FeatureNotSupported | -132 |
| Sm_PolicyApi_AssertionConsumerDefaultMissing | -133 |
| Sm_PolicyApi_SAMLSP_AuthenticationURLMissing | -134 |
| Sm_PolicyApi_SAMLSP_DomainOidMissing | -135 |
| Sm_PolicyApi_SAMLSP_IdPIDMissing | -136 |
| Sm_PolicyApi_SAMLSP_NameMissing | -137 |
| Sm_PolicyApi_SAMLSP_NameIdFormatMissing | -138 |
| Sm_PolicyApi_SAMLSP_NameIdTypeMissing | -139 |
| Sm_PolicyApi_SAMLSP_NameIdStaticMissing | -140 |
| Sm_PolicyApi_SAMLSP_NameIdAttrNameMissing | -141 |
| Sm_PolicyApi_SAMLSP_NameIdDNSpecMissing | -142 |
| Sm_PolicyApi_SAMLSP_ProviderIDMissing | -143 |
| Sm_PolicyApi_SAMLSP_ProviderIDNotUnique | -144 |
| Sm_PolicyApi_SAML_UnSupportedSAMLVersion | -145 |
| Sm_PolicyApi_SAMLIDP_IncorrectParameters | -146 |
| Sm_PolicyApi_SAMLIDP_ProviderIDNotUnique | -147 |
| Sm_PolicyApi_SAMLAFF_NameMissing | -148 |
| Sm_PolicyApi_SAMLAFF_NameIdFormatMissing | -149 |
| Sm_PolicyApi_SAMLAFF_NameIdTypeMissing | -150 |
| Sm_PolicyApi_SAMLAFF_NameIdStaticMissing | -151 |
| Sm_PolicyApi_SAMLAFF_NameIdAttrNameMissing | -152 |
| Sm_PolicyApi_SAMLAFF_NameIdDNSpecMissing | -153 |
| Sm_PolicyApi_SAMLAFF_AffiliationIDMissing | -154 |
| Sm_PolicyApi_SAMLAFF_AffiliationIDNotUnique | -155 |
| Sm_PolicyApi_SAMLAFF_AffiliationHasMembers | -156 |
| Sm_PolicyApi_SAML_UnknownProperty | -157 |
| Sm_PolicyApi_WSFEDRP_AssertionConsumerDefaultMissing | -158 |
| Sm_PolicyApi_WSFEDRP_AuthenticationURLMissing | -159 |
| Sm_PolicyApi_WSFEDRP_DomainOidMissing | -160 |
| Sm_PolicyApi_WSFEDRP_APIDMissing | -161 |
| Sm_PolicyApi_WSFEDRP_NameMissing | -162 |
| Sm_PolicyApi_WSFEDRP_NameIdFormatMissing | -163 |
| Sm_PolicyApi_WSFEDRP_NameIdTypeMissing | -164 |
| Sm_PolicyApi_WSFEDRP_NameIdStaticMissing | -165 |
| Sm_PolicyApi_WSFEDRP_NameIdAttrNameMissing | -166 |
| Sm_PolicyApi_WSFEDRP_NameIdDNSpecMissing | -167 |
| Sm_PolicyApi_WSFEDRP_ProviderIdMissing | -168 |
| Sm_PolicyApi_WSFEDRP_ProviderIdNotUnique | -169 |
| Sm_PolicyApi_WSFEDRP_UnsupportedSAMLVersion | -170 |
| Sm_PolicyApi_WSFEDRP_UnkownProperty | -171 |
| Sm_PolicyApi_WSFEDAP_IncorrectParameters | -172 |
| Sm_PolicyApi_WSFEDAP_ProviderIDNotUnique | -173 |
| Sm_PolicyAPI_InsufficientRPData | -174 |
| Sm_PolicyAPI_WSFED_UnSupportedWSFEDVersion | -175 |
| Sm_PolicyAPI_DuplicateAttribute | -176 |
| Sm_PolicyAPI_SAMLSP_ACSDuplicateIndex | -177 |
| Sm_PolicyAPI_SAMLSP_ACSIndexedEndpointInUse | -178 |
| Sm_PolicyAPI_SAMLSP_ACSIndexedEndpointNotFound | -179 |
| Sm_PolicyAPI_SAMLSP_CantDeleteDefaultACSIndex | -180 |
| Sm_PolicyAPI_SAMLSP_ACSMaxExceeded | -181 |
| Sm_PolicyAPI_InConsistentANDBitMask | -182 |
SAML1x Redirect URL Types
Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_TYPE_t defines the type of redirection specified in Sm_PolicyApi_AddRedirectURLToSAML1xScheme() and Sm_PolicyApi_GetRedirectURLFromSAML1xScheme().
Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_TYPE_t is listed in SmPolicyApi45.h.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_USER_NOT_FOUND_TYPE | 0 |
| Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_INVALID_SSO | 1 |
| Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_UNACCEPTABLE_USER_CREDENTIALS | 2 |
SAML Assertion Consumer Service Bindings
The following values are the SAML Protocol Bindings that can be specified for each row of the Assertion Consumer Service:
| Name | Value |
| --- | --- |
| Sm_PolicyApi_SAMLSP_HTTP_Post | 0 |
| Sm_PolicyApi_SAMLSP_HTTP_Artifact | 1 |
| Sm_PolicyApi_SAMLSP_PAOS | 2 |
SAML Attribute Name Format Identifiers
Sm_PolicyApi_SAMLSPAttrNameFormat_t defines the format to use for specifying attributes that apply to a principal. The format specification is made within the structure Sm_PolicyApi_SAMLSPAttr_t.
The format identifiers are defined by the SAML 2.0 standard.
Sm_PolicyApi_SAMLSPAttrNameFormat_t is listed in SmPolicyApi45.h.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_SAMLSP_Unspecified | 0 |
| Sm_PolicyApi_SAMLSP_URI | 1 |
| Sm_PolicyApi_SAMLSP_Basic | 2 |
SAML Profiles
Sm_PolicyApi_SAML_Profile_t specifies the communication profile used to send and receive a SAML assertion for a particular affiliate object. The profile is specified as one of the attributes of a Sm_PolicyApi_Affiliate_t structure. Sm_PolicyApi_SAML_Profile_t is listed in SmPolicyApi45.h.
| Name | Value |
| --- | --- |
| Sm_PolicyApi_SAML_Profile_Artifact | 1 |
| Sm_PolicyApi_SAML_Profile_POST | 2 |
Scheme Types
Sm_Api_SchemeType_t describes the values that may be passed to Sm_PolicyApi_AddScheme() as one of the attributes of a SmPolicyApi_Scheme_t structure. Sm_Api_SchemeType_t is listed in SmApi.h.
| Scheme Type | Value |
| --- | --- |
| Sm_Api_SchemeType_Basic | 1 |
| Sm_Api_SchemeType_CryptoCard | 2 |
| Sm_Api_SchemeType_Encotone | 3 |
| Sm_Api_SchemeType_HTMLForm | 4 |
| Sm_Api_SchemeType_BasicOverSSL | 5 |
| Sm_Api_SchemeType_RadiusServer | 6 |
| Sm_Api_SchemeType_SafeWordServer | 7 |
| Sm_Api_SchemeType_ACEServer | 8 |
| Sm_Api_SchemeType_X509ClientCert | 9 |
| Sm_Api_SchemeType_X509ClientCertAndBasic | 10 |
| Sm_Api_SchemeType_X509ClientCertOrBasic | 11 |
| Sm_Api_SchemeType_RadiusChapPap | 12 |
| Sm_Api_SchemeType_Anonymous | 13 |
| Sm_Api_SchemeType_NTLM | 14 |
| Sm_Api_SchemeType_Custom | 15 |
| Sm_Api_SchemeType_ACEServerHTMLForm | 16 |
| Sm_Api_SchemeType_SafeWordHTMLForm | 17 |
| Sm_Api_SchemeType_XMLDsig | 18 |
| Sm_Api_SchemeType_X509ClientCertOrForm | 19 |
| Sm_Api_SchemeType_X509ClientCertAndForm | 20 |
| Sm_Api_SchemeType_MSPassport | 21 |
| Sm_Api_SchemeType_XMLDocumentCredentialCollector | 22 |
| Sm_Api_SchemeType_SAMLSessionTicket | 25 |
| Sm_Api_SchemeType_SAMLArtifact | 26 |
| Sm_Api_SchemeType_Impersonation | 27 |
| Sm_Api_SchemeType_SAMLPOST | 28 |
| Sm_Api_SchemeType_SAML2 | 29 |
| Sm_Api_SchemeType_WSFED | 30 |
Shared Secret Rollover Parameters
Sm_PolicyApi_SecretRolloverPeriod_t enumerates the units of time which, when combined with the rollover frequency setting, determine how often shared secret rollover occurs. For example, a rollover period of RolloverHOURS and a frequency of 12 means that the shared secret is changed every 12 hours.
The rollover period is defined in the iRolloverPeriod field of structure Sm_PolicyApi_SharedSecretPolicy_t, and the frequency is defined in the iRolloverFrequency field of the structure.
| Name | Value |
| --- | --- |
| RolloverNEVER | 0 |
| RolloverHOURS | 1 |
| RolloverDAYS | 2 |
| RolloverWEEKS | 3 |
| RolloverMONTHS | 4 |
Structure IDs
Sm_PolicyApi_Structs_t enumerates the data structures that can be passed to and from the Policy Management API as follows:
| Name | Value |
| --- | --- |
| Sm_PolicyApi_NULL_ID | 0 |
| Sm_PolicyApi_Rule_ID | 1 |
| Sm_PolicyApi_Policy_ID | 2 |
| Sm_PolicyApi_Realm_ID | 3 |
| Sm_PolicyApi_Response_ID | 4 |
| Sm_PolicyApi_UserDir_ID | 5 |
| Sm_PolicyApi_Agent_ID | 6 |
| Sm_PolicyApi_Domain_ID | 7 |
| Sm_PolicyApi_PolicyLink_ID | 8 |
| Sm_PolicyApi_ResponseAttr_ID | 9 |
| Sm_PolicyApi_User_ID | 10 |
| Sm_PolicyApi_Scheme_ID | 11 |
| Sm_PolicyApi_Admin_ID | 12 |
| Sm_PolicyApi_Group_ID | 13 |
| Sm_PolicyApi_ODBCQueryScheme_ID | 14 |
| Sm_PolicyApi_Object_ID | 15 |
| Sm_PolicyApi_AgentType_ID | 16 |
| Sm_PolicyApi_AgentTypeAttr_ID | 17 |
| Sm_PolicyApi_RegistrationScheme_ID | 18 |
| Sm_PolicyApi_PasswordPolicy_ID | 19 |
| Sm_PolicyApi_IPAddress_ID | 20 |
| Sm_PolicyApi_AuthAzMap_ID | 21 |
| Sm_PolicyApi_CertMap_ID | 22 |
| Sm_PolicyApi_PasswordMsgField_ID | 23 |
| Sm_PolicyApi_VariableType_ID | 25 |
| Sm_PolicyApi_Variable_ID | 26 |
| Sm_PolicyApi_TrustedHost_ID | 27 |
| Sm_PolicyApi_HostConfig_ID | 28 |
| Sm_PolicyApi_AgentConfig_ID | 29 |
| Sm_PolicyApi_Association_ID | 30 |
| Sm_PolicyApi_UserContext_ID | 31 |
| Sm_PolicyApi_Affiliate_ID | 36 |
| Sm_PolicyApi_AffiliateAttr_ID | 37 |
| Sm_PolicyApi_SharedSecretPolicy_ID | 38 |
| Sm_PolicyApi_UserContext_ID | 40 |
| Sm_PolicyApi_SAMLSP_ID | 41 |
| Sm_PolicyApi_SAMLProviderProp_ID | 42 |
| Sm_PolicyApi_SAMLAffiliation_ID | 43 |
| Sm_PolicyApi_SAMLSPAttr_ID | 44 |
| Sm_PolicyApi_WSFEDResourcePartner_ID | 45 |
| Sm_PolicyApi_WSFEDProviderProp_ID | 46 |
| Sm_PolicyApi_WSFEDRPAttr_ID | 47 |
| Sm_PolicyApi_SAMLRequesterAttr_ID | 48 |
| Sm_PolicyApi_SAMLSPAssertionConsumerService_ID | 49 |