3.11.3 Understanding the Policies Used in the Sample Portal

The sample portal site is configured for authentication and role based authorization.

Access Manager Appliance uses an Identity Server Role policy to assign roles to logged-in users. In the sample portal, the Identity Server has a policy named role_assignment in which the roles Manager and Employee are defined. The user Alice is assigned both the Manager and Employee roles; another user, Bob, is assigned only the Employee role. Users with the Employee or Manager role can see and edit their own basic information as well as that of other employees. Each user's payroll information is protected: a user with only the Employee role cannot see the pay information of other users unless that user is also assigned the Manager role.

Access Manager Appliance uses Authorization policies to define access control. Role-based access control lets you conveniently map a user to a particular job function or set of permissions within an enterprise. Access Manager Appliance enables you to assign roles to users based on attributes of their identity, and then associate policies with those roles. When designing your own production environment, you need to decide which roles you need (such as sales, administrative, payroll, and accounting). You can then create Role policies that assign the roles to your users, and create Authorization and Identity Injection policies that use the roles to control access.

Access Manager uses the Identity Injection policy for single sign-on to a web resource through HTTP headers, for example HTTP authentication. Two Identity Injection policies, basic_auth and fillRole, are configured for single sign-on to the portal. The basic_auth policy injects an authentication header containing the LDAP user DN and LDAP password. The DN format used is LDAP, for example cn=alice,ou=Payroll,o=Novell. The fillRole policy injects the defined name and value, in this example Roles, into a custom header. The main page of the sample payroll site displays the user's login name.

Access Manager uses the Form Fill policy to fill in forms served by the web server. A default Form Fill policy, fill_allowance, is defined. Under Fill Options, the Input Field Name payinfo.allowances is defined with the value 10000. When you edit the pay info form, the Allowances field is automatically filled with this value. Any request that lacks the basic authentication header or the required role is forbidden.

You can use the sample application available to understand the roles by following the procedure below:

  1. Log in to the portal page (for example, and click Sample Application.

  2. Log in with the username alice. The login page is displayed with the published DNS name alice. Alice can access her pay information. If the user belongs to payroll, the Pay Info button is displayed on the page.

  3. Click Employees. Alice can access Bob’s pay information because Alice is assigned the manager role. Click show against the DNS name. In this example, click Pay Info for Bob.

  4. Click pay edit to edit the pay of the employees. The Allowances field is automatically filled as defined in the Form Fill policy. You can edit the pay information and save your changes.

  5. Click New Employee to create a new employee.

    NOTE: If you log in as Bob, you cannot create a new employee or access the pay information of other employees, and you will get a Forbidden error because Bob is not assigned the Manager role.
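The following Python script is an added example, not code from the Access Manager product or the sample portal, that models the policy chain described above and the Alice/Bob walkthrough in the procedure: the role_assignment Role policy, the basic_auth and fillRole Identity Injection headers, the authorization decision the portal enforces, and the fill_allowance Form Fill default. The role assignments for alice and bob, the header name `Authorization` for the injected basic authentication header, and the rule that editing pay information requires the Manager role are assumptions made for the example; the page states the Roles header name, the DN format, and the 10000 allowance value.

```python
import base64

# Constructed sample data for this example; it mirrors the roles the page
# describes for the sample portal but is not the product's policy store.
ROLE_ASSIGNMENT = {
    "cn=alice,ou=Payroll,o=Novell": {"Manager", "Employee"},
    "cn=bob,ou=Payroll,o=Novell": {"Employee"},
}

# Fill Options of the fill_allowance Form Fill policy, as given on the page.
FORM_FILL_DEFAULTS = {"payinfo.allowances": "10000"}

# Assumption: basic_auth injects the standard Authorization header; the page
# names the custom header injected by fillRole "Roles".
AUTH_HEADER = "Authorization"
ROLES_HEADER = "Roles"


def identity_injection_headers(user_dn, password):
    """Simulate what the basic_auth and fillRole Identity Injection policies
    add to a request before it reaches the web server."""
    creds = base64.b64encode(f"{user_dn}:{password}".encode()).decode()
    roles = ",".join(sorted(ROLE_ASSIGNMENT.get(user_dn, set())))
    return {AUTH_HEADER: f"Basic {creds}", ROLES_HEADER: roles}


def parse_injected_headers(headers):
    """Recover (user_dn, roles) from the injected headers, or (None, set())
    when the basic authentication header is missing or malformed."""
    auth = headers.get(AUTH_HEADER, "")
    if not auth.startswith("Basic "):
        return None, set()
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None, set()
    user_dn, sep, _password = decoded.partition(":")
    if not sep:
        return None, set()
    roles = {r.strip() for r in headers.get(ROLES_HEADER, "").split(",") if r.strip()}
    return user_dn, roles


def authorize(headers, action, target_dn=None):
    """Access-control decision of the sample portal as an HTTP status:
    200 = allowed, 403 = Forbidden (no basic auth header or missing role).
    Rules from the page: Employee and Manager may see and edit basic
    information; another user's pay information and creating an employee
    require Manager. Assumption: editing pay information also requires Manager."""
    user_dn, roles = parse_injected_headers(headers)
    if user_dn is None:
        return 403  # request without the basic authentication header
    is_employee = "Employee" in roles or "Manager" in roles
    is_manager = "Manager" in roles
    if action in ("view_basic", "edit_basic"):
        return 200 if is_employee else 403
    if action == "view_pay":
        if user_dn == target_dn and is_employee:
            return 200  # a user may see their own pay information
        return 200 if is_manager else 403
    if action in ("edit_pay", "create_employee"):
        return 200 if is_manager else 403
    return 403  # unknown action: deny by default


def pay_edit_form(headers, target_dn, submitted=None):
    """Return (status, form) for the pay edit page; the Form Fill policy fills
    payinfo.allowances with 10000 when the field is absent or empty."""
    status = authorize(headers, "edit_pay", target_dn)
    if status != 200:
        return status, {}
    form = dict(submitted or {})
    for field, value in FORM_FILL_DEFAULTS.items():
        if not form.get(field):
            form[field] = value
    return status, form


if __name__ == "__main__":
    alice = "cn=alice,ou=Payroll,o=Novell"
    bob = "cn=bob,ou=Payroll,o=Novell"
    for who in (alice, bob):
        h = identity_injection_headers(who, "constructed-password")
        print(who, "| view Bob's pay:", authorize(h, "view_pay", bob),
              "| create employee:", authorize(h, "create_employee"))
```

Running the script prints 200 for both actions as Alice and 403 for both as Bob, matching steps 3 and 5 of the procedure and the note about Bob. The decision is deliberately computed from the injected headers only, which is the position the protected web server is in: it never sees the Identity Server session, so everything it needs (identity and roles) must arrive through the Identity Injection policies.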