12.1 Defining iChain Access Control Rules

After a user has logged in successfully, Access Control List (ACL) rules control what resources the user can access.

By default, the user has access to nothing. Selected users can access the resources that are explicitly listed in your ACL rules (as specified by the URL). The ACL Rule object can be applied to an organization (O), an organizational unit (OU), a Group object, or even to users listed in the Apply To list for the rule. Whenever possible, we recommend that you use the highest-level object in the list of allowed users, making it easier and faster to configure an ACL rule. Aclcheck.nlm is the module that performs the ACL checking, explained in detail throughout this chapter.

iChain® access control checks the ACL rules in the following sequence:

As explained in Section 11.0, Using the iChain Service Object (ISO), when a user tries to access a protected resource that has been defined as Public, the user is immediately granted access. If the resource is defined as Restricted, the Novell® iChain® system checks the user's browser cookie to see whether he or she is a currently authenticated user: an authenticated user is allowed through to the resource, and an unauthenticated user is prompted to authenticate. A current authenticated connection is all that is required. However, when a user attempts to access a URL that has been defined as Secure, the user must log in to eDirectory™ and provide a password. When the user is authenticated, the ACL rules are checked to see if the user is allowed to access the site.

ACL rules allow the use of an asterisk (*) or question mark (?) as wildcard characters when specifying URLs. The asterisk indicates that the user can have access to the folder contents and all subfolders. The question mark indicates the user can have access to the folder contents, but not the subfolders. Also, each ACL rule can be individually disabled or enabled, allowing you to turn on or off a particular rule for a time without losing its parameter settings.

ACL rules are stored in a cache that is updated periodically at a configurable interval. For performance reasons, the recommended cache refresh interval is three to six hours. If you make changes or additions to the ACL rules and want the cache to be updated immediately, use the Manual Refresh option available in the Configure > Access Control pages of the Proxy Administration Tool. If you have FTP enabled on the proxy, you can automatically refresh the iChain proxy when prompted by the snap-in.

When you create an entry in the URL list of an ACL rule, at least one of the two fields (Resource Name and URL) is required. If only the URL is specified, it must be given as an absolute URL (for example, http://www.novell.com/index.html, not /index.html). The URL can contain wildcards. The ACL rule matches any request for the URL (including wildcards). If only the Resource Name is specified, the ACL rule matches any request for the exact path of the Resource Name. For example, if the protected resource myserver has been defined as http://www.novell.com, and a URL list entry is created with myserver as the Resource Name and with no URL, then the ACL rule applies to the http://www.novell.com URL only.

If both the Resource Name and the URL are specified, the URL must be given as a relative URL (/index.html, not http://www.novell.com/index.html) and may include wildcards. The ACL rule will match requests for the combined Resource Name and URL, including wildcards. For example, if the Resource Name is myserver and the URL is /documentation/*, then the ACL rule applies to http://www.novell.com/documentation/*.

To create a new ACL rule for iChain:

  1. In ConsoleOne®, select File > New > iChain Object.

    or

    Click the New iChain Object icon.

  2. Select iChain Access Control Rule, then click OK.

  3. Define a name for the rule, then click OK.

  4. Select the rule you just created, then click Properties > Access Control.

  5. Under the list of Allowed URLs, click Add. Define a name and URL for a resource that this rule will control access to.

    You can use an asterisk (*) or question mark (?) as a wildcard character when specifying URLs. The asterisk indicates that the user can have access to the folder contents and all subfolders. The question mark indicates the user can have access to the folder contents, but not the subfolders.

  6. Under the Apply To List, click Add to browse to and select the Os, OUs, groups, and users to which this rule applies.

    The Os, OUs, groups, and users in the Apply to List are allowed access to the listed URLs.

  7. Under the Exception List, click Add to browse to and select the Os, OUs, groups, and users that are exceptions to this rule.

    The Os, OUs, groups, and users in the Exceptions List are a subset of the Apply to List and are objects that are denied access to the listed URLs.

    WARNING: If you add the same object to both the Apply To List and the Exceptions List, results are unpredictable.

  8. To enable the ACL rule, select the Enable Access Control check box on the General page.

  9. To disable the ACL rule and save it for later use, deselect the Enable Access Control check box.

12.1.1 iChain Access Control Object

When viewed in ConsoleOne, the iChain Access Control Object in eDirectory has two important pages that are briefly explained below:

General Page

The General page displays the option to enable or disable a rule object. If a rule object is disabled, it is not used by ACLCHECK. This page also displays the option to enable or disable logging for this rule object.

Figure 12-1 iChain Access Control Object: General Page

Access Control Page

You configure the Access Control Policy on the Access Control page.

Figure 12-2 iChain Access Control Object: Access Control Page

The following options are available:

  • Allowed URLs: Shows the list of URLs that are allowed.

  • Excluded URLs: Shows the list of URLs that are carved out of the Allowed URLs and are not allowed.

  • Apply To List: Shows the list of users who have access to the Allowed URLs, minus the Excluded URLs. You can also use this section to configure Dynamic Access Control. See Section 12.2, Defining Dynamic Access Control Rules for more information.

  • Exception List: Shows the list of users and objects that are exceptions to this rule.

    WARNING: If you add the same object to both the Apply To List and the Exceptions List, results are unpredictable.

12.1.2 ACL Exceptions

You can exclude certain users or group members listed in the Apply To List that you do not want to have access to the specified URLs. However, these exceptions are made on a per rule basis. So, although users might be excluded from one rule, they might still have access to the URL through other ACL rules. Double-check all ACL rules for the resource to be sure exceptions are as you expect.

You can also define a subset of the destination URL as an exception for an ACL rule. For example, an ACL rule could be set on http://ichain.novell.com/* for the users in the o=novell container. By using the URL exception feature, an administrator could define http://ichain.novell.com/private/* as a URL exception. iChain access control would then allow the users in the o=novell container to go to all the pages under http://ichain.novell.com/, except http://ichain.novell.com/private/.

12.1.3 ACL Theory of Operations

The following flow chart shows the basic operation of the ACL. (It is not meant to be an all-inclusive code translation.)

Figure 12-3 Basic ACL Operation

NOTE: If the Authorization Server is using one LDAP source and the Access Control is using another, the ISO object (if it exists) in the Authentication tree is ignored and the ISO object in the Access Control tree is utilized.

The following example walks through the ACL process. It uses the protected resources defined in Section 11.0, Using the iChain Service Object (ISO):

SN   Resource Name    URL Prefix                             Access
A    RootIndex        http://ichain.novell.com/index.html    Public
B    RootImages       http://ichain.novell.com/images/?      Public
C    RestrictFolder   http://ichain.novell.com/restrict/*    Secure
D    SecureFolder     http://ichain.novell.com/secure/*      Secure

An ACL Rule Object called ACL_Rule_One is created with the following details:

SN   Applied To URLs                                                            Excluded URLs
     Resource Name   URL Prefix                                                 Resource Name   URL Prefix
E    SecureFolder    /index.html                                                (none)
F    SecureFolder    /images/?                                                  (none)
G    SecureFolder    /folder1/*                                                 (none)
H    (none)                                                                     SecureFolder    /folder1/folder2/?
I    SecureFolder    http://ichain.novell.com/secure/folder1/folder2/folder3/*  (none)

SN   Applied To                            Exclusion List
J    OU=Permanent, OU=Users, O=Company     (none)
     CN=Group1, OU=Users, O=Company
K    (none)                                CN=Fuser456, OU=Permanent, OU=Users, O=Company

Use the flow chart and tables above to understand the following three cases:

Case 1

  1. At the browser, Jack (who is a member of OU=Permanent, OU=Users, O=Company) enters the URL as http://www.novell.com/secure/index.html.

  2. DNS resolves Jack's browser to the iChain machine.

  3. The iChain box has a Web Accelerator with www.ichain.novell.com defined and the Enable Authentication switch is turned on. (If the switch were not turned on, iChain would simply cache the resource and would provide no security.)

  4. The ISO entries are compared to the URL request to determine if authentication is required. There is a match (D).

  5. Jack is asked to enter his name and password for authentication. The username and password are checked for validity.

  6. The URL Jack requested is verified against the ISO Protected Resource to identify whether it is Restricted or a Secure Resource. The Resource D matches the URL Jack requested, and it is secure.

  7. ACL checking takes place. The ACL_Rule_One object's information is checked to see whether user=Jack has access to the URL he is requesting. The /index.html entry is found in the Allowed URLs list (E). User=Jack is found in the container OU=Permanent,OU=Users,O=Company (J) and is not found in the exception list (K). Thus, user=Jack is given access to index.html. Index.html loads the images from the /secure/images/ folder, so iChain also checks whether the images from this location are allowed to be loaded for user=Jack. The images in the folder /secure/images/ are allowed to load (F). Any images referenced from /secure/images/folder1/ are not loaded, because the question mark wildcard in (F) does not cover subfolders; a 403 Forbidden error results for such a request.

Jack is granted access as summarized in the following table:

NOTE: The most specific match, based on the URL, takes precedence. The prefix of the ISO entry (D), http://ichain.novell.com/secure/*, is concatenated with the URL postfix /index.html from the ACL rule entry (E) to form http://ichain.novell.com/secure/index.html.

User   URL Accessed                                                         Status
Jack   http://ichain.novell.com/secure/index.html                           Allowed
Jack   http://ichain.novell.com/index.html                                  Allowed
Jack   http://ichain.novell.com/restrict/index.html                         Allowed
Jack   http://ichain.novell.com/secure/folder1/index.html                   Allowed
Jack   http://ichain.novell.com/secure/folder1/folder2/index.html           Denied
Jack   http://ichain.novell.com/secure/folder1/folder2/folder3/index.html   Allowed

Case 2

User=Jane is a member of the Group1 group object, which is under OU=users,O=company; however, her user object resides under OU=TempUsers,O=Users,O=Company. As in Case 1, Jane would experience the following, depending on the URLs she attempts to access:

User   URL Accessed                                                         Status
Jane   http://ichain.novell.com/secure/folder1/index.html                   Allowed
Jane   http://ichain.novell.com/secure/folder1/folder2/index.html           Denied
Jane   http://ichain.novell.com/secure/folder1/folder2/folder3/index.html   Allowed

She is denied access to /secure/folder1/folder2/index.html because it is part of the Excluded URLs (H). She is allowed access to /secure/folder1/folder2/folder3/index.html because this is part of the Allowed URLs (I).

Case 3

As in Case 1, user=fuser456 (a member of OU=users,O=company) would experience the following, depending on which URLs she accesses:

User       URL Accessed                                                         Status
Fuser456   http://ichain.novell.com/index.html                                  Allowed
Fuser456   http://ichain.novell.com/restrict/index.html                         Allowed
Fuser456   http://ichain.novell.com/secure/index.html                           Denied
Fuser456   http://ichain.novell.com/secure/folder1/folder2/index.html           Denied
Fuser456   http://ichain.novell.com/secure/folder1/folder2/folder3/index.html   Denied

Fuser456 is denied access to all of the secure resources since this user is on the Exception List (K).
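The wildcard and URL-composition rules from Section 12.1 and the three cases above, modelled as an added Python example; this is not iChain or Aclcheck.nlm code. It assumes the user has already authenticated, treats RestrictFolder as Restricted (the Case 1 and Case 3 tables show it reachable without any ACL entry), and resolves a tie between an Allowed and an Excluded entry of equal specificity as a denial.

```python
# Added example (not iChain code): the chapter's ACL matching rules, run over the tables above.
BASE = "http://ichain.novell.com/"
# ISO entries (SN, Resource Name, URL Prefix, Access); RestrictFolder assumed Restricted (Cases 1/3).
ISO = [("A", "RootIndex", BASE + "index.html", "Public"),
       ("B", "RootImages", BASE + "images/?", "Public"),
       ("C", "RestrictFolder", BASE + "restrict/*", "Restricted"),
       ("D", "SecureFolder", BASE + "secure/*", "Secure")]
ACL_RULE_ONE = {  # entries E..K from the ACL_Rule_One tables
    "allowed": [("SecureFolder", "/index.html"), ("SecureFolder", "/images/?"),
                ("SecureFolder", "/folder1/*"),
                ("SecureFolder", BASE + "secure/folder1/folder2/folder3/*")],
    "excluded": [("SecureFolder", "/folder1/folder2/?")],
    "apply_to": ["OU=Permanent,OU=Users,O=Company", "CN=Group1,OU=Users,O=Company"],
    "exceptions": ["CN=Fuser456,OU=Permanent,OU=Users,O=Company"],
}

def url_matches(pattern, url):
    """'*' = folder and all subfolders, '?' = folder contents only, else exact match."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    if pattern.endswith("?"):
        return url.startswith(pattern[:-1]) and "/" not in url[len(pattern) - 1:]
    return url == pattern

def absolute_url(resource_name, url):
    """Absolute URLs stand alone; relative ones are appended to the resource prefix."""
    if url.startswith("http"):
        return url
    prefix = next(p for _, n, p, _ in ISO if n == resource_name)
    return prefix.rstrip("*?") + url.lstrip("/")

def covered_by(user_dn, groups, dns):
    """Listed directly, located under a listed container, or member of a listed group."""
    return any(user_dn == d or user_dn.endswith("," + d) or d in groups for d in dns)

def check_access(user_dn, url, groups=(), rules=(ACL_RULE_ONE,)):
    """'Allowed' or 'Denied' for an authenticated user; ACLs apply only to Secure URLs."""
    iso = [(len(p.rstrip("*?")), a) for _, _, p, a in ISO if url_matches(p, url)]
    if not iso or max(iso)[1] != "Secure":      # most specific ISO entry decides
        return "Allowed"                         # Public, or Restricted with a login
    for rule in rules:
        if not covered_by(user_dn, groups, rule["apply_to"]) or covered_by(
                user_dn, groups, rule["exceptions"]):
            continue                             # rule does not apply, or user is an exception
        hits = [(len(p.rstrip("*?")), kind) for kind in ("allowed", "excluded")
                for n, u in rule[kind] for p in [absolute_url(n, u)] if url_matches(p, url)]
        if hits and max(hits)[1] == "allowed":   # most specific URL entry wins; ties deny
            return "Allowed"
    return "Denied"                              # no rule grants the URL: 403 Forbidden
```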