6.9 Policy Distribution

Policy definitions are not replicated, but are referenced by the Access Gateways for which the policy is to be evaluated. The policy reference mechanism is a set of XML elements that refer back to the policy definitions stored in the various policy containers. If you have configured a policy for a protected resource and an Access Gateway does not seem to be executing this policy, use the following procedures to verify that the Access Gateway has been configured to use the policy:

  1. Set the level of Application logging to config. See Section 6.1, Turning on Logging for Policy Evaluation.

    This enables the tracing of the policy enforcement lists.

  2. Search for the name of your policy in a <PolicyEnforcementList> element. The ExternalElementRef attribute contains a reference to the policy name.

    You can find these elements in the catalina.out file (Linux) or stdout.log file (Windows).

  3. If you cannot find the policy name, the Access Gateway has not been configured to use the policy. The configuration either needs to be applied or the policy needs to be enabled. For information on how to assign a policy to a protected resource, see Configuring Protected Resources in the NetIQ Access Manager 3.1 SP5 Access Gateway Guide.

  4. If you find the policy name associated with the correct protected resource, you need to check why the policy is not evaluating according to your design. Set the level of Application logging to info and examine the policy trace from a user accessing the protected resource. See Section 6.2, Understanding Policy Evaluation Traces.
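
The search in steps 2 and 3 can be scripted. The following is an added example, not part of the Access Manager documentation or product: it collects every ExternalElementRef value found inside <PolicyEnforcementList> elements of a log and reports whether the policy name appears. The function names, the child element name, and the sample log are assumptions constructed for illustration; a real trace may be laid out differently.

```python
import re

# One <PolicyEnforcementList ...> ... </PolicyEnforcementList> block,
# even when it spans several log lines.
PEL_BLOCK = re.compile(
    r"<PolicyEnforcementList\b.*?</PolicyEnforcementList>", re.DOTALL)
EXT_REF = re.compile(r'ExternalElementRef\s*=\s*"([^"]*)"')


def find_policy_refs(log_text, policy_name):
    """Return (matching_refs, all_refs) found inside enforcement lists."""
    all_refs = []
    for block in PEL_BLOCK.findall(log_text):
        all_refs.extend(EXT_REF.findall(block))
    # Substring match: the attribute contains a reference to the policy
    # name, not necessarily the bare name on its own.
    wanted = policy_name.lower()
    matching = [ref for ref in all_refs if wanted in ref.lower()]
    return matching, all_refs


def report(log_text, policy_name):
    """Summarize whether the gateway configuration references the policy."""
    matching, all_refs = find_policy_refs(log_text, policy_name)
    if matching:
        return f"'{policy_name}' referenced as: {', '.join(matching)}"
    return (f"'{policy_name}' not referenced; lists contain "
            f"{len(all_refs)} other reference(s)")


# Constructed sample: the child element name and all values are assumptions,
# not copied from a real Access Gateway trace.
SAMPLE_LOG = """\
constructed log line before the list
<PolicyEnforcementList>
  <PolicyRef ExternalElementRef="PolicyID_Payroll_Authorization"/>
  <PolicyRef ExternalElementRef="PolicyID_HR_IdentityInjection"/>
</PolicyEnforcementList>
unrelated line ExternalElementRef="PolicyID_Outside_List"
"""

if __name__ == "__main__":
    # For a real check, read catalina.out (Linux) or stdout.log (Windows)
    # with open(path, errors="replace") and pass its text in instead.
    print(report(SAMPLE_LOG, "Payroll_Authorization"))
    print(report(SAMPLE_LOG, "Finance_Authorization"))
```

A "not referenced" result corresponds to step 3: the configuration has not been applied or the policy is not enabled for the protected resource.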