3.6 Conditions

This section describes the conditions available to an Authorization policy. Many conditions can be set up in either direction: the current value from the request is compared against a static value (A to B), or the static value is compared against the current value from the request (B to A). Within one policy, decide which direction to use and stay consistent unless there is a compelling reason to switch the direction for a particular condition.

For example, suppose you set up a rule to allow access to a resource only during the weekdays (Monday through Friday). You set up four of these conditions to compare if the date when the request is made matches with Monday, Tuesday, Wednesday, or Thursday. You set up the fifth condition to compare whether Friday matches the date when the request is made. This works, but maintaining this policy is more difficult because each new policy manager will look at the Friday condition and wonder why it is configured differently.

Many conditions, when used as the sole condition of a rule, do not make very useful rules. For example, you can create a rule that grants access if the user specifies a specific URL in the request. Such a rule has limited application. But a rule that requires that the request contain a specific URL and that the user have a specific role has greater application because it can be used to limit access to the URL based on the user’s role. For information about how conditions can be ANDed or ORed together or placed in different condition groups, see Section 3.1.4, Using Multiple Conditions.

Authorization policies use the conditions described in the following sections. Not every condition is available to every policy type.

3.6.1 Authentication Contract Condition

The Authentication Contract condition matches the contract the user logged in with against the contract specified in this condition. It is the condition to use when a resource must be reachable only by users who authenticated with a particular contract, for example a Secure contract rather than a plain one. The Identity Server has the following default contracts:

Name                          URI
Name/Password - Basic         basic/name/password/uri
Name/Password - Form          name/password/uri
Secure Name/Password - Basic  secure/basic/name/password/uri
Secure Name/Password - Form   secure/name/password/uri

To configure other contracts for your system, click Devices > Identity Servers > Edit > Local > Contracts.

To specify an Authentication Contract condition, fill in the following fields:

Authentication Contract: To compare the contract that the user used with a static value, select Current. To compare a static value with what the user used, select a contract from the list.

If you have created more than one Identity Server configuration, select the configuration that corresponds to the configuration your Access Gateway is configured to trust, then select the contract. The name of the contract is displayed. When you select this name, the configurations that contain a definition for this contract are highlighted.

If you select a contract that is defined on only one of your configurations, be aware that you must change this policy when you change configurations. If you select a contract that is defined in all your configurations, this policy requires no modifications and continues to function when you change configurations.

For example, the following policy has selected Name/Password - Basic as the contract:

Figure 3-11 An Authentication Contract Defined by Multiple Identity Server Configurations

Two Identity Server configurations have been defined (idp-43.amlab.net and idp-51.amlab.net). Both configurations are highlighted because Name/Password - Basic is a contract that is automatically defined for all Identity Server configurations. Because it is defined on both configurations, this policy’s function is the same, regardless of which configuration is selected as the trusted configuration.

Comparison: Specify how the contract is compared to the data in the Value field. Select either a string comparison or a regular expression:

  • Comparison: String: Specifies that you want the values compared as strings and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Authentication Contract value must begin with the letters specified in the Value field.

    • Ends with: Indicates that the Authentication Contract value must end with the letters specified in the Value field.

    • Contains Substring: Indicates that the Authentication Contract value must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. The modes correspond to the Pattern flags CANON_EQ, CASE_INSENSITIVE, COMMENTS, DOTALL, MULTILINE, UNICODE_CASE, and UNIX_LINES.

Value: Specify the value you want to compare with the Authentication Contract value. If you select a static value for the Authentication Contract value, select Authentication Contract and Current. If you select Current for the Authentication Contract value, select Authentication Contract, then select the name of a contract.

Other value types are possible if you selected Current for the Authentication Contract value. For example:

  • You can select Data Entry Field. The value specified in the text box must be the URI of the contract for the condition to match. For a list of these values, click Devices > Identity Servers > Edit > Local > Contracts.

  • If you have defined a Liberty User Profile attribute for the URI of authentication contracts, you can select Liberty User Profile and your defined attribute.

  • If you have defined an LDAP attribute for the URI of the authentication contracts, you can select LDAP Attribute and your defined attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True. Choose with the rule's action in mind: in a rule that grants access, True grants access on error (the condition fails open), while in a rule that denies access, True denies on error (the condition fails closed).

3.6.2 Client IP Condition

The Client IP condition allows you to use the IP address of the user making the request to determine whether the user is allowed access to a resource. The address compared is the source address of the connection as the Access Gateway sees it. If requests reach the Access Gateway through a load balancer or another proxy, that address can be the proxy's rather than the user's, so verify which address the policy actually sees before relying on this condition on its own.

Fill in the following fields:

Comparison: Specify how the client IP address is compared to the data in the Value field. Select either an IP comparison or a regular expression:

  • Comparison: IP: Specifies that you want the values compared as IP addresses. Select one of the following:

    • Equals: Allows you to specify an IP address that the client must match. You can specify more than one.

    • In Range: Allows you to specify a range of IP addresses that the client’s address must fall within. You can specify more than one range.

    • In Subnet: Allows you to specify the subnet that the client’s address must belong to. You can specify more than one subnet.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. If you select this option, you must also specify a mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Select Data Entry Field and specify a value appropriate for your comparison type. Use the Edit button to access a text box where you can enter multiple values, each on a separate line. (For more information, see Section 3.6.23, Edit Button.) Use the Add button to add values one at a time. For example:

Comparison Type   Value
Equals            10.10.10.10
                  10.10.10.11
In Range          10.10.10.10 - 10.10.10.100
                  10.10.20.10 - 10.10.20.100
In Subnet         10.10.10.12 / 22
                  10.10.20.30 / 22

For In Subnet, the value is an address followed by a prefix length. The host bits of the address are ignored, so 10.10.10.12 / 22 denotes the block 10.10.8.0 through 10.10.11.255, which is wider than the first three octets of the address suggest. Check the prefix length carefully before using it in a rule that grants access.

Other value types are possible. For example, if your user store contains an LDAP attribute with the IP address of your users, you can compare the client's current IP address with the stored value by selecting an LDAP attribute or a Liberty User Profile value.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
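The following is an added example, not Access Manager code and not part of the original documentation. It evaluates the three IP operators of the Client IP condition (Equals, In Range, In Subnet) over a Value box written exactly as in the table above, and it shows what the address / prefix notation actually denotes. The value syntax comes from the documentation; how the product treats a malformed entry is an assumption, modelled here through the result_on_error parameter.

```python
"""Client IP condition: Equals, In Range and In Subnet evaluation.

Added example, not Access Manager code. It reads the Value box the way
the documentation's table shows it (one entry per line) and evaluates
the three IP operators with Python's ipaddress module. Handling of
malformed entries (result_on_error) is an assumption, not product
behaviour.
"""
import ipaddress


def parse_values(value_text):
    """One entry per line of the Value box; blank lines are ignored."""
    return [line.strip() for line in value_text.splitlines() if line.strip()]


def parse_range(entry):
    """'10.10.10.10 - 10.10.10.100' -> (low address, high address)."""
    low, high = (part.strip() for part in entry.split("-", 1))
    low, high = ipaddress.ip_address(low), ipaddress.ip_address(high)
    if low.version != high.version or low > high:
        raise ValueError(f"invalid range {entry!r}")
    return low, high


def parse_subnet(entry):
    """'10.10.10.12 / 22' -> IPv4Network('10.10.8.0/22').

    strict=False discards the host bits, which is what a prefix length
    means: the entry names the whole /22 block, not just 10.10.10.x.
    """
    address, prefix = (part.strip() for part in entry.split("/", 1))
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def client_ip_matches(operator, client_ip, value_text):
    """True when client_ip satisfies any entry under the given operator."""
    client = ipaddress.ip_address(client_ip)
    for entry in parse_values(value_text):
        if operator == "Equals":
            if client == ipaddress.ip_address(entry):
                return True
        elif operator == "In Range":
            low, high = parse_range(entry)
            if low.version == client.version and low <= client <= high:
                return True
        elif operator == "In Subnet":
            network = parse_subnet(entry)
            if client.version == network.version and client in network:
                return True
        else:
            raise ValueError(f"unknown operator {operator!r}")
    return False


def evaluate_client_ip(operator, client_ip, value_text, result_on_error=False):
    """Condition result, honouring 'Result on Condition Error'.

    A malformed client address or Value entry is a condition error; the
    condition then returns result_on_error instead of a comparison result.
    """
    try:
        return client_ip_matches(operator, client_ip, value_text)
    except (ValueError, TypeError):
        return result_on_error


if __name__ == "__main__":
    subnet_values = "10.10.10.12 / 22\n10.10.20.30 / 22"
    print(parse_subnet("10.10.10.12 / 22"))                              # 10.10.8.0/22
    print(evaluate_client_ip("In Subnet", "10.10.9.1", subnet_values))   # True
    print(evaluate_client_ip("In Subnet", "10.10.12.1", subnet_values))  # False
```

Note that 10.10.9.1 is accepted by the 10.10.10.12 / 22 entry even though it shares only two octets with the address typed into the policy; that is the prefix-length semantics at work, not a bug in the matcher.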

3.6.3 Credential Profile Condition

The Credential Profile condition allows you to control access based on the credentials the user entered when authenticating to the system.

To set up the matching for this condition, fill in the following fields:

Credential Profile: Specify the type of credential your users are using for authentication. If you have created a custom contract that uses credentials other than the ones listed below, do not use the Credential Profile as a condition.

To configure the Credential Profile condition, select one of the following:

  • LDAP Credentials: If you prompt the user for a username, select this option, then select LDAP User Name (the cn of the user), LDAP User DN (the fully distinguished name of the user), or LDAP Password.

    The default contracts assign the cn attribute to the Credential Profile. If your user store is an Active Directory server, the sAMAccountName attribute is used for the username and stored in the cn field of the LDAP Credential Profile.

  • X509 Credentials: If you prompt the user for a certificate, select this option, then select one of the following:

    • X509 Public Certificate Subject: Retrieves the subject field from the certificate, which can match the DN of the user, depending upon who issued the certificate.

    • X509 Public Certificate Issuer: Retrieves the issuer field from the certificate, which is the name of the certificate authority (CA) that issued the certificate.

    • X509 Public Certificate: Retrieves the entire certificate, Base64 encoded.

    • X509 Serial Number: Retrieves the serial number of the certificate.

  • SAML Credential: If your users authenticate using a SAML assertion, select this option.

Comparison: Select one of the following types:

  • Comparison: String: Specifies that you want the values compared as strings and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Credential Profile value must begin with the letters specified in the Value field.

    • Ends with: Indicates that the Credential Profile value must end with the letters specified in the Value field.

    • Contains Substring: Indicates that the Credential Profile value must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison. Select one of the following data types:

  • LDAP Attribute: If you have an LDAP attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.

  • Liberty User Profile: If you have a Liberty User Profile attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.

  • Data Entry Field: Specify the string you want matched. Be aware of the following requirements:

    • If you selected LDAP User DN as the credential, you need to specify the DN of the user in the Value text box. If the comparison type is set to Contains Substring, you can match a group of users by specifying a common object that is part of their DNs, for example ou=sales. Be aware that a substring also matches longer names with the same prefix: ou=sales also matches ou=salesforce. Where such over-matching would grant access, use Equals on the full DN, or a Regular Expression anchored at the component boundaries.

    • If you selected X509 Public Certificate Subject as the credential, you need to specify all elements of the Subject Name of the certificate in the Value text box. Separate the elements with a comma and a space, for example, o=novell, ou=sales. If the comparison type is set to Contains Substring, you can match a group of certificates by specifying a name that is part of their Subject Name, for example ou=sales. The same over-matching caveat applies: check that no other unit's name begins with the string you specify.

Other values are possible. Your policy requirements determine whether they are useful.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
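The String and Regular Expression comparisons described for the Authentication Contract condition (Section 3.6.1) and the Credential Profile condition above are the same operators the HTTP Request Method condition uses, so one added example covers them. This is example code, not Access Manager code and not part of the original documentation. It assumes that the Regular Expression comparison finds the pattern anywhere in the value unless the pattern is anchored (the documentation's date examples show an unanchored 8 matching inside the year, month and day) and that the String operators are plain character-sequence tests. The Mode names are mapped to the nearest re flags; Canonical Equivalence and Unix Lines have no re equivalent and are ignored. The certificate subjects are constructed, not real certificates.

```python
"""String and Regular Expression comparisons for the Authentication
Contract, Credential Profile and HTTP Request Method conditions.

Added example, not Access Manager code. Assumption: the Regular
Expression comparison is an unanchored search over the value, and the
String operators are plain character-sequence tests.
"""
import re

STRING_OPERATORS = {
    "Equals": lambda actual, value: actual == value,
    "Starts with": lambda actual, value: actual.startswith(value),
    "Ends with": lambda actual, value: actual.endswith(value),
    "Contains Substring": lambda actual, value: value in actual,
}

# Policy UI mode -> re flag (java.util.regex.Pattern flag in the comment).
REGEX_MODES = {
    "Case Insensitive": re.IGNORECASE,   # CASE_INSENSITIVE
    "Comments": re.VERBOSE,              # COMMENTS
    "Dot All": re.DOTALL,                # DOTALL
    "Multi-Line": re.MULTILINE,          # MULTILINE
    "Unicode": re.UNICODE,               # UNICODE_CASE (already the default for str)
    "Canonical Equivalence": 0,          # CANON_EQ: no re equivalent
    "Unix Lines": 0,                     # UNIX_LINES: no re equivalent
}


def compare_string(operator, actual, value, case_sensitive=True):
    """Comparison: String with the given operator and Mode."""
    if not case_sensitive:
        actual, value = actual.casefold(), value.casefold()
    return STRING_OPERATORS[operator](actual, value)


def compare_regex(pattern, actual, modes=(), result_on_error=False):
    """Comparison: Regular Expression: Matches.

    An invalid pattern is a condition error and yields result_on_error,
    mirroring the 'Result on Condition Error' setting.
    """
    flags = 0
    for mode in modes:
        flags |= REGEX_MODES[mode]
    try:
        return re.search(pattern, actual, flags) is not None
    except re.error:
        return result_on_error


# Constructed certificate subjects in the 'element, element' form the
# Credential Profile condition uses; they are not real certificates.
SUBJECTS = [
    "cn=alice, ou=sales, o=novell",
    "cn=bob, ou=salesforce, o=novell",   # a different unit
    "cn=carol, ou=presales, o=novell",   # also a different unit
]


def subjects_matching_substring(value="ou=sales"):
    """Contains Substring: also matches any unit whose name starts with 'sales'."""
    return [s for s in SUBJECTS if compare_string("Contains Substring", s, value)]


def subjects_matching_anchored(pattern=r"(^|, )ou=sales(,|$)"):
    """Regular expression anchored at the element boundaries: the exact unit only."""
    return [s for s in SUBJECTS if compare_regex(pattern, s, ("Case Insensitive",))]


if __name__ == "__main__":
    print(subjects_matching_substring())   # alice and bob
    print(subjects_matching_anchored())    # alice only
```

The two subject lists are the point: Contains Substring with ou=sales admits bob in ou=salesforce, while the anchored pattern admits only the unit you named. The same functions make the request-method case visible: Starts with P is true for POST and PUT alike, which is why Equals is the operator to use there.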

3.6.4 Current Date Condition

The Current Date condition allows you to use the date to determine whether the user is allowed access to a resource.

Fill in the following fields:

Comparison: Specify how the current date is compared to the data in the Value field. Select one of the following types:

  • Comparison: Date: Specifies that you want the values compared as dates. Select one of the following date operators:

    • Equals: Requires that the current date must equal the specified value.

    • Greater Than: Requires that the current date be after the specified value.

    • Greater Than or Equal to: Requires that the current date be after or equal to the specified value.

    • Less Than: Requires that the current date be before the specified value.

    • Less Than or Equal to: Requires that the current date be before or equal to the specified value.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. Be aware that the pattern is searched for anywhere in the server's complete date string, so an unanchored pattern matches more than you intend: the value 8 can produce a match for the year (2008), the month (8), and the day (8, 18, 28). Anchor the pattern, or use the Date comparison instead.

    If you select this option, you must also specify a mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Date Format: If you selected a date comparison, specify the format of the Value field. Select one of the following formats:

  • D/M/Y = 1/Jul/2009 or 1/7/2009

  • D-M-Y = 1-Jul-2009 or 1-7-2009

  • D.M.Y = 1.Jul.2009 or 1.7.2009

  • M/D/Y = Jul/1/2009 or 7/1/2009

  • M-D-Y = Jul-1-2009 or 7-1-2009

  • M.D.Y = Jul.1.2009 or 7.1.2009

  • YYYY-MM-DD = 2009-07-01

  • YYYY.MM.DD = 2009.07.01

D specifies a number from 1 to 31. M specifies a number from 1 to 12 or the name of the month in three letters (Sep) or complete (September). Y specifies the year in a four-digit format.

Value: Specify the second value for the comparison. If you select Data Entry Field as the value type, specify the date in the format you select in the Date Format field.

Other value types are possible. Your policy requirements determine whether they are useful. If you have set up a Liberty User Profile or an LDAP attribute that corresponds to the date, you can use this option and select your attribute. The Date Format field does not apply to these value types.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.5 Day of Week Condition

The Current Day of Week condition allows you to restrict access based on which day of the week the request is made. Fill in the following fields:

Current Day of Week: To compare the day of the current request with a static value, select Current. To compare a static value with the day of the current request, select the name of a day from the list.

Comparison: Specify how the current day of the week is compared to the data in the Value field. Select one of the following types:

  • Comparison: Day of Week: Specifies that you want the values compared as a day of the week. Select one of the following operators:

    • Equals: Allows you to specify a day that the client must match.

    • In Range: Allows you to specify a range of days that the client’s request must fall within, for example, Monday to Friday.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. Be aware that regular expression matching uses the entire date of the server in its matching. Therefore if the value you are matching is M, the M can produce a match for months (March and May) and for time zones (such as MST).

    If you select this option, you must also specify a mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison. If you select Current for the Current Day of Week field, you need to specify a static value. If you select a static value for the Current Day of the Week field, you need to select Current for the Value field. If you select Data Entry Field as the value type, days of the week are specified in the following format:

Sun or Sunday
Mon or Monday
Tue or Tuesday
Wed or Wednesday
Thu or Thursday
Fri or Friday
Sat or Saturday

If you selected In Range as the comparison type, specify the first day of the range in the left text box and the end day of the range in the right text box.

Other value types are possible. Your policy requirements determine whether they are useful. If you have set up a Liberty User Profile or an LDAP attribute that corresponds to a day of the week, you can use this option and select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.6 Current Day of Month Condition

The Current Day of Month condition allows you to restrict access based on the day of the month the request is made. Fill in the following fields:

Comparison: Specify how the current day of the month is compared to the data in the Value field. Select one of the following types:

  • Comparison: Day of Month: Specifies that you want the values compared as a day of the month. Select one of the following operators:

    • Equals: Allows you to specify a day that the client must match.

    • In Range: Allows you to specify a range of days that the client’s request must fall within.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. Regular expression matching uses the entire date of the server in its matching. Therefore if the value you are matching is 8, the 8 can produce a match for the year (2008), the month (8), and the day (8, 18, 28). If you want to match only on a day of the month (1-31), you need to use the Day of Month comparison rather than a Regular Expression comparison.

    If you select this option, you must also specify a mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison:

  • If you select Equals for the comparison type, you would normally select Data Entry Field for the Value field and specify a number from 1 to 31 in the text box.

  • If you select In Range for the comparison type, you would normally select Data Entry Field for the Value field and specify the first value of the range in the first text box and the second value of the range in the second text box. If you specify 1 in the first box and 15 in the second box, you can use this condition to restrict access between the first day of the month and the 15th day.

Other value types are possible. Your policy requirements determine whether they are useful. If you have set up a Liberty User Profile or an LDAP attribute that corresponds to a day of the month, you can use this option and select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.7 Current Time of Day Condition

The Current Time of Day condition allows you to restrict access based on the time the request is made. Fill in the following fields:

Comparison: Specify how the current time of day is compared to the data in the Value field. Select one of the following types:

  • Comparison: Time: Specifies that you want the values compared as time. Select one of the following:

    • Greater Than: Requires that the current time is greater than the specified value.

    • Greater Than or Equal to: Requires that the current time is greater than or equal to the specified value.

    • Less Than: Requires that the current time is less than the specified value.

    • Less Than or Equal to: Requires that the current time is less than or equal to the specified value.

    • In Range: Requires that the current time must fall within the specified range, such as 08:00 and 17:00.

    If you specify this type of comparison, you must also specify a time zone. Select either Local or GMT (Greenwich Mean Time). Local is the time zone of the server that evaluates the policy, not the time zone of the user's browser; if your users are spread across time zones, GMT gives a single unambiguous reference.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. Regular expression matching uses the entire date and time of the server in its matching. Therefore if the value you are matching is 8, the 8 can produce a match for the year (2008), the month (8), the day (8, 18, 28), the hour (8), the minute (8, 18, 28, 38, 48) and the second (8, 18, 28, 38, 48).

    If you select this option, you must also specify a mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison. If you select Data Entry Field as the value type, hours and minutes are specified in the following format:

hour:minute

Hour is a number from 00 to 23, and minute is a number from 00 to 59.

Time can only be specified in a 24-hour clock format. For example, 8 am is 08:00 and 5:30 pm is 17:30.

Other value types are possible. Your policy requirements determine whether they are useful. If you have set up a Liberty User Profile or an LDAP attribute that corresponds to the time of day, you can use this option and select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
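The four time-based conditions (Current Date, Day of Week, Current Day of Month and Current Time of Day, Sections 3.6.4 through 3.6.7) share the same value formats and the same regular-expression pitfall, so one added example covers them. This is example code, not Access Manager code and not part of the original documentation. It parses the eight Date Format choices, the Sun..Saturday day names and the 24-hour hour:minute form, evaluates the Date, Day of Week and Time operators, and counts how many places an unanchored pattern hits in the server's date string. Assumptions: a Day of Week or Time range whose end precedes its start is treated as wrapping around (the documentation does not say how the product treats such a range, so test before relying on it), and SERVER_DATE is a constructed stand-in for the server's full date string, shaped like Java's Date.toString() output.

```python
"""Current Date, Day of Week and Time of Day condition values and operators.

Added example, not Access Manager code. Wrap-around ranges and the shape
of SERVER_DATE are assumptions, not documented product behaviour.
"""
import datetime
import operator
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

# Date Format choice -> (separator, field order)
DATE_FORMATS = {
    "D/M/Y": ("/", "DMY"), "D-M-Y": ("-", "DMY"), "D.M.Y": (".", "DMY"),
    "M/D/Y": ("/", "MDY"), "M-D-Y": ("-", "MDY"), "M.D.Y": (".", "MDY"),
    "YYYY-MM-DD": ("-", "YMD"), "YYYY.MM.DD": (".", "YMD"),
}
DATE_OPERATORS = {
    "Equals": operator.eq,
    "Greater Than": operator.gt,
    "Greater Than or Equal to": operator.ge,
    "Less Than": operator.lt,
    "Less Than or Equal to": operator.le,
}


def _month(token):
    """1-12, or a three-letter (Sep) or full (September) month name."""
    if token.isdigit():
        number = int(token)
    else:
        hits = [i + 1 for i, name in enumerate(MONTHS)
                if name == token.lower() or name[:3] == token.lower()]
        if len(hits) != 1:
            raise ValueError(f"unknown month {token!r}")
        number = hits[0]
    if not 1 <= number <= 12:
        raise ValueError(f"month out of range: {token!r}")
    return number


def parse_policy_date(text, date_format):
    """Parse a Data Entry Field date written in the selected Date Format."""
    separator, order = DATE_FORMATS[date_format]
    parts = text.strip().split(separator)
    if len(parts) != 3:
        raise ValueError(f"{text!r} is not in {date_format} form")
    field = dict(zip(order, parts))
    if len(field["Y"]) != 4:
        raise ValueError("year must have four digits")
    return datetime.date(int(field["Y"]), _month(field["M"]), int(field["D"]))


def compare_date(op, current, value_text, date_format):
    """Comparison: Date with one of the five date operators."""
    return DATE_OPERATORS[op](current, parse_policy_date(value_text, date_format))


def day_name(date):
    """Python counts Monday as 0; the condition lists days Sun..Sat."""
    return DAYS[(date.weekday() + 1) % 7]


def _day_index(name):
    return DAYS.index(name.strip()[:3].title())   # ValueError for a bad name


def day_in_range(current_day, first_day, last_day):
    """Day of Week 'In Range', e.g. Monday to Friday."""
    current, low, high = (_day_index(d) for d in (current_day, first_day, last_day))
    if low <= high:
        return low <= current <= high
    return current >= low or current <= high   # wraps past Saturday (assumption)


def parse_policy_time(text):
    """hour:minute on a 24-hour clock, 00:00 to 23:59."""
    hour, minute = (int(p) for p in text.strip().split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"time out of range: {text!r}")
    return datetime.time(hour, minute)


def time_in_range(now_text, start_text, end_text):
    """Time of Day 'In Range', e.g. 08:00 to 17:00, all given as hour:minute."""
    now, low, high = (parse_policy_time(t) for t in (now_text, start_text, end_text))
    if low <= high:
        return low <= now <= high
    return now >= low or now <= high           # wraps past midnight (assumption)


# Constructed stand-in for the server's date string (shape of Java's Date.toString()).
SERVER_DATE = "Mon May 18 08:30:00 MST 2009"


def regex_hit_count(pattern, text=SERVER_DATE):
    """How many places an unanchored pattern matches in the full date string."""
    return len(re.findall(pattern, text))
```

Against the constructed server string, the pattern M hits three times (Mon, May, MST) and 8 hits twice (the day 18 and the hour 08), which is exactly the over-matching the sections above warn about; ^Mon\b hits once. For production policies, prefer the typed Date, Day of Week, Day of Month and Time comparisons and reserve regular expressions for patterns you have anchored and tested.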

3.6.8 HTTP Request Method Condition

The HTTP Request Method condition allows you to restrict access based on the request method in the current request.

HTTP Request Method: Select the request method from the list or select Current to specify the method in the current request.

Comparison: Specify how the HTTP Request Method is compared to the data in the Value field. Select one of the following types:

  • Comparison: String: Specifies that you want the values compared as strings and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the HTTP Request Method value must begin with the letters specified in the Value field.

    • Ends with: Indicates that the HTTP Request Method value must end with the letters specified in the Value field.

    • Contains Substring: Indicates that the HTTP Request Method value must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value you want compared to the HTTP Request Method value. If you selected a method from the list for the HTTP Request Method value, select HTTP Request Method > Current. If you selected Current for the HTTP Request Method value, select a request method from the list. For request methods, Equals is almost always the right string operator: Starts with P, for example, matches POST and PUT alike.

Other value types are possible. Your policy requirements determine whether they are useful. If you have set up a Liberty User Profile or an LDAP attribute that corresponds to an HTTP Request Method, you can use this option and select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.9 LDAP Attribute Condition

The LDAP Attribute condition allows you to restrict access based on a value in an LDAP attribute defined for the inetOrgPerson class or any other LDAP attribute you have added. You can have the user’s attribute value retrieved from your LDAP directory and compared to a value of the following type:

  • Roles from an identity provider

  • Date and time and its various elements

  • URL and its various elements

  • IP address

  • Authentication contract

  • Credential profile

  • HTTP request method

  • Liberty User Profile attribute

  • Static value in a data entry field

This condition is one of the slower conditions to process because the value needs to be retrieved from the LDAP server. If the value is not time sensitive, you can have the attribute value sent in the assertion when the user authenticates. Its value is then cached and available without a directory query. For configuration information, click Devices > Identity Servers > Servers > Edit > Liberty [or SAML 1.0 or SAML 2.0] > [Provider] > Attributes.

To set up the matching for this condition, fill in the following fields:

LDAP Attribute: Specify the LDAP attribute you want to use in the comparison. Select from the listed LDAP attributes. To add an attribute that isn’t in the list, scroll to the bottom of the list, click New LDAP Attribute, then specify the name of the attribute.

Refresh Data Every: Sends a query to the LDAP server to verify the current value of the attribute according to the specified interval. Because querying the LDAP server slows down the processing of a policy, LDAP attribute values are normally cached after the value has been obtained. The default cache interval is for the user session. You should change the value of this option from Session to a more frequent interval only on those attributes that are critical to the security of your system or to the design of your work flow.

You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes. For more information on this option, see Section 3.1.10, Using the Refresh Data Option.

Comparison: Specify how you want the values compared. All data types are available. Select one that matches the value type of your attribute.

Mode: Select the mode, if available, that matches the comparison type. For example, if you select to compare the values as strings, you can select either a Case Sensitive mode or a Case Insensitive mode.

Value: Specify the second value for the comparison. All data types are available. For example, you can select to compare the value of one LDAP attribute to the value of another LDAP attribute. Only you can determine if such a comparison is meaningful.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.10 LDAP OU Condition

The LDAP OU condition allows you to compare the DN of an OU against the DN that was used when the user authenticated. If the user's object lives in that OU (or, with the Subtree mode, anywhere beneath it), the condition matches.

LDAP OU: Select [Current].

Comparison: Specify how you want the values compared. Select one of the following:

  • Contains: Specifies that you want the condition to determine whether the user is contained by a specified organizational unit.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type.

  • Contains: Select whether the user must be contained in the specified OU (One Level) or whether the user can be contained in the specified OU or a child container (Subtree).

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison. If you select LDAP OU > Name of Identity Server Configuration > User Store Name, you can browse to the name of the OU.

If you have more than 250 OUs defined in your tree, you are prompted to enter an LDAP query string. In the text box, you need to add only the <strFilter> value for the query. For example:

<strFilter> Value   Description
admin*              Returns all OUs that begin with admin, such as adminPR, adminBG, and adminWTH.
*test               Returns all OUs that end with test, such as doctest, softtest, and securtest.
*low*               Returns all OUs that have “low” in the name, such as low, yellow, and clowns.

For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter” (since obsoleted by RFC 4515).

If you select Data Entry Field, you can enter the DN of the OU in the text field. For example:

cn=users,dc=bcf2,dc=provo,dc=novell,dc=com
ou=users,o=novell

If you have defined a Liberty User Profile or an LDAP attribute for the OU you want to match, select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
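The One Level and Subtree modes of the Contains comparison, worked through in Python as an added example (not Access Manager's own matching code): it assumes RFC 4514 string DNs with backslash-escaped commas and compares attribute types and values case-insensitively, and the result_on_error parameter stands in for the Result on Condition Error field.

```python
import re
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN string into its RDNs, leaving backslash-escaped commas intact.

    Assumption: DNs are in RFC 4514 string form, e.g. cn=jdoe,ou=users,o=novell.
    """
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip() for p in parts if p.strip()]


def normalize_rdn(rdn: str) -> Tuple[str, str]:
    """Lower-case an RDN's attribute type and value; reject text that is not an RDN."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"not an RDN: {rdn!r}")
    return attr.strip().lower(), value.strip().lower()


def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    rdns = [normalize_rdn(r) for r in split_dn(dn)]
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def ou_contains(user_dn: str, ou_dn: str, mode: str,
                result_on_error: bool = False) -> bool:
    """Evaluate 'LDAP OU [Current] Contains <ou_dn>' for the given Mode.

    One Level: the user's entry must sit directly under the OU.
    Subtree:   the user's entry may sit anywhere beneath the OU.
    Malformed DNs or an unknown mode yield result_on_error, mirroring the
    Result on Condition Error setting (False by default).
    """
    try:
        if mode not in ("One Level", "Subtree"):
            raise ValueError(f"unknown mode: {mode!r}")
        user = normalize_dn(user_dn)
        ou = normalize_dn(ou_dn)
    except ValueError:
        return result_on_error
    # A container's DN is the tail of every DN beneath it; an OU never
    # contains itself, so the user DN must be strictly longer.
    if len(user) <= len(ou) or user[-len(ou):] != ou:
        return False
    depth = len(user) - len(ou)  # RDNs between the user's entry and the OU
    return depth == 1 if mode == "One Level" else True


if __name__ == "__main__":
    # Constructed sample DNs in the shape the page shows (ou=users,o=novell).
    for dn in ("cn=jdoe,ou=users,o=novell",
               "cn=jdoe,ou=contractors,ou=users,o=novell",
               "cn=jdoe,ou=staff,o=novell"):
        for mode in ("One Level", "Subtree"):
            print(f"{dn:45} {mode:10} {ou_contains(dn, 'ou=users,o=novell', mode)}")
```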

3.6.11 Liberty User Profile Condition

The Liberty User Profile condition allows you to restrict access based on a value in a Liberty User Profile attribute. The Liberty attributes must be enabled before you can use them in policies (click Devices > Identity Servers > Edit > Liberty > Web Server Provider, then enable one or more of the following: Employee Profile, Personal Profile).

These attributes can be mapped to LDAP attributes (click Devices > Identity Servers > Edit > Liberty > LDAP Attribute Mapping). When mapped, the actual value comes from your user store. If you are using multiple user stores with different LDAP schemas, mapping similar attributes to the same Liberty User Profile attribute allows you to create one policy with the Liberty User Profile attribute rather than multiple policies for each LDAP attribute.

The selected attribute is compared to a value of the following type:

  • Roles from an identity provider

  • Date and time and its various elements

  • URL and its various elements

  • IP address

  • Authentication contract

  • Credential profile

  • HTTP request method

  • LDAP attribute

  • Static value in a data entry field

To set up the matching for this condition, fill in the following fields:

Liberty User Profile: Select the Liberty User Profile attribute. These attributes are organized into two main groups: Corporate Employment Identity and Entire Personal Identity. By default, the Common Last Name attribute for Liberty User Profile is mapped to the sn attribute for LDAP. To select this attribute for comparison, click Entire Personal Identity > Entire Common Name > Common Analyzed Name > Common Last Name.

Comparison: Select the comparison type that matches the data type of the selected attribute and the value.

Mode: Select the mode, if available, that matches the data type. For example, if you select to compare the values as strings, you can select either a Case Sensitive mode or a Case Insensitive mode.

Value: Select one of the values that is available from the current request or select Data Entry Field to enter a static value. The static value that you can enter is dependent upon the comparison type you selected.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.12 Roles Condition

If you have configured some Access Manager role policies (see Section 2.2, Creating Roles), you can use these roles as conditions to control access. Roles are not assigned to users until the users authenticate. All authenticated users are assigned the authenticated role. If you use a comparison type of starts with, ends with, or contains substring, carefully evaluate the potential results. For example, if you specify ed as the value for an ends with comparison, the condition matches roles such as contracted and assigned that you created, but it also matches the authenticated role.

Fill in the following fields:

Roles: Select the role. To compare the roles the user is currently assigned with a specific role, select [Current].

Comparison: Select one of the following types:

  • Comparison: String: Specifies that you want the values compared as strings, and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Roles value must begin with the letters specified in the Value field.

    • Ends with: Indicates that the Roles value must end with the letters specified in the Value field.

    • Contains Substring: Indicates that the Roles value must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: If you have created Identity Server roles policies, select Roles, then select the role you want the user to have to match this condition. The authenticated role is assigned to all users when they authenticate. If you have defined a Liberty User Profile or an LDAP attribute for a role, you can select this option, then select your attribute.

You can use the Data Entry Field option to enter the name of the role you want to test for. If you have activated roles from an external source, use this option to specify the name of the role.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.13 URL Condition

The URL condition allows you to restrict access based on the URL specified in the request. If you have users requesting a resource with a URL you don’t want them to use, you can use this condition in an Access Gateway Authorization policy to deny them access to this URL, and use the Actions section to redirect the request to the URL you want them to use. In a J2EE Agent policy, you can only deny or allow; you cannot redirect.

To set up matching for this condition, fill in the following fields:

Comparison: Specify how the URL is compared to the data in the Value field. Select one of the following types:

  • Comparison: URL: Equals: Specifies that you want the values compared as URLs.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: URL: Equals: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: To enter a static value to compare to the URL in the current request, select Data Entry Field and specify the URL. This should be the complete URL, starting with the URL scheme (http:// or https://) and including the domain name, but not the port. If the URL contains a path, you must include it. If you do not specify a scheme, HTTP is used.

If you selected Regular Expression: Matches, regular expression rules apply.

If you selected URL: Equals for your comparison type, the wildcard characters (?) or (*) can be specified as the last element of the URL path to aid in matching basic URL patterns. These wildcard characters are interpreted as follows:

  • ? matches all files at the specified directory level

  • * matches all files and directories at and beyond the specified directory level

For example, if the request URL is http://www.resourcehost.com/path/resource.gif, the following entered URLs would match the request URL:

http://www.resourcehost.com/path/resource.gif
http://www.resourcehost.com/path/?
http://www.resourcehost.com/path/*
http://www.resourcehost.com/*

If you selected URL: Equals for the comparison type, you can add multiple values:

  • Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Edit Button.

  • Use the Add button to add values one at a time.

  • Use the URL Dredge button to display a list of links to use as values. For more information about this option, see Using the URL Dredge Option.

All entered URLs are compared to the request URL until a match is found or the list is exhausted.

If you have defined a Liberty User Profile or an LDAP attribute for a URL, you can select these options for the value type, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.14 URL Scheme Condition

The URL Scheme condition allows you to restrict access based on the scheme specified in the URL of the request. For example in an Access Gateway Authorization policy, if the request contains HTTP as the scheme in the URL and you require users to use HTTPS, you can use this condition to deny access and redirect them to another URL. In a J2EE Agent policy, you can only deny or allow; you cannot redirect.

This condition allows you to compare A to B or B to A. You need to decide whether you want to compare a static value to the current value in the HTTP request, or whether you want to compare the current value in the HTTP request to a specified value. The comparison type you use depends upon the value you want to specify. If you want more flexibility in specifying the value, you should select to compare the current value in the HTTP request with a specified value.

To set up matching for this condition, fill in the following fields:

URL Scheme: Specify the scheme you want compared. You can select Current for the current value in the HTTP request, or specify a static value of http or https.

Comparison: Select one of the following types:

  • Comparison: URL Scheme: Specifies that you want the values compared as scheme strings and how you want the values compared. Select one of the following:

    • Equals: Indicates that the URL scheme must contain the same letters, in the same order as specified in the value.

    • Starts with: Indicates that the URL scheme must begin with the letters specified in the value.

    • Ends with: Indicates that the URL scheme must end with the letters specified in the value.

    • Contains Substring: Indicates that the URL scheme must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value you want to compare with the URL Scheme value. If you select a static value for the URL Scheme value, select URL Scheme and Current. If you select Current for the URL Scheme value, select one of the following value types:

  • Data Entry Field: Allows you to specify the scheme value you want to use in the comparison. The scheme cannot be specified with a trailing colon (:) character and must be specified in lowercase (http or https). Use the Edit button to access a text box where you can enter multiple values, each on a separate line. (For more information, see Section 3.6.23, Edit Button.) Use the Add button to add values one at a time.

    All entered URL schemes are compared to the requested URL scheme until a match is found or the list is exhausted.

  • LDAP Attribute: If you have defined an LDAP attribute containing a URL or URL scheme, you can select this option, then select your attribute.

  • Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or URL scheme, you can select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.15 URL Host Condition

The URL Host condition allows you to restrict access based on the hostname specified in the URL of the request. For example, you can use this condition to create rules that allow access if the URL contains one hostname, but deny access if the URL contains another hostname. The URL Host condition compares the hostname in the URL of the current request to the URL hostname specified in the Value field.

To set up matching for this condition, fill in the following fields:

Comparison: Specify how the URL Host is compared to the data in the Value field. Select one of the following types:

  • Comparison: URL Host: Equals: Specifies that you want the values compared as hostnames.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. If you select this option, you must also specify a Mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Select one of the following value types, then specify a value:

  • Data Entry Field: To specify a static value to compare to the URL host in the current request, select this value type and specify the DNS name of the host.

    For example, if the request URL is http://www.resourcehost.com/path/resource.gif, the following hostname matches the resource URL:

    www.resourcehost.com

    If you selected URL Host: Equals for the comparison type, you can add multiple values:

    • Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Section 3.6.23, Edit Button.

    • Use the Add button to add values one at a time.

    All listed hostnames are compared to the requested URL until a match is found or the list is exhausted.

  • LDAP Attribute: If you have defined an LDAP attribute containing a URL or URL host, you can select this option, then select your attribute.

  • Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or URL host, you can select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.16 URL Path Condition

The URL Path condition allows you to restrict access based on the path specified in the URL of the request. This condition compares the path of the URL in the current request to the path specified in the Value field.

To set up matching for this condition, fill in the following fields:

Comparison: Select one of the following types:

  • Comparison: URL Path: Specifies that you want the values compared as paths and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the URL path must contain the same letters, in the same order as specified in the value.

    • Starts with: Indicates that the URL path must begin with the letters specified in the value.

    • Ends with: Indicates that the URL path must end with the letters specified in the value.

    • Contains Substring: Indicates that the URL path must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: URL Path: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value type and value for the comparison. Select one of the following:

  • Data Entry Field: To enter a static value to compare to the URL path in the current request, select this value type and specify the path. Start the path with a forward slash.

    IMPORTANT: If you need to add a space in the path, you need to enter the following encoded value for the space:

    %20

    If you have selected Regular Expression: Matches for your comparison type, regular expression rules apply. If you have selected URL Path for your comparison type, the path can end with a filename or a wildcard. An asterisk (*) matches all files and directories at and beyond the specified directory level. A question mark (?) matches all files at the specified directory level. For example:

    Path                 Match Description
    /path1/path2/        Requires an exact match of the URL path. It matches if the URL does not contain anything after path2.
    /path1/file.ext      Requires an exact match of the URL path, including the extension on the filename.
    /path1/path2/?       Matches everything that immediately follows path2. It does not match anything if the path contains another directory, such as /path1/path2/path3/file3.ext.
    /path1/path2/*       Matches everything that follows path2, including a filename or another directory, such as /path1/path2/path3/file3.ext.

    If you selected URL Path for the comparison type, you can add multiple values:

    • Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Section 3.6.23, Edit Button.

    • Use the Add button to add values one at a time.

    All entered URL paths are compared to the request URL path until a match is found or the list is exhausted.

  • LDAP Attribute: If you have defined an LDAP attribute containing a URL or URL path, you can select this option, then select your attribute.

  • Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or URL path, you can select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
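The trailing ? and * wildcards of the URL condition (Section 3.6.13) and the URL Path condition above share one matching rule, so this added Python example (not Access Manager's own code) implements it once: path_matches covers URL Path values, url_matches adds the scheme default and port handling the URL condition describes, and any_value_matches walks a multi-value list. It assumes the query string is not part of the comparison and that a request for the directory itself satisfies both wildcards; neither case is stated on the page.

```python
from typing import Callable, Iterable
from urllib.parse import urlsplit


def path_matches(value: str, request_path: str, case_sensitive: bool = True) -> bool:
    """Compare a request path with a URL Path value, honouring the trailing wildcards.

    '?' as the last element matches files at that directory level only (the
    remainder may contain no further '/'); '*' matches files and directories at
    and beyond that level; without a wildcard the paths must match exactly.
    Paths are compared in percent-encoded form, so a space is written %20.
    Assumption: an empty remainder (request for the directory itself) matches.
    """
    if not case_sensitive:
        value, request_path = value.lower(), request_path.lower()
    if value.endswith(("/?", "/*")):
        prefix, wildcard = value[:-1], value[-1]
        if not request_path.startswith(prefix):
            return False
        remainder = request_path[len(prefix):]
        return wildcard == "*" or "/" not in remainder
    return value == request_path


def url_matches(value: str, request_url: str, case_sensitive: bool = True) -> bool:
    """Evaluate URL: Equals for one Data Entry Field value.

    The value is a complete URL whose scheme defaults to http when omitted (as
    the page states) and never carries a port, so the request's port is ignored.
    Assumption: the query string is not part of the comparison.
    """
    wildcard = ""
    if value.endswith(("/?", "/*")):  # keep a trailing '?' from being parsed as a query
        value, wildcard = value[:-1], value[-1]
    if "://" not in value:
        value = "http://" + value
    want, got = urlsplit(value), urlsplit(request_url)
    if want.scheme.lower() != got.scheme.lower():
        return False
    if (want.hostname or "") != (got.hostname or ""):  # .hostname drops the port
        return False
    return path_matches((want.path or "/") + wildcard, got.path or "/", case_sensitive)


def any_value_matches(values: Iterable[str], request: str,
                      matcher: Callable[[str, str, bool], bool],
                      case_sensitive: bool = True) -> bool:
    """Walk a multi-value list until a match is found or the list is exhausted."""
    return any(matcher(v, request, case_sensitive) for v in values)


if __name__ == "__main__":
    # Constructed request URL and the four values the page lists as matching it.
    req = "http://www.resourcehost.com/path/resource.gif"
    for v in ("http://www.resourcehost.com/path/resource.gif",
              "http://www.resourcehost.com/path/?",
              "http://www.resourcehost.com/path/*",
              "http://www.resourcehost.com/*",
              "http://www.resourcehost.com/?"):
        print(f"{v:45} {url_matches(v, req)}")
```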

3.6.17 URL File Name Condition

The URL File Name condition allows you to restrict access based on the filename specified in the URL. It compares the filename in the URL of the current request to the filename specified in the Value field.

To set up matching for this condition, fill in the following fields:

Comparison: Select one of the following types:

  • Comparison: URL File: Specifies that you want the values compared as filenames and how you want the names compared. Select one of the following:

    • Equals: Indicates that the filenames must contain the same letters, in the same order as specified in the value.

    • Starts with: Indicates that the filenames must begin with the letters specified in the value.

    • Ends with: Indicates that the filenames must end with the letters specified in the value.

    • Contains Substring: Indicates that the filenames must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: URL File: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value type and value for the comparison. Select one of the following:

  • Data Entry Field: To specify a static value to compare to the filename in the current request, select this value type and specify the filename.

    The value you specify is compared to what follows the last slash in the URL. If you selected Regular Expression: Matches for your comparison type, regular expression rules apply. If you selected URL File for your comparison type, enter a value that matches your string comparison type. Do not use wildcards in your value.

    If you selected URL File for the comparison type, you can add multiple values:

    • Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Section 3.6.23, Edit Button.

    • Use the Add button to add values one at a time.

    All listed filenames are compared to the requested URL filename until a match is found or the list is exhausted.

  • LDAP Attribute: If you have defined an LDAP attribute containing a URL or filename, you can select this option, then select your attribute.

  • Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or filename, you can select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.18 URL File Extension Condition

The URL File Extension condition allows you to restrict access based on the file extension specified in the URL of the request. It compares the file extension in the URL of the current request to the extension specified in the Value field.

To set up matching for this condition, fill in the following fields:

Comparison: Select one of the following types:

  • Comparison: URL File: Specifies that you want the values compared as file extensions and how you want the file extensions compared. Select one of the following:

    • Equals: Indicates that the file extensions must contain the same letters, in the same order as specified in the value.

    • Starts with: Indicates that the file extensions must begin with the letters specified in the value.

    • Ends with: Indicates that the file extensions must end with the letters specified in the value.

    • Contains Substring: Indicates that the file extensions must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: URL File Extension: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value type and value for the comparison. Select one of the following:

  • Data Entry Field: To specify a static value to compare to the file extension in the current request, select this value type and specify the file extension. You can specify the extension or the period and the extension. For example:

    .ext
    ext

    This condition does not support wildcards. If you selected URL File Extension for the comparison type, you can add multiple values:

    • Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Section 3.6.23, Edit Button.

    • Use the Add button to add values one at a time.

    All entered URL file extensions are compared to the requested URL file extension until a match is found or the list is exhausted.

  • LDAP Attribute: If you have defined an LDAP attribute containing a URL or file extension, you can select this option, then select your attribute.

  • Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or file extension, you can select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.

3.6.19 X-Forward-For IP Condition

For added security, you can add the IP address of the reverse proxy as a condition to check before granting access. One way to implement this is to create a rule that requires the X-Forwarded-For IP address in the HTTP header to match the configured IP address of the reverse proxy that is using the policy. The X-Forwarded-For IP condition matches the first IP address in the X-Forwarded-For header with the IP address specified in the Value field.

To set up matching for this condition, fill in the following fields:

Comparison: Specify how the X-Forwarded-For IP address is compared to the data in the Value field. Select one of the following types:

  • Comparison: IP: Specifies that you want the values compared as IP addresses. Select one of the following:

    • Equals: Allows you to specify an IP address that the X-Forwarded-For IP address must match. You can specify more than one.

    • In Range: Allows you to specify a range of IP addresses that the X-Forwarded-For IP address must fall within. You can specify more than one range.

    • In Subnet: Allows you to specify the subnet that the X-Forwarded-For IP address must belong to. You can specify more than one subnet.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. If you select this option, you must also specify a Mode. Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value type and value for the comparison. Select one of the following:

  • Data Entry Field: To specify a static value, select Data Entry Field and provide a value appropriate for your comparison type. For example:

    Comparison Type    Value
    Equals             10.10.10.10
                       10.10.10.11
    In Range           10.10.10.10 - 10.10.10.100
                       10.10.20.10 - 10.10.20.100
    In Subnet          10.10.10.12 / 22
                       10.10.20.30 / 22

    If you selected IP for the comparison type, you can add multiple values:

    • Use the Edit button to access a text box where you can enter multiple values, each on a separate line.

    • Use the Add button to add values one at a time.

    All listed values are compared to the IP address in the header until a match is found or the list is exhausted.

  • Client IP: If you want the first IP address in the X-Forwarded-For header compared to the IP address of the client making the request, select this option.

  • LDAP Attribute: If you have defined an LDAP attribute for an IP address, you can select this option, then select your attribute.

  • Liberty User Profile: If you have defined a Liberty User Profile attribute for an IP address, you can select this option, then select your attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
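The three IP comparison types and the value formats shown above, evaluated against the first address of an X-Forwarded-For header, as an added Python example (not Access Manager's own code); the header dictionary and addresses are constructed, and result_on_error stands in for the Result on Condition Error field.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def first_forwarded_ip(headers: Dict[str, str]) -> Optional[str]:
    """Return the first address listed in X-Forwarded-For, or None if absent.

    Each proxy in the chain appends to this header, so the first entry is
    whatever the first hop recorded; the condition is only as reliable as
    the proxies in front of the Access Gateway.
    """
    raw = headers.get("X-Forwarded-For")
    if raw is None:
        return None
    first = raw.split(",", 1)[0].strip()
    return first or None


def parse_value(comparison: str, text: str):
    """Parse one Data Entry Field line in the format the page shows for each type."""
    if comparison == "Equals":                # 10.10.10.10
        return ipaddress.ip_address(text.strip())
    if comparison == "In Range":              # 10.10.10.10 - 10.10.10.100
        low, high = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"bad range: {text!r}")
        return (low, high)
    if comparison == "In Subnet":             # 10.10.10.12 / 22 (host bits ignored)
        return ipaddress.ip_network(text.replace(" ", ""), strict=False)
    raise ValueError(f"unknown comparison: {comparison!r}")


def ip_matches(comparison: str, parsed, addr: IPAddress) -> bool:
    if comparison == "Equals":
        return addr == parsed
    if comparison == "In Range":
        low, high = parsed
        return addr.version == low.version and low <= addr <= high
    return addr in parsed                     # In Subnet; False across IP versions


def xff_condition(headers: Dict[str, str], comparison: str,
                  values: Iterable[str], result_on_error: bool = False) -> bool:
    """Evaluate the X-Forwarded-For IP condition over a list of Data Entry Field values.

    A missing header, non-IP text in it, or a malformed value line yields
    result_on_error, mirroring Result on Condition Error (False by default).
    """
    try:
        first = first_forwarded_ip(headers)
        if first is None:
            raise ValueError("no X-Forwarded-For header")
        addr = ipaddress.ip_address(first)
        parsed = [parse_value(comparison, v) for v in values]
    except ValueError:
        return result_on_error
    # Compare against each value until a match is found or the list is exhausted.
    return any(ip_matches(comparison, p, addr) for p in parsed)


if __name__ == "__main__":
    # Constructed header: first hop 10.10.10.11, a later proxy 192.0.2.7.
    hdr = {"X-Forwarded-For": "10.10.10.11, 192.0.2.7"}
    print("Equals   ", xff_condition(hdr, "Equals", ["10.10.10.10", "10.10.10.11"]))
    print("In Range ", xff_condition(hdr, "In Range", ["10.10.10.10 - 10.10.10.100"]))
    print("In Subnet", xff_condition(hdr, "In Subnet", ["10.10.10.12 / 22", "10.10.20.30 / 22"]))
```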

3.6.20 Condition Extension

If you have loaded and configured an authorization condition extension, this option specifies a condition that is evaluated by an outside source. This outside source returns either true or false. See the documentation that came with the extension for information about what is evaluated.

3.6.21 Data Extension

If you have loaded and configured an authorization data extension, this option specifies the value that the extension retrieves. You can then select to compare this value with an LDAP attribute, a Liberty User Profile attribute, a Data Entry Field, or another Data Extension. For more information, see the documentation that came with the extension.

3.6.22 Using the URL Dredge Option

In the URL to Dredge text box, enter the URL of a page on a Web server, then click Display URL List. A list of links and images appears.

For example, if you enter www.novell.com/documentation/index.html for the URL to Dredge, links such as the following appear in the Links section of the URL Results list:

www.novell.com/company/careers/index.html
www.novell.com/company/strategy.html
www.novell.com/documentation/novellaccessmanager/index.html
www.novell.com/documentation/novellaccessmanager31/index.html

Depending upon how you have configured your Web site, you need to enter either a target page or just the URL of the site to generate a list of links.

To add all links as values to the URL condition, click Links. To add links selectively as a value, select the check box next to each name. To dredge a link in the list, click the link.

If the URL contains images, a list of images appears in the Images section. To add an image as a value, select the check box next to the image name.

To save your changes, click OK.

IMPORTANT: If you attempt to dredge an HTTPS site that is using a self-signed certificate, you need to import the trusted root of the site into the Trusted Roots store of the Access Gateway before performing the dredge.

3.6.23 Edit Button

Some of the conditions such as Client IP and URL display an Edit button when you select Equals as the condition and Data Entry Field as the value. The Edit button displays a text box where you can specify multiple values.

In the text box, enter each value on a separate line.

To save your modifications, click OK.

To discard your modifications, click Cancel.