A Web Authorization policy specifies the criteria a user must meet to either allow access or deny access to a resource. For example, if you create a Sales role and assign it to the users, the role can be used to allow access to the sales applications and to deny access to resource management applications. For information about designing a policy, see Section 3.1, Designing an Authorization Policy.
To create a Web Authorization policy:
In the Administration Console, click > > .
Specify a name for the policy, select as the type, then click .
Fill in the following fields:
Description: (Optional) Specify a description for the rule.
Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and the lowest priority is 10. If two rules have the same priority, a Deny rule is applied before a Permit rule.
In the section, click , then select one of the following:
Client IP Address: Allows you to control access based on the IP address of the client making the request. For configuration information, see Section 3.6.2, Client IP Condition.
Credential Profile: Allows you to control access based on the credentials the user specified during authentication. For configuration information, see Section 3.6.3, Credential Profile Condition.
Current Date: Allows you to control access based on the date of the request. For more information, see Section 3.6.4, Current Date Condition.
Day of Week: Allows you to control access based on the day the request is made. For configuration information, see Section 3.6.5, Day of Week Condition.
Current Day of Month: Allows you to control access based on the month the request is made. For configuration information, see Section 3.6.6, Current Day of Month Condition.
Current Time of Day: Allows you to control access based on the time the request was made. For configuration information, see Section 3.6.7, Current Time of Day Condition.
HTTP Request Method: Allows you to control access based on the request method. For configuration information, see Section 3.6.8, HTTP Request Method Condition.
LDAP Attribute: Allows you to control access based on the value of an LDAP attribute. For configuration information, see Section 3.6.9, LDAP Attribute Condition.
Liberty User Profile: Allows you to control access based on the value of a Liberty attribute. For configuration information, see Section 3.6.11, Liberty User Profile Condition.
Roles: Allows you to control access based on the roles a user has been assigned. For configuration information, see Section 3.6.12, Roles Condition.
URL: Allows you to control access based on the URL in the request. For configuration information, see Section 3.6.13, URL Condition.
URL Scheme: Allows you to control access based on the scheme in the URL of the request (for example, HTTP or HTTPS). For configuration information, see Section 3.6.14, URL Scheme Condition.
URL Host: Allows you to control access based on the hostname in the URL of the request. For configuration information, see Section 3.6.15, URL Host Condition.
URL Path: Allows you to control access based on the path in the URL of the request. For configuration information, see Section 3.6.16, URL Path Condition.
URL File Name: Allows you to control access based on the filename in the URL of the request. For configuration information, see Section 3.6.17, URL File Name Condition.
URL File Extension: Allows you to control access based on the file extension in the URL of the request. For configuration information, see Section 3.6.18, URL File Extension Condition.
X-Forwarded-For IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. For configuration information, see Section 3.6.19, X-Forward-For IP Condition.
To add multiple conditions to the same rule, either add a condition to the same condition group or create a new condition group. For information on how conditions and condition groups interact with each other, see Section 3.1.4, Using Multiple Conditions.
In the section, select either or .
To save the rule, click twice, then click .
Assign the policy to a Web resource. See Assigning a Web Authorization Policy to the Resource
in the NetIQ Access Manager 3.1 SP5 J2EE Agent Guide.