12.4.3 Assigning an Authorization Policy to Protect a Resource

Use the following procedure to limit access to the Sales page based on the sales role:

  1. Click Devices > Access Gateways, then click Edit > DAL > Dallistener > Protected Resources.

  2. In the Protected Resource List, click New, specify sales_page for the name, then click OK.

  3. For the Authentication Procedure, select Name/Password - Form.

  4. In the URL Path List, click /*, modify it to specify /sales/*, then click OK.

    Your protected resource must look similar to the following:

  5. Click Authorization > Manage Policies.

  6. Click New, then fill in the following fields:

    Name: Specify Allow_Sales.

    Type: Select Access Gateway: Authorization.

  7. Click OK.

    The Edit Policy page appears.

  8. In Condition Group 1, click New > Roles, then specify the following values:

    Comparison: Select String: Contains Substring.

    Mode: Select Case Insensitive.

    Value: Select Roles: sales_role.

    Return on Condition Error: Select False.

  9. In the Actions section, ensure that Permit is selected.

    Your rule must look similar to the following:

    This rule allows everyone assigned to the sales_role to have access.

  10. Click OK.

  11. In the Rule List, select New.

    This second rule is a general deny rule for everyone who has not been assigned the sales_role.

  12. Make sure the Priority field is set to 10 and that the Condition Group 1 has no conditions.

  13. In the Actions section, click Permit, select Deny, then select Deny Message.

  14. Click Message Text, then in the text box, type the deny message: Sorry, you must work in sales today.

    Your rule must look similar to the following.

    With no conditions in the condition group, this creates a general deny rule that matches everyone. The users who have been assigned the sales role match the first rule that is processed. Everyone else matches this general deny rule.

  15. Click OK to close the rule editor, then click OK to close the Rule List.

  16. In the Policy List window, click Apply Changes, then click Close.

  17. In the Authorization Policy List, select the Allow_Sales policy, then click Enable.

  18. Click OK.

  19. Click the Access Gateways link, then click Update > OK.

  20. Test the results:

    1. Open a new browser, then enter the URL of the Digital Airlines website you created.

      In this example, it is am3bc.provo.novell.com.

    2. Log in as the admin user.

    3. Add /sales to the URL.

      You must receive the following response window, which displays the deny message from the Access Gateway policy you just configured:

      Now, only users with an assigned sales role can access the Sales page.

  21. Test the results with a user who has the sales role:

    1. Open a new browser, then enter the URL of the Digital Airlines website you created.

      In this example, it is am3bc.provo.novell.com.

    2. Log in as Tom.

    3. Click Sales System or add /sales to the URL.

      The Sales page is displayed.

    4. Close all sessions of the browser.

  22. Continue with Configuring an Identity Injection Policy for Basic Authentication.
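
The two rules built in steps 8 through 14 can be checked on paper with a small model. The following Python sketch is an added example, not Access Manager code or anything from the product: it assumes the first rule has priority 1, that rules are processed from the lowest priority number up, and that a condition which cannot be evaluated returns the Return on Condition Error value. The user role lists are constructed for illustration.

```python
# Simplified model of the Allow_Sales policy built in steps 8-14.
# Added illustration only; this is not Access Manager code.
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

DENY_MESSAGE = "Sorry, you must work in sales today."

class ConditionError(Exception):
    """Raised when a condition cannot be evaluated (e.g. roles unavailable)."""

def roles_contain(substring: str) -> Callable[[Optional[Sequence[str]]], bool]:
    """String: Contains Substring, Mode: Case Insensitive, applied to roles."""
    def check(roles):
        if roles is None:
            raise ConditionError("roles could not be read")
        return any(substring.lower() in r.lower() for r in roles)
    return check

@dataclass
class Rule:
    priority: int
    condition: Optional[Callable]   # None = empty condition group, matches everyone
    action: str                     # "permit" or "deny"
    message: str = ""
    on_error: bool = False          # Return on Condition Error

    def matches(self, roles) -> bool:
        if self.condition is None:
            return True
        try:
            return self.condition(roles)
        except ConditionError:
            return self.on_error

ALLOW_SALES = [
    Rule(priority=1, condition=roles_contain("sales_role"), action="permit"),  # priority 1 is assumed
    Rule(priority=10, condition=None, action="deny", message=DENY_MESSAGE),
]

def evaluate(rules, roles):
    """Return (action, message) of the first matching rule, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(roles):
            return rule.action, rule.message
    return "deny", ""   # model's fallback; unreachable with the general deny rule

if __name__ == "__main__":
    # Constructed users: role lists here are sample data, not from the product.
    for who, roles in [("Tom", ["sales_role"]), ("admin", []), ("roles unavailable", None),
                       ("other", ["PreSales_Role_ReadOnly"])]:
        print(who, evaluate(ALLOW_SALES, roles))
```

The last constructed user shows that a Contains Substring comparison also permits any role whose name merely contains sales_role, so role names need to be chosen so that none contains another as a substring.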