LDAP Context Policies

Create a policy that allows or denies access based on the LDAP context of the user's DN. You can use the LDAP context of the user DN to group users by department and then grant access when the context matches. You need to create protected resources for the web resources of each department, create a policy for each protected resource, and assign each policy to its protected resource.

Perform the following steps to configure a policy for the sales department:

  1. Click Policies > Policies > New, specify a name for the policy, select Access Gateway: Authorization as the type, and click OK.

  2. For Condition Group 1, click New, then select Credential Profile.

  3. Specify the following details:

    LDAP Credentials: Select LDAP User DN.

    If/If Not: Select If Not.

    Comparison: Select Contains Substring.

    Mode: Select Case Insensitive.

    Value: Select Data Entry Field and specify ou=sales,o=acme.

    Result on Condition Error: Select True.

  4. In the Actions section, select Deny.

    Your policy must look similar to the following:

    LDAP Context Policy

    The following are the results of this configuration:

    • When a user does not belong to the sales department, the user is denied access.

    • When a user belongs to the sales department, the user is granted access.

    • When an error occurs evaluating the conditions in the rule, the user is denied access.

  5. Assign the policy to the protected web resources of the sales department. See Assigning an Authorization Policy to a Protected Resource.

  6. Repeat these steps for the other two departments, specifying the appropriate department context in Value.
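The following Python is an added illustration, not Access Manager's own code: it models how the Credential Profile condition from steps 3 and 4 (If Not, Contains Substring, Case Insensitive, Result on Condition Error = True, action Deny) is evaluated against sample user DNs, including the error case where no DN is available. The class and function names are assumptions made for this example, and the sample DNs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DnContextRule:
    """One Credential Profile condition on the LDAP User DN (assumed names)."""
    value: str                      # Data Entry Field value, e.g. "ou=sales,o=acme"
    negate: bool = True             # If/If Not: True means "If Not"
    case_insensitive: bool = True   # Mode: Case Insensitive
    result_on_error: bool = True    # Result on Condition Error: True

    def condition(self, user_dn: Optional[str]) -> bool:
        """Evaluate the condition; a missing DN is treated as a condition error."""
        if not user_dn:
            # The rule cannot be evaluated, so the configured error result applies.
            return self.result_on_error
        haystack, needle = user_dn, self.value
        if self.case_insensitive:
            haystack, needle = haystack.lower(), needle.lower()
        matched = needle in haystack         # Comparison: Contains Substring
        return (not matched) if self.negate else matched


def decide(rule: DnContextRule, user_dn: Optional[str]) -> str:
    """Action is Deny when the condition holds; otherwise the rule does not fire."""
    return "deny" if rule.condition(user_dn) else "permit"


def decide_sample_dns(case_insensitive: bool = True) -> Dict[str, str]:
    """Run the sales-department rule over constructed sample DNs."""
    rule = DnContextRule(value="ou=sales,o=acme", case_insensitive=case_insensitive)
    samples = {
        "cn=alice,ou=sales,o=acme": "sales user",
        "cn=bob,ou=marketing,o=acme": "other department",
        "CN=Carol,OU=Sales,O=Acme": "sales user, different case",
        # Contains Substring also matches a longer suffix; an exact-suffix
        # comparison would be needed to exclude such a DN.
        "cn=dave,ou=sales,o=acmeholdings": "substring match beyond o=acme",
    }
    decisions = {dn: decide(rule, dn) for dn in samples}
    decisions["<no DN available>"] = decide(rule, None)   # condition error path
    return decisions


if __name__ == "__main__":
    for dn, result in decide_sample_dns().items():
        print(f"{result:6}  {dn}")
```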