Activating Roles from External Sources

If you have an LDAP attribute, an LDAP group, an LDAP OU, or a Liberty attribute that you are currently using for role assignments, you can have Access Manager read its value and activate roles based on the values. This allows you to use the same roles for Access Manager access as you are using in other parts of your deployment.

When you create this type of Role policy, you do not need to specify any conditions. The policy engine reads the attribute you specify, then assigns roles to users based on the value or values in the attribute. If the user has no value for the attribute, the user is assigned no roles. If the user has a value for the attribute, the user is assigned a role for each value in the attribute.

  1. Click Policies > Policies.

  2. Select the policy container, then click New to create a new policy.

  3. Specify a name for the Role policy, select Identity Server: Roles for the type, then click OK.

  4. On the Rule page in the Actions section, click New > Activate Selected Role.

  5. For this example, select LDAP Group.

  6. To select the group you want to use for role assignments, click Current > [Identity Server Name] > [User Store Name] > [Group Name].

    The distinguished name of this group is the Role name that is assigned to the user.

  7. Select a Multi-Value Separator that is compatible with a distinguished name.

    A comma, which is the default separator, cannot be used because a comma is used to separate the components in a distinguished name. Select any other value, such as #.

    Your policy must look similar to the following:

  8. Click OK > OK > Apply Changes.

  9. To enable the role so that it can be used in Authorization and Identity Injection policies, click Devices > Identity Servers > Edit > Roles.

  10. Select the check box next to the name of the role, then click Enable.

  11. Click OK.

  12. Update Identity Server.

  13. (Optional) Verify the name used for the role and the user assigned to it:

    1. Enable logging by clicking Devices > Identity Servers > Edit > Logging, then set the following values:

      File Logging: Select Enabled.

      Echo To Console: Select this option to enable it.

      Application: In the Component File Logger Levels section, set to info.

    2. Click OK, then update Identity Server.

    3. Log in to Identity Server by using the credentials of a user who belongs the LDAP group.

    4. View the log file for Identity Server by clicking Auditing > General Logging.

    5. Select the catalina.out file and click Download.

    6. Look for two log entries (<amLogEntry>) similar to the following:

      <amLogEntry> 2009-10-09T21:58:55Z INFO NIDS Application: AM#500199050:
AMDEVICEID#CA50FD51DB1EEE3E: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=:
IDP RolesPep.evaluate(), policy trace:
   ~~RL~1~~~~Rule Count: 1~~Success(67)
   ~~RU~RuleID_1223587171711~LDAP_Group~DNF~~0:1~~Success(67)
   ~~PA~ActionID_1223588319336~~AddSelectedRoles~cn=Doc~~~Success(0)
   ~~PA~ActionID_1223588319336~~AddSelectedRoles~o=novell~~~Success(0)
   ~~PC~ActionID_1223588319336~~Document=(ou=xpemlPEP,ou=mastercdn,
ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,
ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollection
XMLDoc),Policy=(LDAP_Group),Rule=(1::RuleID_1223587171711),Action=
(AddSelectedRole::ActionID_1223588319336)~~~~Success(0)
 </amLogEntry>

<amLogEntry> 2009-10-09T21:58:55Z INFO NIDS Application: AM#500105013:
AMDEVICEID#CA50FD51DB1EEE3E: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=:
Authenticated user cn=jwilson,o=novell in User Store Internal with roles
"cn=Doc,o=novell","authenticated".
</amLogEntry>

      The first <amLogEntry> entry indicates that the action in the LDAP_Group policy was successfully assigned.

      The second entry gives the DN of the user and lists the roles assigned to the user: cn=Doc,o=novell and authenticated.

You can now use the cn=Doc,o=novell role when creating Authorization and Identity Injection policies, which control access to protected web resources. Roles activated this way do not appear in the list of available roles. You need to use the Data Entry Field to manually type in the role name. For more information, see the following: