Using Conditions to Assign Roles

Creating a Role by Using an LDAP Attribute

You can assign a user to a role by using a value found in any LDAP attribute in your directory. The following example uses the objectClass attribute because every object in an LDAP directory has an objectClass attribute that contains the object classes to which the object belongs. This attribute contains the name of the object class that was used to create the object and the names of the superior object classes of this class. For example, perform the following steps to create a Role policy for users who were created with the User object class:

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the Role policy, select Identity Server: Roles for the type, then click OK.

  4. In Condition Group 1, click New, then select LDAP Attribute.

  5. In Condition Group 1, select the conditions the user must meet:

    LDAP Attribute: Select the objectClass attribute. If you have not added this attribute, it does not appear in the list. Scroll to the bottom of the list, click New LDAP Attribute, specify objectClass for the name, then click OK.

    If you are using eDirectory™ for your LDAP directory, specify standard LDAP names for the attributes. Access Manager does not support spaces or colons in attribute names.

    Comparison: Select how you want the attribute values to be compared. For the objectClass attribute, select String > Contains Substring.

    The objectClass attribute is a multi-valued attribute and, for most objects, contains multiple values. For example, in eDirectory, users created with the User object class have User, organizationalPerson, person, ndsLoginProperties, and top as values in the objectClass attribute.

    Mode: Select Case Insensitive.

    Value: Select Data Entry Field and specify User as the value.

    Result on Condition Error: This sets up the results that are returned if an error occurs while evaluating the condition (for example, the LDAP server goes down). This rule grants the user the role of UserClass if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of UserClass. Therefore, for this rule, you need to select False.

  6. In the Actions section, click Activate Role.

  7. In the Activate Role box, type UserClass, then click OK.

    This role is assigned to users who match the condition.

  8. Click OK > OK > Apply Changes.

  9. Click Identity Servers > Edit > Roles.

  10. Select the check box next to the name of the role, then click Enable.

  11. Click OK and update Identity Server.
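The rule built in these steps can be modelled in a few lines. This is an added example, not Access Manager code: it shows how Contains Substring behaves over a multi-valued objectClass and why Result on Condition Error is set to False. The names roles_for, contains_substring, DirectoryError and outage, and the PRINTER and PROXY values, are hypothetical.

```python
# Added example: a model of the rule above, not Access Manager code.

class DirectoryError(Exception):
    """Stands in for any failure while reading the user store (hypothetical)."""

def contains_substring(values, needle, case_insensitive=True):
    """String > Contains Substring over a multi-valued attribute:
    true when any single value contains the needle."""
    if case_insensitive:
        needle = needle.lower()
        values = [v.lower() for v in values]
    return any(needle in v for v in values)

def roles_for(fetch_object_class, result_on_error):
    """Evaluate the rule. If the lookup fails, the condition takes the
    configured Result on Condition Error instead of a real comparison."""
    try:
        matched = contains_substring(fetch_object_class(), "User")
    except DirectoryError:
        matched = result_on_error
    return {"UserClass"} if matched else set()

# objectClass values the page lists for an eDirectory user.
EDIR_USER = ["User", "organizationalPerson", "person", "ndsLoginProperties", "top"]
# Constructed values for illustration.
PRINTER = ["Printer", "Device", "top"]
PROXY = ["applicationUserProxy", "top"]

def outage():
    """Simulates the LDAP server going down during evaluation."""
    raise DirectoryError("user store unreachable")

if __name__ == "__main__":
    print(roles_for(lambda: EDIR_USER, False))  # role assigned
    print(roles_for(lambda: PRINTER, False))    # no role
    print(roles_for(lambda: PROXY, False))      # substring also matches this value
    print(roles_for(outage, False))             # error with False: no role
    print(roles_for(outage, True))              # error with True: role assigned to anyone
```

Because the comparison is a substring match, any objectClass value that merely contains "user" satisfies it, so check which object classes exist in the user store before relying on this rule.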

You can now use this role when creating Authorization and Identity Injection policies. For more information, see Authorization Policies and Identity Injection Policies.

Creating a Role by Using the Location of the User Objects

If you have created your users in specific containers in your LDAP tree, you can use these container objects to assign users to roles. For example, your LDAP tree looks similar to the following tree:

Such a tree organization can be used to control access to resources. Perform the following steps to create a Role policy for the users created under the Sales container:

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the Role policy, select Identity Server: Roles for the type, then click OK.

  4. In Condition Group 1, click New, and select LDAP OU > [Identity Server Configuration] > [User Store] > [DN of the OU].

    The following example illustrates how to make these selections:

    Comparison: Select how you want the attribute values to be compared. For LDAP OU, select Contains.

    Mode: Select One Level if all your users are created in ou=Sales. Select Subtree if your users are created in various containers under the ou=Sales container.

    Value: Select LDAP OU, then select [Current].

    The DN of the authenticated user is compared with the value specified in LDAP OU. If the DN of the user contains the LDAP OU value, the user matches the condition. For example, if the DN of the user is cn=bsmith,ou=sales,o=novell and the LDAP OU value is ou=sales,o=novell, the user matches the condition. If you selected Subtree for the Mode, a user with the following DN also matches the condition: cn=djones,ou=provo,ou=sales,o=novell.

    Result on Condition Error: This sets up the results that are returned if an error occurs while evaluating the condition (for example, the LDAP server goes down). This rule is set up to grant the user the role of Sales if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of Sales. Therefore, for this rule, you need to select False.

  5. In the Actions section, click Activate Role.

  6. In Activate Role, specify Sales and click OK.

    The name you specify here is the role you want assigned to the users who match the condition.

  7. Click OK > OK > Apply Changes.

  8. Click Devices > Identity Servers > Edit > Roles.

  9. Select the check box next to the name of the role, then click Enable.

  10. Click OK.

  11. Update Identity Server.
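The difference between the One Level and Subtree modes can be checked against the DNs used in this procedure. This is an added example, not Access Manager code: the functions rdns, in_ou and roles_for_dn are hypothetical, DNs are compared case-insensitively as an assumption, and the simple comma split assumes no escaped commas in any RDN.

```python
# Added example: a model of the LDAP OU condition, not Access Manager code.

SALES_OU = "ou=sales,o=novell"  # LDAP OU value used on the page

def rdns(dn):
    """Split a DN into lower-cased RDNs.
    Assumption: no RDN contains an escaped comma."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def in_ou(user_dn, ou_dn, mode):
    """True if user_dn lies under ou_dn.
    one_level: the user object sits directly in the OU.
    subtree:   the user object sits anywhere below the OU."""
    if mode not in ("one_level", "subtree"):
        raise ValueError("mode must be 'one_level' or 'subtree'")
    user, ou = rdns(user_dn), rdns(ou_dn)
    # The OU's RDNs must be the trailing components of the user's DN,
    # and the user DN must be longer than the OU DN itself.
    if not ou or len(user) <= len(ou) or user[-len(ou):] != ou:
        return False
    depth = len(user) - len(ou)
    return depth == 1 if mode == "one_level" else True

def roles_for_dn(user_dn, mode):
    """Activate the Sales role only when the condition is True."""
    return {"Sales"} if in_ou(user_dn, SALES_OU, mode) else set()

if __name__ == "__main__":
    for dn in ("cn=bsmith,ou=sales,o=novell",
               "cn=djones,ou=provo,ou=sales,o=novell",
               "cn=x,ou=presales,o=novell"):  # last DN is constructed
        print(dn, roles_for_dn(dn, "one_level"), roles_for_dn(dn, "subtree"))
```

Comparing whole RDNs rather than raw strings keeps a container such as the constructed ou=presales from being treated as part of ou=sales.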

You can now use this role when creating Authorization and Identity Injection policies, which control access to protected web resources. For more information, see Authorization Policies and Identity Injection Policies.

Creating a Role by Using a Group Membership Attribute

If you have created an LDAP group and assigned users to the group, you can use group membership to assign a role to the user. For example, create a first-level managers group and make all first-level managers members of this group. Create other groups for upper-level managers. You can create a Role policy that assigns the user a role if the user is a member of a specific group.

You can use the Role policy in an Authorization or Identity Injection policy to protect a web resource.

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the Role policy, select Identity Server: Roles for the type, then click OK.

  4. In Condition Group 1, click New, then select LDAP Group.

  5. In Condition Group 1, select the conditions the user must meet:

    LDAP Group: Select Identity Server Configuration, the user store, then the Group.

    The following figure illustrates this selection process:

    Comparison: Select how you want the attribute values to be compared. For LDAP Group, select Is Member of.

    Value: Select LDAP Group, then select [Current].

    The DN of the authenticated user is compared with the members of the LDAP Group. If the DN of the user matches one of the members, the user matches the condition.

    Result on Condition Error: This sets up the results that are returned if an error occurs while evaluating the condition (for example, the LDAP server goes down). This rule is set up to grant the user the role of ManagersGroup if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of ManagersGroup. Therefore, for this rule, you need to select False.

  6. In the Actions section, click Activate Role.

  7. In Activate Role, specify ManagersGroup and click OK. The name you specify here is the role you want assigned to the users who match the condition.

    Your rule must look similar to the following:

  8. Click OK > OK > Apply Changes.

  9. Click Devices > Identity Servers > Servers > Edit > Roles.

  10. Select the check box next to the name of the role, then click Enable.

  11. Click OK and update Identity Server.

You can now use this role when creating Authorization and Identity Injection policies. For more information, see Authorization Policies and Identity Injection Policies.