BEAAquaLogic Enterprise Security™® Policy Managers Guide Version 2.6 Document Revised: April 2007 Contents 1. Introduction Document Scope and Audience. 1-1 Guide to this Document. 1-2 Related Documentation . 1-2 Contact Us! . 1-3 2. Security Policies Overview What is an AquaLogic Enterprise Security Policy? . 2-1 Closed-world Security Environment . 2-2 Policy Components . 2-3 Resources. 2-4 Virtual Resources . 2-6 Resource Attributes . 2-6 Privilege Groups. 2-6 Privileges . 2-6 Identities . 2-7 Identity Attributes. 2-8 Groups . 2-8 Users. 2-9 Roles. 2-10 Policies. 2-10 Role Mapping Policies . 2-10 Authorization Policies . 2-12 Delegation Policies. 2-13 Summary of Policy Differences . 2-14 Policy Managers Guide v Declarations. 2-14 Constants . 2-15 Enumerated Types . 2-15 Attributes . 2-15 Evaluation Functions . 2-15 3. Writing Policies Policy Implementation: Main Steps . 3-1 Access Decision Process . 3-4 Authentication Service. 3-4 Role Mapping Service . 3-4 Authorization Service . 3-5 Credential Mapping Service. 3-5 Authorization and Role Mapping Engine . 3-5 Using the Administration Console to Write Policies . 3-7 Administration Console Overview. 3-7 Defining Resources . 3-8 Virtual Resources . 3-11 Resource Attributes. 3-12 Privileges . 3-12 Privilege Groups . 3-13 Defining Identities . 3-14 Identity Attributes . 3-16 Groups. 3-16 Users . 3-17 Roles . 3-18 Writing Authorization and Role Mapping Policies . 3-19 Role Mapping Policies . 3-20 vi Policy Managers Guide Authorization Policies. 3-20 Role Mapping Policy Reports . 3-21 Authorization Policy Reports . 3-21 Defining Declarations. 3-22 Binding Policies . 3-23 Deploying Policies . 3-23 4. Advanced Topics Designing More Advanced Policies . 4-1 Multiple Components . 4-2 Policy Constraints. 4-2 Comparison Operators. 4-4 Regular Expressions . 4-4 Constraint Sets. 4-6 String Comparisons . 4-7 Boolean Operators. 4-8 Associativity and Precedence . 4-9 Grouping with Parentheses . 4-9 Boolean Operators and Constraint Sets. 4-10 Declarations . 4-11 Constant Declarations . 4-12 Enumerated Type Declarations . 4-14 Attribute Declarations . 4-15 Evaluation Function Declarations . 4-22.