Configuring a Secure Application Manager Resource Policy (NSM
Procedure)
When you enable the secure application manager access feature
for a role, you need to create resource policies that specify which
application servers a user may access. These policies apply to both
the Java version and the Windows version of the Secure Application
Manager (JSAM and WSAM, respectively). When a user makes a request
to an application server, the Secure Access device evaluates the SAM
resource policies. If the Secure Access device matches a user’s
request to a resource listed in a SAM policy, the Secure Access device
performs the action specified for the resource.
To configure Secure Application Manager resource
policy:
- In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure
Access device for which you want to configure a Secure Application
Manager resource policy.
- Click the Configuration tab.
Select Users > Resource Policies > SAM.
- Add or modify settings as specified in Table 1.
- Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.
Table 1: Secure Application Manager Resource Policy Configuration Details
| Option |
Function |
Your Action |
| Access
Control > General tab |
Name
|
Specifies the name for the policy.
|
Enter the name.
|
Description
|
Describes the policy.
|
Enter a description.
|
New Resources
|
Specifies the servers to which this policy applies.
|
Enter the server path.
|
Applies to roles
|
Specifies the roles to which this policy applies.
|
Select one of the following options from the drop-down
list:
- All—Applies the policy to all
users.
- Selected—Applies the policy
only to users who are mapped to roles in the Role Selection section.
- Except those selected—Specifies
one or more detailed rules for this policy.
|
Action
|
Allows or denies access to the servers specified in the
resources list.
|
Select one of the following options from the drop-down
list.
- Allow socket access—Allows
access to the application servers specified in the Resources list.
- Deny socket access—Denies access
to the servers specified in the Resources list.
- Detailed Rules–Allows you to
specify one or more detailed rules for this policy.
|
| Role
Selections tab |
Role Selections
|
Maps roles to access resources.
Note:
This tab is enabled only when you select selected or Except those selected from
the Applies to the role drop-down list.
|
Select a role and click Add to add
roles from Non-members to Members list.
|
| Detailed
Rules tab |
Name
|
Specifies the detailed rule name.
Note:
The Detailed Rules tab is displayed only when you select
the Detailed Rules option from the Action drop-down
list.
|
Enter a name.
|
Action
|
Specifies the action you want to perform if the user
request matches a resource in the resource list (optional).
|
Select one of the following options from the drop-down
list:
- Allow socket access—Allows
the user to access the resource.
- Deny socket access—Denies the
user to access the resource.
|
New Resources
|
Specifies the resource to which detailed rule applies.
|
Specify any one of the following:
- The same or a partial list of the resources specified
on the General tab.
- A specific path or file on the server(s) specified on
the General tab, using wildcards when appropriate.
- A file type, preceded by a path if appropriate or just
specify */*.file_extension to indicate files with the specified extension
within any path on the server(s) specified on the General tab.
|
Conditions
|
Specifies one or more expressions to evaluate to perform
the action.
|
Specify one of the following options:
- Boolean expressions: Using system variables, write one
or more Boolean expressions using the NOT, OR, or AND operators.
- Custom expressions: Using the custom expression syntax,
write one or more custom expressions.
|
| Options |
IP based matching for Hostname based policy resources
|
Secure Access device compares the IP to its cached list
of IP addresses to determine if a host name matches an IP address.
If there is a match, then the Secure Access device accepts the match
as a policy match and applies the action specified for the resource
policy.
|
Select Options > IP based matching for
Hostname based policy resources option to enable this feature.
|
Published: 2009-08-20
