This chapter covers how to define entitlements for fine-grained authorization to access particular resources.

Authorization Entitlements Policy OpenAM entitlements serve much the same purpose as OpenAM policies, defining who has access to what, under what conditions. You can define entitlements through the OpenAM console, and OpenAM stores and manages policies centrally using the standard eXtensible Access Control Markup Language (XACML). You can access OpenAM entitlements and policy decisions using the RESTful web interface, for even lighter weight policy enforcement than with OpenAM policy agents. The OpenAM entitlements service uses XACML terminology to refer to the different points dealing with policy. OpenAM serves as a policy administration point (PAP) where you define, store, and manage policies. OpenAM uses the configuration directory to store entitlements, whereas profiles are stored in the identity repository (user data store). OpenAM also serves as a policy decision point (PDP), evaluating policies and issuing authorization decisions, and as a policy information point, providing the information needed for authorization decisions. OpenAM policy agents act as policy enforcement points, obtaining decisions from PDPs to protect access to resources. Entitlement policies define who has who has access to what, under what conditions, in the same way that other OpenAM policies define policy. Entitlement policies do let you define virtual subjects and subjects based on attribute lookup to determine who has access to the resources. Entitlements apply for applications, which in this context mean protected resources that share a common set of actions and related policies. For example, the web agent application protects web resources accessed through HTTP GET and POST actions using a web policy agent to enforce decisions to allow or deny access. You can also define more specific applications as demonstrated by the examples delivered with OpenAM. Delegations grant specific users privileges to manage policies.

Authorization Configuring Entitlements Configuring Policy Configuring Use the nascent console to manage entitlements. After you login as OpenAM Administrator to OpenAM Console, click Test Beta Console, then Entitlements. You can return to the Standard Console by using the link at the upper right corner of the new console window. Select Entitlements > Policies > Create Policies to start the new entitlement policy wizard. Give your policy a name and a description, and then select the application to protect from the drop-down list before clicking Next. Select the resources to protect with the entitlement policy, adding exceptions and additional resources as necessary before clicking Next. Build your list of subjects who are concerned by this policy using the Select Subjects drop box before clicking Next. Set permissions for actions, add conditions, user attributes to return in policy decisions and so forth in the advanced settings section before clicking Next. Review the entitlement policy summary, and then click Finish to create and store the policy in OpenAM. Select Entitlements > Policies > Manage Policies to display the list of entitlement policies. Check the box next to the policy or policies to export. Click the Export link above the table, and then click OK in the alert box. OpenAM exports your policy in XML format. <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule- combining-algorithm:deny-overrides" Version="2011.10.07.11.51.27.444" PolicyId="New Policy"> ... policy content here ... </Policy> What you see in the browser window depends on what your browser chooses to do with XML. Select Entitlements > Applications > Create Applications to start the new entitlement application wizard. Give your application a name and a description, and then select the application type from the drop-down list before clicking Next. Add resources pertaining to the application, and then click Next. Select the subject types to which policies for the application apply, and then click Next. Select the appropriate permissions for actions the subjects can take on the application, and then click Next. Select the condition types allowed for policies that apply to this type of application, and then click Next. Configure how to resolve decisions when policies conflict, and then click Next. Review the application configuration summary, and then click Finish to create and store the application type in OpenAM. Authorization Delegating Entitlements Delegating Policy Delegating Select Entitlements > Delegations > Create Delegations to start the new entitlement delegation wizard. Give you delegation a name and a description, and then click Next. Select the application types to delegate, and then click Next. You can click Show for each selected application type to further refine the resources for which you are delegating management. Select subjects to whom the delegation grants access to manage, and then click Next. Select the level of management delegated in terms of actions the subject can perform, and then click Next. Review the delegation configuration summary, and then click Finish to create and store the delegation in OpenAM.

Authorization Configuring Entitlements Configuring Policy Configuring To manage entitlements, you can use the ssoadm command. The ssoadm command provides several other subcommands for managing entitlements in addition to those shown here. Use the ssoadm list-xacml command to export policies. $ ssoadm list-xacml --realm / --adminid amadmin --password-file /tmp/pwd.txt <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0: rule-combining-algorithm:deny-overrides" Version="2011.10.07.12.22.04.705" PolicySetId="/:2011.10.07.12.22.04.704" xmlns="urn:oasis:names:tc:xacml:3.0: core:schema:cd-1"> <Target/> ... other policies ... <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0: rule-combining-algorithm:deny-overrides" Version="2011.10.07.11.51.27.444" PolicyId="New Policy"> ... policy content here ... </Policy> </PolicySet> Use the ssoadm create-xacml command to import a policy. $ ssoadm create-xacml --realm / --xmlfile policy.xml --adminid amadmin --password-file /tmp/pwd.txt Use the ssoadm create-appl command to create an application type. $ cat application.txt resources=http://myapp.example.com:80/* subjects=com.sun.identity.admin.model.IdRepoUserViewSubject subjects=com.sun.identity.admin.model.VirtualViewSubject subjects=com.sun.identity.admin.model.OrViewSubject subjects=com.sun.identity.admin.model.AndViewSubject conditions=com.sun.identity.admin.model.DateRangeCondition conditions=com.sun.identity.admin.model.DaysOfWeekCondition conditions=com.sun.identity.admin.model.IpRangeViewCondition conditions=com.sun.identity.admin.model.DnsNameViewCondition conditions=com.sun.identity.admin.model.TimeRangeCondition conditions=com.sun.identity.admin.model.TimezoneCondition conditions=com.sun.identity.admin.model.OrViewCondition conditions=com.sun.identity.admin.model.AndViewCondition conditions=com.sun.identity.admin.model.NotViewCondition entitlementCombiner=com.sun.identity.entitlement.DenyOverride $ ssoadm create-appl --realm / --applicationtype iPlanetAMWebAgentService --name myApp --adminid amadmin --password-file /tmp/pwd.txt --datafile application.txt myApp was created.