
Single Sign-On for Java 3.3.2 - Administration Guide


Policy XML Descriptor Elements

This section describes the following policy XML descriptor elements:

role

The role element defines a security role that may be associated with a set of resources. Membership of the role can include Active Directory groups or principals, or other roles.

If the idm.access.groupsAsRoles option is enabled, role definitions can be used to avoid name clashes with existing Active Directory groups.

Table 1: Attributes: role

| Attribute | Required | Description      |
|-----------|----------|------------------|
| name      | Yes      | Name of the role |

Table 2: Elements: role

| Element   | Required | Description                                                                  |
|-----------|----------|------------------------------------------------------------------------------|
| <include> | Yes      | Contains a list of the groups, users or roles that are members of this role     |
| <exclude> | Optional | Contains a list of the groups, users or roles that are not members of this role |

Note: Group names are case-sensitive.

Examples

  1. Allow the user Alice, and nobody else:

    <role name="TechniciansGroupA">
      <include>
        <user name="Alice"/>
      </include>
    </role>

  2. Allow the users Bob and Carol in the ACME domain, and nobody else:

    <role name="TechniciansGroupB">
      <include>
        <user name="Bob@ACME"/>
        <user name="Carol@ACME"/>
      </include>
    </role>

  3. Allow all users at the ACME domain and all users at the APEX domain:

    For this example, we use the well-known Active Directory group “Domain Users” to represent all users in a domain.

    <role name="TechniciansAndUnqualified">
      <include>
        <group name="Domain Users@ACME"/>
        <group name="Domain Users@APEX"/>
      </include>
    </role>

  4. Allow all users in the ACME domain, except for Alice:

    <role name="AlmostAllTechnicians">
      <include>
        <group name="Domain Users@ACME"/>
      </include>
      <exclude>
        <user name="Alice@ACME"/>
      </exclude>
    </role>

    Note: It is a property of Active Directory that all users belong to the Domain Users group.

  5. Allow Dave and Alice in the APEX domain, and Carol in the ACME domain:

    <role name="Unqualified">
      <include>
        <user name="Alice@APEX"/>
        <user name="Dave@APEX"/>
        <user name="Carol"/>
      </include>
    </role>

    Note: The default domain of the role above is ACME.

  6. Allow all technicians, except those who may be unqualified:

    <role name="QualifiedTechnicians">
      <include>
        <role name="AllTechnicians"/>
      </include>
      <exclude>
        <role name="Unqualified"/>
      </exclude>
    </role>

include

List of groups, users or roles that are members of a given role.

Note: At least one user, group or role element must be present.

Table 3: Elements: include

| Element | Required | Description                                                   |
|---------|----------|---------------------------------------------------------------|
| <group> | Optional | Active Directory group to be included as a member of a given role |
| <role>  | Optional | Role to be included as a member of a given role                   |
| <user>  | Optional | Active Directory user to be included as a member of a given role  |
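The following script is an added example for reviewing policy descriptors offline; it is not part of the product or of this guide. It parses the role, include and exclude elements described above into a small resolver that answers "is this user, with these Active Directory groups, a member of this role?" using the semantics the examples illustrate: a principal is a member when it is matched by <include> and not matched by <exclude>, nested <role> references are resolved recursively, group names are compared case-sensitively, and a name without an @DOMAIN suffix is qualified with a default domain. The default-domain rule, the policy root element name, the cycle handling and the lint check for references to undefined roles are assumptions made for this example, not behaviour documented on this page. The sample policy is constructed from the examples above.

```python
"""Resolve membership of policy-descriptor roles: include minus exclude, nested roles.

Assumptions made for this example (not stated by the guide): the descriptor has a
<policy> root whose direct children are role definitions, names without an
'@DOMAIN' suffix are qualified with a caller-supplied default domain, an undefined
or cyclic role reference matches nobody, and group names are case-sensitive.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy, modelled on examples 3, 5 and 6 from the guide.
SAMPLE_POLICY = """
<policy>
  <role name="AllTechnicians">
    <include>
      <group name="Domain Users@ACME"/>
      <group name="Domain Users@APEX"/>
    </include>
  </role>
  <role name="Unqualified">
    <include>
      <user name="Alice@APEX"/>
      <user name="Dave@APEX"/>
      <user name="Carol"/>
    </include>
  </role>
  <role name="QualifiedTechnicians">
    <include>
      <role name="AllTechnicians"/>
    </include>
    <exclude>
      <role name="Unqualified"/>
    </exclude>
  </role>
</policy>
"""


def qualify(name, default_domain):
    """Append '@DEFAULT_DOMAIN' to a user or group name that carries no domain suffix."""
    return name if "@" in name else f"{name}@{default_domain}"


def load_roles(xml_text):
    """Parse role definitions into {role_name: {"include": [...], "exclude": [...]}}.

    List entries are (kind, name) tuples with kind in 'user', 'group' or 'role'.
    Only direct children of the root are definitions; a <role name=".."/> inside
    <include> or <exclude> is a reference to another role.
    """
    root = ET.fromstring(xml_text)
    roles = {}
    for role in root.findall("role"):
        name = role.attrib["name"]
        entry = {"include": [], "exclude": []}
        for section in ("include", "exclude"):
            block = role.find(section)
            if block is None:
                continue
            for member in block:
                if member.tag not in ("user", "group", "role"):
                    raise ValueError(f"role {name}: unexpected <{member.tag}> in <{section}>")
                entry[section].append((member.tag, member.attrib["name"]))
        # The guide requires at least one user, group or role inside <include>.
        if not entry["include"]:
            raise ValueError(f"role {name}: <include> must list at least one user, group or role")
        roles[name] = entry
    return roles


def lint(roles):
    """Return a list of problems: <include>/<exclude> references to roles that are not defined."""
    problems = []
    for name, entry in roles.items():
        for section in ("include", "exclude"):
            for kind, ref in entry[section]:
                if kind == "role" and ref not in roles:
                    problems.append(f"role {name}: <{section}> references undefined role {ref}")
    return problems


def _matches(entries, roles, user, groups, default_domain, seen):
    """True if the user or any of its groups is matched by one of the entries."""
    for kind, name in entries:
        if kind == "user" and qualify(name, default_domain) == user:
            return True
        if kind == "group" and qualify(name, default_domain) in groups:
            return True
        if kind == "role" and is_member(name, user, groups, roles, default_domain, seen):
            return True
    return False


def is_member(role_name, user, groups, roles, default_domain, _seen=frozenset()):
    """True if user (e.g. 'Bob@ACME') holding the given AD groups is a member of role_name.

    Membership means matched by <include> and not matched by <exclude>. Nested roles
    are resolved recursively; a cycle or an undefined role is treated as no match.
    """
    if role_name not in roles or role_name in _seen:
        return False
    seen = _seen | {role_name}
    entry = roles[role_name]
    included = _matches(entry["include"], roles, user, groups, default_domain, seen)
    excluded = _matches(entry["exclude"], roles, user, groups, default_domain, seen)
    return included and not excluded


ROLES = load_roles(SAMPLE_POLICY)

if __name__ == "__main__":
    for problem in lint(ROLES):
        print("LINT:", problem)
    for user, groups in (("Bob@ACME", {"Domain Users@ACME"}),
                         ("Alice@APEX", {"Domain Users@APEX"}),
                         ("Carol@ACME", {"Domain Users@ACME"})):
        for role in ROLES:
            print(f"{user:12} {role:22} {is_member(role, user, groups, ROLES, 'ACME')}")
```

Two checks in this script are worth keeping in a review workflow. First, a role reference that does not resolve is reported by lint() because its effect is asymmetric: inside <include> it silently grants nobody, but inside <exclude> it silently excludes nobody, which can widen a role without any error. Second, the case-sensitive group comparison means that "domain users@ACME" does not match the "Domain Users@ACME" entry, which is the behaviour the note above describes and a common cause of unexpected denials.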
