4.3 Configuring the Security Policy Object

When you install and configure NMAS, a Security container is created and a Security Policy object is created in the Security container. The Security Policy object allows you to create, view, and rename names for clearances, security labels and categories for your NMAS implementation. You can then use these names to assign the security labels to any eDirectory attribute or NetWare volumes. You can also assign clearances to User objects in your eDirectory tree from the user's property page.

Authorized and default clearances can be assigned to a user, a container, a partition root, or the login policy object. NMAS locates the authorized and default clearances for a user by attempting to read the attributes from, in order, the User object, then the container of the User object, then the partition root of the User object, and finally the login policy object; the first object on which the attribute is found supplies the value.

The clearances assigned to the User object supersede any clearances assigned to the container, partition root, or login policy object. If a clearance has been assigned to a partition root, that clearance applies to all the users under that partition root only if a clearance has not already been individually assigned to specific users.

Also, a clearance assigned to a container applies only to the users with unassigned clearances in that container, and not to the users in subcontainers of that container.
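The lookup order and override rules described above, modeled as an added example (not NMAS code). The directory is a constructed dictionary of DNs, and "Default Clearance" is a stand-in key, not the real eDirectory schema attribute name:

```python
# Added example (not NMAS code): models the clearance lookup order this section describes.
# Directory data is a constructed dict {dn: {attribute: value}}; "Default Clearance" is a
# stand-in key, not the real eDirectory schema attribute name.
LOGIN_POLICY_DN = "cn=Login Policy,cn=Security"
PARTITION_ROOTS = {"o=Acme"}  # constructed: o=Acme is the only partition root here

DIRECTORY = {
    "cn=carol,ou=Sales,ou=HQ,o=Acme": {"Default Clearance": "Biometric"},
    "cn=alice,ou=Sales,ou=HQ,o=Acme": {},
    "cn=bob,ou=HQ,o=Acme": {},
    "ou=Sales,ou=HQ,o=Acme": {},
    "ou=HQ,o=Acme": {"Default Clearance": "Password & Token"},
    "o=Acme": {"Default Clearance": "Password"},
    "cn=dave,o=Lab": {},
    LOGIN_POLICY_DN: {"Default Clearance": "Logged In"},
}


def parent(dn):
    """Immediate container of a DN, or None at the top of the tree."""
    return dn.split(",", 1)[1] if "," in dn else None


def partition_root(dn):
    """Nearest ancestor (starting at the object's own container) that is a partition root."""
    node = parent(dn)
    while node is not None and node not in PARTITION_ROOTS:
        node = parent(node)
    return node


def resolve(attribute, user_dn, directory=DIRECTORY):
    """Return (dn the value was read from, value) following the order on this page:
    User object, then its container, then its partition root, then the login policy object.
    Only the user's immediate container is consulted, so a clearance set on a grandparent
    container is skipped, matching the 'not the users in subcontainers' rule."""
    for dn in (user_dn, parent(user_dn), partition_root(user_dn), LOGIN_POLICY_DN):
        if dn is not None and attribute in directory.get(dn, {}):
            return dn, directory[dn][attribute]
    return None, None
```

Note that alice, two levels below ou=HQ, does not inherit the HQ clearance and falls through to the partition root, while bob, directly under ou=HQ, does inherit it.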

4.3.1 Defining User-Defined Categories (Closed User Groups)

In addition to the three predefined secrecy categories and three predefined integrity categories (Biometric, Token, Password), you can define your own secrecy and integrity categories for use in security labels. For example, the Biometric secrecy and integrity categories indicate that access to an object is restricted to users who logged in with a biometric method.

After you have created a category, you cannot delete it. You can view or rename it.

Using ConsoleOne to Create a New Category

  1. In ConsoleOne, double-click the Security container, then click Security Policy.

  2. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  3. Click Add, then specify a name for the category.

  4. Click OK.

The new category is now available for use in defining a security label.

Using iManager to Create a New Category

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  4. Click Add, specify a name for the category, then click OK.

  5. Click OK or Apply.

Using ConsoleOne to Rename a Category

  1. In ConsoleOne, double-click the Security container, then click Security Policy.

  2. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  3. Select the category you want to rename, then click Rename Category.

  4. Specify the new name, click OK, then click OK or Apply.

Using iManager to Rename a Category

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click the Define Categories tab, then select either Secrecy Categories or Integrity Categories.

  4. Select the category you want to rename, then click Rename.

  5. Specify the new name, click OK, then click OK or Apply.

4.3.2 Defining Security Labels

NMAS provides eight security labels by default. Security labels are also used as single-level security clearances.

After you have created a security label, you cannot modify it or delete it. You can view its properties and rename it.

Using ConsoleOne to Create a New Security Label

  1. In ConsoleOne, double-click the Security container, then click Security Policy.

  2. Click Define Labels.

  3. Click New Label, then specify a name for the label.

  4. Assign integrity and secrecy categories to the new label by using the horizontal arrows.

  5. Click OK.

Using iManager to Create a New Security Label

  1. In iManager, click Directory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click Define Labels.

  4. Click New, specify a name for the label, then click OK.

  5. Assign integrity and secrecy categories to the new label by using the horizontal arrows.

  6. Click OK or Apply.

Using ConsoleOne to Rename a Security Label

  1. In ConsoleOne, select a label from the Defined Security Labels drop-down list.

  2. Click Rename Label.

  3. Specify a new name for the label.

  4. Click OK.

Using iManager to Rename a Security Label

  1. In iManager, click Directory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click Define Labels.

  4. Select a label from the Defined Security Labels drop-down list.

  5. Click Rename.

  6. Specify a new name for the label, then click OK.

  7. Click OK or Apply.

4.3.3 Defining Clearances

When you create a clearance, you select two labels, a Read label and a Write label. The Read label must dominate or be equal to the Write label. In fact, when creating a security clearance, you won't have the option to select a Write label that dominates the Read label.

For example, the Password & Token security label has dominance over the Password security label, so you could select the Password & Token label as your Read label and the Password label for your Write label.

You can also define your own security clearances to meet your company's authentication needs.

After you have created a clearance, you cannot modify it or delete it. You can view its properties and rename it.

Using ConsoleOne to Create a New Clearance

  1. In ConsoleOne, double-click the Security container, then click Security Policy.

  2. Click the Clearances tab > Definition.

  3. Click New Clearance, then specify a name for the clearance.

  4. Select a security label from the Read label drop-down list.

    This label is the Read label for this clearance. You must select a Read label before you can select a Write label.

  5. Select a security label from the Write label drop-down list.

    This label is the Write label for this clearance. You can't select a Write label that has greater dominance than the Read label.

  6. Click OK or Apply.

Using iManager to Create a New Clearance

  1. In iManager, click Directory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click the Clearances tab.

  4. Click New, specify a name for the clearance, then click OK.

  5. Select a security label from the Read label drop-down list.

    This label is the Read label for this clearance. You must select a Read label before you can select a Write label.

  6. Select a security label from the Write label drop-down list.

    This label is the Write label for this clearance. You can't select a Write label that has greater dominance than the Read label.

  7. Click OK or Apply.

Using ConsoleOne to View the Properties of a Clearance

  1. In ConsoleOne, select a clearance from the Clearance drop-down list.

    You can see the Read and Write labels that are used to define the clearance.

Using iManager to View the Properties of a Clearance

  1. In iManager, click Directory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click the Clearances tab.

  4. Select a clearance from the Default Clearance drop-down list.

    The Read and Write labels that are used to define the clearance are displayed.

Using ConsoleOne to Rename a Clearance

  1. In ConsoleOne, select a clearance from the Default Clearance drop-down list.

  2. Click Rename Clearance.

  3. Specify the new name for the clearance.

  4. Click OK.

Using iManager to Rename a Clearance

  1. In iManager, click Directory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click the Clearances tab.

  4. Select a clearance from the Default Clearance drop-down list.

  5. Click Rename.

  6. Specify the new name for the clearance, then click OK.

  7. Click OK or Apply.

4.3.4 Viewing Security Clearance Access

A quick way to determine the access rights a clearance allows to objects assigned to a particular label is to view the Access page (Click Clearance > Access). This page tells you the clearance that a user needs for Read and Write access, Read-only access, and No access to information and resources with a specific label.

To use ConsoleOne to view the access rights for a clearance:

  1. In ConsoleOne, double-click the Security container, then click Security Policy.

  2. Click the Clearances tab > Access.

  3. Select a clearance from the Clearance drop-down box.

    Each defined label is grouped by the access the clearance has to the labeled object.

To use iManager to view the access rights for a clearance:

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse for and select the Security container, select Security Policy, then click OK.

  3. Click the Clearances tab > Access.

  4. Select a clearance from the Clearance drop-down box.

    Each defined label is grouped by the access the clearance has to the labeled object.
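The Read/Write dominance rule from 4.3.3 and the grouping shown on the Access page in 4.3.4, modeled together as an added example (not NMAS code). It assumes that a label dominates another when it holds every category the other holds, and that write access follows the classical rule that the object's label must lie between the clearance's Write and Read labels; the label set is a constructed subset built from the three predefined categories named on this page:

```python
# Added example (not NMAS code): labels as category sets, the Read/Write clearance rule,
# and the Access page grouping. Assumptions: dominance = category-set inclusion; write
# access requires the object's label to lie between the Write and Read labels.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    name: str
    categories: frozenset

    def dominates(self, other):
        """Dominance modeled as category-set inclusion (assumption, see lead-in)."""
        return self.categories >= other.categories


@dataclass(frozen=True)
class Clearance:
    name: str
    read: Label
    write: Label

    def __post_init__(self):
        # The page's rule: the Read label must dominate or equal the Write label.
        if not self.read.dominates(self.write):
            raise ValueError(f"{self.name}: Write label '{self.write.name}' dominates Read label")

    def access(self, obj):
        """'read-write', 'read-only' or 'none' for an object carrying label obj."""
        can_read = self.read.dominates(obj)
        can_write = can_read and obj.dominates(self.write)
        return "read-write" if can_write else "read-only" if can_read else "none"


def make_label(name, *cats):
    return Label(name, frozenset(cats))


# Constructed subset of labels built from the predefined categories named on this page.
LABELS = [make_label("Logged In"), make_label("Password", "Password"),
          make_label("Token", "Token"), make_label("Biometric", "Biometric"),
          make_label("Password & Token", "Password", "Token"),
          make_label("Biometric & Password & Token", "Biometric", "Password", "Token")]
BY_NAME = {lab.name: lab for lab in LABELS}


def access_page(clearance, labels=LABELS):
    """Group each label by the access the clearance has to objects carrying it."""
    groups = {"read-write": [], "read-only": [], "none": []}
    for lab in labels:
        groups[clearance.access(lab)].append(lab.name)
    return groups


# The page's own example: Read = Password & Token, Write = Password.
PT_OVER_P = Clearance("Password & Token / Password", BY_NAME["Password & Token"], BY_NAME["Password"])
```

Swapping the two labels (Read = Password, Write = Password & Token) raises ValueError, mirroring the UI refusing to offer a Write label that dominates the Read label.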