Empowering Security Policies with Rules Packages in ZENworks Mobile Workspace

Objective

This document provides information on how to configure and create contextual rules to modify access rights and security policies, on the fly, based on the mobile context and the user’s metadata in ZENworks Mobile Workspace.

Introduction

The ZENworks Mobile Workspace security server embeds Drools, a business rules management system (BRMS), in a version modified to fit workspace requirements. This engine enables you to define security policies that cannot be directly defined within ZENworks Mobile Workspace.

Concept Developed Within ZENworks Mobile Workspace





Within ZENworks Mobile Workspace, the concept works as follows. First, the application gathers all the information from the device to create an input request context in the server configuration. Developers or business analysts then create rules based on this context to modify security policies and access rights on the fly.


Developing Contextual Rules

Contextual rules are developed using the attributes/objects of the conditional and action elements.

Available Conditional Elements

This section lists the objects whose attributes are used to make a decision.

  • User information model

  • Mobile context model

  • Time context model

  • Location context model

  • Network context model


For more information on these attributes, click here.

Available Action Elements

This section lists the objects whose attributes are modified depending on the condition.

  • Session configuration

  • Security policies configuration

  • Access control configuration


For more information on the attributes, click here.

Development Tool and Language

Drools Rule Language (DRL) is used to develop contextual rules. Drools Workbench is a developer-friendly interface that can be used to create and edit contextual rules.

For more information on Drools Rule Language and Drools Workbench, click here.

Sample Contextual Rule

The sample rule below is developed using conditional elements of the Time context model. The defined action elements restrict access to the ZENworks Mobile Workspace app: access is granted during working hours and denied during non-working hours. The content of samplerule.drl is as follows:

package ch.sysmosoft.drool;

//generate from Decision table
import ch.sysmosoft.sense.common.model.RulesCalendar;
import ch.sysmosoft.sense.common.model.SessionContextHolder;
import ch.sysmosoft.sense.common.enums.AccessDeniedReason;

//rule values at A10, header at A5
rule "Morning"
when
    session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == true)
    eval(calendar.isInInterval("07:00", "12:00"))
then
    session.setAccessGranted(true);
    session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A11, header at A5
rule "Lunch"
when
    session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == true)
    eval(calendar.isInInterval("12:00", "13:30"))
then
    session.setAccessGranted(false);
    session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A12, header at A5
rule "Afternoon"
when
    session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == true)
    eval(calendar.isInInterval("13:30", "17:30"))
then
    session.setAccessGranted(true);
    session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A13, header at A5
rule "Night"
when
    session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == true)
    eval(calendar.isInInterval("17:30", "07:00"))
then
    session.setAccessGranted(false);
    session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A14, header at A5
rule "Weekend"
when
    session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == false)
then
    session.setAccessGranted(false);
    session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end
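
An added example, not part of the original article or the product's code: a Python audit of the rule table above that checks whether every minute of the week is matched by a rule and whether the matching rules disagree on granting access. How RulesCalendar.isInInterval treats its end bound and an interval that crosses midnight (as in "Night") is not stated on this page, so in_interval models both as assumptions that can be switched.

```python
from itertools import product

# Rule table transcribed from samplerule.drl:
# (name, weekday flag, start, end, grants access)
RULES = [
    ("Morning",   True,  "07:00", "12:00", True),
    ("Lunch",     True,  "12:00", "13:30", False),
    ("Afternoon", True,  "13:30", "17:30", True),
    ("Night",     True,  "17:30", "07:00", False),
    ("Weekend",   False, None,    None,    False),
]

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def in_interval(t, start, end, inclusive_end=False, wrap=True):
    """Assumed model of isInInterval; the real semantics are not documented here."""
    s, e = minutes(start), minutes(end)
    below_end = (lambda x: x <= e) if inclusive_end else (lambda x: x < e)
    if s <= e:
        return s <= t and below_end(t)
    # start > end: the interval crosses midnight (the "Night" rule)
    return wrap and (t >= s or below_end(t))

def matching_rules(weekday, t, **model):
    return [name for name, wd, s, e, _ in RULES
            if wd == weekday and (s is None or in_interval(t, s, e, **model))]

def audit(**model):
    """Return (gaps, conflicts): minutes no rule matches, and minutes
    where the matching rules disagree on granting access."""
    grants = {name: g for name, _, _, _, g in RULES}
    gaps, conflicts = [], []
    for weekday, t in product((True, False), range(24 * 60)):
        hits = matching_rules(weekday, t, **model)
        if not hits:
            gaps.append((weekday, t))
        elif len({grants[h] for h in hits}) > 1:
            conflicts.append((weekday, t, hits))
    return gaps, conflicts
```

Under half-open, wrap-aware intervals the table is complete and conflict-free. With an inclusive end bound, 07:00, 12:00, 13:30 and 17:30 each match one granting and one denying rule, and without midnight wrap-around no rule matches on weekdays between 17:30 and 07:00, so confirm the engine's actual behaviour before relying on the rule set.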

 

Configuring and Enabling Contextual Rules in ZENworks Mobile Workspace

  1. Log in to the security server web console as an administrator.

  2. Navigate to GENERAL > Contextual rules. The Contextual rules configuration page is displayed.




Defining a Contextual Rule

  • Click the Create icon to create a rule. The following screen is displayed.




  • Specify the Name and Version of the file.

  • Upload a DRL file by clicking the Choose File button.

  • Click the Create button. A rule is created with the specified name, and it can be assigned to a security group.


 

Enabling Contextual Rules

Follow the steps below to assign a contextual rule to a security setting:

  1. In the same web console window (logged in as the Administrator), click GENERAL > Security settings.

  2. Click the Edit (Pen) icon next to the Security setting to which the contextual rule has to be assigned.

  3. In the Edit Security Settings page, below the Rules Package section, select the checkbox to enable rules execution and select the rule that has to be executed for this security setting.

  4. Click the Update button to save the changes.


The assigned contextual rule is applied to the ZENworks Mobile Workspace app for the users associated with the Security group to which this Security setting is mapped.

For more information on Security Group and Security Settings, click here.
