Setting Up a Group Membership Check in Access Manager

Setting Up a Group Membership Check in Access Manager

Problem



A Forum reader recently asked:

"I'm trying to set up a reverse proxy with authentication to an eDirectory group. I want to check to see if the user is a member of a group. I have this set up on iChain, but I can't figure out how to do it in Access Manager."

And here is the response from Ben Fjelsted ...

Solution



To base access on LDAP groups, you must first make an "Identity Server: Role" policy for the LDAP group that the user is in. Then you can use that role in an "Access Gateway: Authorization" policy.

Here is an example policy set, exported from one of my configurations. It basically says that:

If LDAP Group: [Current]
Comparison: LDAP Group: Is Member of
Value: LDAP Group: cn=sales,o=novell
Result on Condition Error: False

Do Activate Role:
sales_role

Then it uses this role for the Authorization policy "deny_but_sales".

Remember to enable the role in the Identity Server Configuration under [configuration name] > General > Roles. If the role is not enabled, the Permit rule in the Authorization policy never matches and the unconditional Deny rule applies to everyone.


<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 rel. 3 U
(http://www.altova.com)-->
<!-- Policy export containing two policies: the Access Gateway
     Authorization policy "deny_but_sales" and the Identity Server Role
     policy "sales_role" that it depends on. Element and attribute text
     is exactly what the tool exported; only comments have been added.
     The noNamespaceSchemaLocation value is a relative hint; an importer
     should validate against its own known copy of nxpeService.xsd rather
     than resolve whatever path a supplied document points to. -->
<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:1.34:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="./nxpeService.xsd" Revision="0.1">
<xpeml:PolicyCollection schemaVersion="1.34">
<!-- LastModified="4294967295" (2^32 minus 1) on the list, and the same
     value in DateCreated/DateArchived below, looks like an "unset"
     placeholder written by the exporter; confirm before relying on it. -->
<xpeml:PoliciesDefinitionList LastModified="4294967295"
LastModifiedBy="String">
<!-- Policy 1: Access Gateway Authorization policy "deny_but_sales"
     (PEP xpemlPEP_AGAuthorization). Two rules: the Priority 0 rule
     permits when the user's current roles contain "sales_role"; the
     Priority 9 rule denies unconditionally. Both rules carry
     RuleOrder="1", so evaluation order presumably comes from Priority;
     confirm against the product documentation. -->
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1189184590095"
Category="" Name="deny_but_sales" LastModified="1189184619087"
PolicyID="PolicyID_xpemlPEP_AGAuthorization_1189184590095"
DateCreated="4294967295" Description="" DateArchived="4294967295"
LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_AGAuthorization" />
<xpeml:ConfigurationUsageList />
<!-- Rule 1 (Priority 0): Permit. Note Enable="1" here, while every other
     Enable attribute in the file uses "true"; if the schema types it as
     xs:boolean both forms are legal, but "true" would be consistent. -->
<xpeml:Rule RuleID="RuleID_1189184590095" RuleOrder="1"
Enable="1" UserInterfaceID="RuleID_1189184590095"
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="1" Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_Permit" />
</xpeml:Action>
</xpeml:ActionList>
<!-- Condition: CurrentRoles string-equals "sales_role", case-sensitive
     (the "flags" parameter). ResultOnError="false" means an evaluation
     error does not satisfy the Permit condition, so, assuming the
     Priority 9 rule is evaluated next, the request reaches the Deny
     rule below (fail closed). -->
<xpeml:ConditionList>
<xpeml:ConditionSet Enable="true" UserInterfaceID="1"
NOT="0" SetOrder="1">
<xpeml:Condition Enable="true" UserInterfaceID="1"
NOT="0" Order="1" ResultOnError="false">
<xpeml:ConditionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlCondition_string" />
<xpeml:OperatorRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="nxpeOperator_string-equals" />
<xpeml:LHSOperand Value="">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_CurrentRoles" />
</xpeml:LHSOperand>
<xpeml:RHSOperand Value="sales_role">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_SelectedRole" />
</xpeml:RHSOperand>
<xpeml:InstanceParameterList>
<xpeml:Parameter Value="case-sensitive"
UserInterfaceID="case-sensitive" EnumerativeValue="1" Name="flags">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="case-sensitive" />
</xpeml:Parameter>
</xpeml:InstanceParameterList>
</xpeml:Condition>
</xpeml:ConditionSet>
</xpeml:ConditionList>
</xpeml:Rule>
<!-- Rule 2 (Priority 9): Deny with no ConditionList, i.e. it applies to
     every request the Permit rule did not match. Of the three deny
     presentations only SendBlockMessage is Enabled="true"; its Message
     value is URL-encoded (%20 is a space). DefaultBlockPage and
     RedirectToLocation are present but disabled. -->
<xpeml:Rule RuleID="RuleID_1189184607928" RuleOrder="1"
Enable="true" UserInterfaceID="RuleID_1189184607928"
ConditionCombiningAlgorithm="DNF" Description="" Priority="9">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="1" Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_Deny" />
<xpeml:InstanceParameterList>
<xpeml:ParameterGroup UserInterfaceID="DenyParameters"
EnumerativeValue="2621" GroupName="DenyParameters" Order="1">
<xpeml:Choice
UserInterfaceID="ChoiceID_10_1189184609553" EnumerativeValue="10"
Enabled="false" ChoiceName="DefaultBlockPage" Order="1" />
<xpeml:Choice
UserInterfaceID="ChoiceID_20_1189184609553" EnumerativeValue="20"
Enabled="true" ChoiceName="SendBlockMessage" Order="2">
<xpeml:Parameter
Value="You%20must%20be%20in%20the%20Sales%20group%20to%20access%20this%20resource."
UserInterfaceID="ParameterID_1_1189184609553" EnumerativeValue="1"
Name="Message" />
</xpeml:Choice>
<xpeml:Choice
UserInterfaceID="ChoiceID_30_1189184609554" EnumerativeValue="30"
Enabled="false" ChoiceName="RedirectToLocation" Order="3">
<xpeml:Parameter Value=""
UserInterfaceID="ParameterID_1_1189184609554" EnumerativeValue="1"
Name="Redirect" />
</xpeml:Choice>
</xpeml:ParameterGroup>
</xpeml:InstanceParameterList>
</xpeml:Action>
</xpeml:ActionList>
</xpeml:Rule>
</xpeml:Policy>
<!-- Policy 2: Identity Server Role policy "sales_role"
     (PEP xpemlPEP_IDPRoles). Its rule adds the role named "sales_role",
     which rule 1 of the authorization policy above compares against;
     that comparison is case-sensitive, so the spelling must match
     exactly. The role also has to be enabled in the Identity Server
     configuration before it is evaluated. -->
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_IDPRoles_1189184509646" Category=""
Name="sales_role" LastModified="1189199771488"
PolicyID="PolicyID_xpemlPEP_IDPRoles_1189184509646"
DateCreated="4294967295" Description="" DateArchived="4294967295"
LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_IDPRoles" />
<xpeml:ConfigurationUsageList />
<!-- Same Enable="1" versus "true" inconsistency as rule 1 of the
     authorization policy. -->
<xpeml:Rule RuleID="RuleID_1189184509646" RuleOrder="1"
Enable="1" UserInterfaceID="RuleID_1189184509646"
ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
<xpeml:ActionList>
<xpeml:Action UserInterfaceID="ActionID_1189184510593"
Order="1">
<xpeml:ActionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlAction_AddRole" />
<xpeml:InstanceParameterList>
<xpeml:Parameter Value="sales_role"
UserInterfaceID="AdditionalRole" EnumerativeValue="6601"
Name="AdditionalRole" />
</xpeml:InstanceParameterList>
</xpeml:Action>
</xpeml:ActionList>
<!-- Condition: the user's LdapGroup context ldap-group-is-member-of
     "cn=sales,o=novell" (the RHS value is URL-encoded: %3D is "=",
     %2C is ","). ResultOnError="false": if the group lookup fails the
     role is simply not added, which keeps the policy fail closed. -->
<xpeml:ConditionList>
<xpeml:ConditionSet Enable="true" UserInterfaceID="1"
NOT="0" SetOrder="1">
<xpeml:Condition Enable="true" UserInterfaceID="1"
NOT="0" Order="1" ResultOnError="false">
<xpeml:ConditionRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlCondition_ldap-group" />
<xpeml:OperatorRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="nxpeOperator_ldap-group-is-member-of" />
<xpeml:LHSOperand Value="">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_LdapGroup" />
</xpeml:LHSOperand>
<xpeml:RHSOperand Value="cn%3Dsales%2Co%3Dnovell">
<xpeml:ContextDataElementRef
ElementRefType="ExternalWithIDRef"
ExternalDocRef="IDPRoles-default:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlContextDataElement_SelectedLdapGroup" />
</xpeml:RHSOperand>
</xpeml:Condition>
</xpeml:ConditionSet>
</xpeml:ConditionList>
</xpeml:Rule>
</xpeml:Policy>
</xpeml:PoliciesDefinitionList>
</xpeml:PolicyCollection>
</NxpeService>
