Empowering Security Policies with Rules Packages in ZENworks Mobile Workspace

Empowering Security Policies with Rules Packages in ZENworks Mobile Workspace

Objective

This document provides information on how to configure and create contextual rules to modify access rights and security policies, on the fly, based on the mobile context and the user’s metadata in ZENworks Mobile Workspace.

Introduction

The ZENworks Mobile Workspace security server embeds a modified business rule engine (BRMS) called Drools to fit into workspace requirements. This engine enables you to define security policies that cannot be directly defined within ZENworks Mobile Workspace.

Concept Developed Within ZENworks Mobile Workspace





This concept is developed within ZENworks Mobile Workspace. Firstly, to create an input request context in the server configuration, the application gathers all the information from the device, and then developers or business analysts create rules based on this context to modify security policies and access rights, on the fly.


Developing Contextual Rules

Contextual rules are developed using the attributes/objects of the conditional and action elements.

Available Conditional Elements

This section lists the objects whose attributes are used to take a decision.

  • User information model

  • Mobile context model

  • Time context model

  • Location context model

  • Network context model


For more information on these attributes, click here.

Available Action Elements

This section lists the objects whose attributes are modified depending on the condition.

  • Session configuration

  • Security policies configuration

  • Access control configuration


For more information on the attributes, click here.

Development Tool and Language

Drools Rule Language (DRL) is used to develop the contextual rule.  Drools Workbench is a developer friendly interface that can be used to create and edit contextual rules.

For more information on Drools Rule Language and Drools Workbench, click here.

Sample Contextual Rule

The sample rule displayed below is developed using conditional elements of the Time context model. The defined action elements will restrict access to the ZENworks Mobile Workspace app. Access is granted during working hours and access is denied during non-working hours. The content of the samplerule.drl is as follows:
package ch.sysmosoft.drool;

//generate from Decision table
import ch.sysmosoft.sense.common.model.RulesCalendar;
import ch.sysmosoft.sense.common.model.SessionContextHolder;
import ch.sysmosoft.sense.common.enums.AccessDeniedReason;

//rule values at A10, header at A5
rule "Morning"
when
session:SessionContextHolder(this != null)
calendar:RulesCalendar(weekday == true)
    eval(calendar.isInInterval("07:00", "12:00"))
then
    session.setAccessGranted(true);
session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A11, header at A5
rule "Lunch"
when
session:SessionContextHolder(this != null)
calendar:RulesCalendar(weekday == true)
eval(calendar.isInInterval("12:00", "13:30"))
then
session.setAccessGranted(false);
session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A12, header at A5
rule "Afternoon"
when
session:SessionContextHolder(this != null)
calendar:RulesCalendar(weekday == true)
eval(calendar.isInInterval("13:30", "17:30"))
then
session.setAccessGranted(true);
session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A13, header at A5
rule "Night"
when 
      session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == true)
    eval(calendar.isInInterval("17:30", "07:00"))
then 
      session.setAccessGranted(false);
session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

//rule values at A14, header at A5
rule "Weekend"
when
        session:SessionContextHolder(this != null)
    calendar:RulesCalendar(weekday == false)
then
session.setAccessGranted(false);
session.setAccessDeniedReason(AccessDeniedReason.NO_REASON);
end

 

Configuring and Enabling Contextual Rules in ZENworks Mobile Workspace

  1. Log into the security server web console as an administrator.

  2. Navigate to GENERAL > Contextual rules. The Contextual rules configuration page is displayed.




Defining a Contextual Rule

  • Click on Create (+) icon to create a rule. The following screen is displayed.




  • Specify the Name and Version of the file.

  • Upload a DRL file by clicking the Choose File button.

  • Click the Create button. A rule is created with the specified name and it can be assigned to a security group


 

Enabling Contextual Rules

Follow the steps below to assign a contextual rule to a security setting:

  1. In the same web console window (logged in as the Administrator), click GENERAL> Security settings.

  2. Click on the Edit (Pen) icon against the Security setting for which the contextual rule has to be assigned.

  3. In the Edit Security Settings page, below the Rules Package section, select the checkbox to enable rules execution and select the rule that has to be executed for this security setting.

  4. Click the Update button to save the changes.


The assigned contextual rule is applied on the ZENworks Mobile Workspace app for the users associated with the Security group to which this Security setting is mapped.

For more information on Security Group and Security Settings click here.

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2019-01-24 14:51
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.