Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 175

The first log entry is the request to evaluate the policy. The second log entry is the evaluation of the
policy. The third log entry is the response that is returned. These three log entries can be tied
together by using the following tags:

AMDEVICEID#esp-2FA73CE1A376FD91: When a policy evaluation request is made, the same
Embedded Service Provider processes the request. Even if the Access Gateways are clustered, the
policy evaluation request stays with the Access Gateway that initiated the request.

PolicyID#459O8443-N8P5-KO21-68OM-K172P107N4O5: Each policy is assigned a unique ID,
and this is the ID assigned to the policy called Title_auth in the Administration Console. To search
for all log entries for a policy, use the policy ID. To search for log entries that evaluate the policy,
use the policy name.

AMAUTHID#838976482579AF372C31C47274E9CB28: The request to evaluate a policy does
not contain the ID of the user the request is being made for, but the log entries for the evaluation and
for the response status always contain the ID of an authenticated user. If the policy can be evaluated
without the user being authenticated, these entries do not contain the ID of the user. This kind of
policy might be assigned to a public resource (no authentication required) and use the time of day
condition or day of the week condition for its evaluation criteria. See "When the Protected Resource
Does Not Require Authentication" on page 175.

When the Protected Resource Does Not Require Authentication
The following trace is for an Authorization policy that uses data that is available without
authentication. Authorization policies support a number of these conditions, such as Current Date,
Current Day of Week, Current Day of Month, Current Time Of Day, Client IP, and the URL
conditions. As long as you do not choose to compare what is currently in the HTTP request with a
value that requires authentication (such as an LDAP attribute), the Authorization policy can be
evaluated for an unauthenticated user. The following trace is for a policy with a Current Time of Day
condition. The protected resource does not require authentication, so everyone can access the
resource if their request comes in between 8:00 am and 5:30 pm, local time.
<amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501101050:
AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-
L58L08MN4N5M: NXPESID#4515: Evaluating policy </amLogEntry>
<amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501102050:
AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-
L58L08MN4N5M: NXPESID#4515: AGAuthorization Policy Trace:
~~RL~1~~~~Rule Count: 2~~Success(0)
~~RU~RuleID_1186082720202~time_of_day~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~~1~~True(69)
~~CO~0~TimeOfDay(1005):::Fri Aug 03 10:30:48 MDT
2007(9:30):~com.novell.nxpe.condition.NxpeOperator@time-in-
range~(0)::::~~~True(69)
~~PA~1~~Permit Access~~~~Success(0)
~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherCon
tainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerConta
iner,o=novell:romaContentCollectionXMLDoc),Policy=(time_of_day),Rule=(1::Rule
ID_1186082720202),Action=(Permit::1)~~~~Success(0)
</amLogEntry>
<amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501101021:
AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-
L58L08MN4N5M: NXPESID#4515: Response sent: Status - success </amLogEntry>
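
The correlation described above can be scripted. The following Python is an added example, not part of the Novell manual or product: it groups `<amLogEntry>` records by the AMDEVICEID and PolicyID tags and reports whether any entry in the group carries an AMAUTHID. The function names are hypothetical, the sample is the trace above with the wrapped CO and PC records left out, and reading the PA record's text field as the action is an assumption drawn from that sample.

```python
import re
from collections import defaultdict

# The trace printed above, wraps rejoined; the wrapped CO and PC records are omitted.
SAMPLE = """\
<amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501101050: AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-L58L08MN4N5M: NXPESID#4515: Evaluating policy </amLogEntry>
<amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-L58L08MN4N5M: NXPESID#4515: AGAuthorization Policy Trace:
~~RL~1~~~~Rule Count: 2~~Success(0)
~~RU~RuleID_1186082720202~time_of_day~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~~1~~True(69)
~~PA~1~~Permit Access~~~~Success(0)
</amLogEntry>
<amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-L58L08MN4N5M: NXPESID#4515: Response sent: Status - success </amLogEntry>
"""

ENTRY = re.compile(r"<amLogEntry>(.*?)</amLogEntry>", re.S)
TAG = re.compile(r"\b(AMDEVICEID|AMAUTHID|AM|PolicyID|NXPESID)#([^:\s]+):")
TRACE = re.compile(r"^~~([A-Z]{2})~(.*)~~(\w+\(\d+\))\s*$", re.M)

def parse_entries(text):
    """Yield one dict per <amLogEntry>: tags, message, and trace records."""
    for body in ENTRY.findall(text):
        tags = list(TAG.finditer(body))
        rest = body[tags[-1].end():] if tags else body
        yield {
            "tags": {m.group(1): m.group(2) for m in tags},
            "message": (rest.strip().splitlines() or [""])[0],
            "trace": [(k, [f for f in mid.split("~") if f], res)
                      for k, mid, res in TRACE.findall(body)],
        }

def correlate(text):
    """Group entries by the two tags every entry carries: device ID and policy ID."""
    groups = defaultdict(list)
    for e in parse_entries(text):
        groups[(e["tags"].get("AMDEVICEID"), e["tags"].get("PolicyID"))].append(e)
    return dict(groups)

def summarize(entries):
    """Condense one request/evaluation/response group for review."""
    trace = [r for e in entries for r in e["trace"]]
    return {
        "events": [e["tags"].get("AM") for e in entries],
        # No AMAUTHID on any entry: the policy was evaluated without an authenticated user.
        "authenticated": any("AMAUTHID" in e["tags"] for e in entries),
        # Assumption read off the sample: the PA record's text field names the action.
        "action": next((f[-1] for k, f, _ in trace if k == "PA"), None),
        "status": entries[-1]["message"],
    }
```

Running `summarize` over each group returned by `correlate` gives one line per policy evaluation, which makes it easy to list policies that permit access without an authenticated user.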
Troubleshooting Access Manager Policies 175