Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 80

You need to decide on the type of Authorization policy you want to create. For example, you can
create a Deny policy that denies access to everyone who does not match the condition (in this case,
the Sales role). Or you can create a two-rule policy that allows access to everyone that matches the
condition. The first rule grants access to everyone who has the Sales role, and the second rule denies
access to everyone who did not match the conditions of the first rule. (Other methods are also
possible.) Because the proposed Deny policy is very similar to the LDAP Context Policies example,
the following procedures explain how to create the two-rule policy.
1 In the Administration Console, click Policies > Policies > New.
2 Specify a name for the policy, select Access Gateway: Authorization as the type, then click OK.
3 (Optional) Provide a description for the rule.
4 In Condition Group 1, click New, and select Roles.
5 Fill in the following fields:
If/If Not: Select If.
Roles: Select [Current].
Comparison: Select String: Equals.
Mode: Select Case Insensitive.
Value: Select Roles, then select Sales.
Result on Condition Error: Select False.
6 Under Actions, select Permit, then click OK.
These steps create the Permit rule and set up the condition so that the following occurs:
- When the user does not match the condition because the user does not belong to the Sales role, the policy engine moves to the next rule in the policy.
- When the user does match the condition because the user belongs to the Sales role, the user is granted access.
- If an error occurs when evaluating the condition of the policy, the user does not match the condition and the policy engine moves to the next rule in the policy.
7 In the Rule List, click New.
This second rule is for denying access to everyone who does not match the condition in Rule 1.
Processing of the policy stops when a user matches a rule; therefore all users who match Rule 1
are granted access and the policy engine does not evaluate the second rule.
8 Set the Priority to be 2 or greater.
You want the Permit rule to be processed first, so it should have a priority of 1. The Deny rule
needs to be processed last, so it needs a lower priority (a larger priority number) than the Permit rule.
9 Leave the Condition Group 1 empty.
The Conditions section is left empty so that everyone who does not match the conditions of the
Permit rule is denied access to the resource.
10 In the Actions section, select Deny and either accept the default action or select one of the other
actions.
11 Click OK twice.
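The following is an added example, not code from the Novell guide or from Access Manager itself. It is a small Python model of the rule-evaluation semantics the procedure relies on: rules are evaluated in priority order, processing stops at the first rule whose conditions match, an empty condition group matches everyone, and a condition that errors out takes its configured Result on Condition Error value. The two-rule policy from the steps above is built beside the single-rule Deny alternative mentioned at the top of the page so the two can be compared on the same users. The role comparison is string-equals, case insensitive, as in step 5. Assumptions not stated on the page and modelled here: conditions within one condition group are ANDed, the error result is not inverted by If Not, and a user whose role attribute cannot be read is treated as a condition error.

```python
"""Toy model of first-match authorization-policy evaluation (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

User = Dict[str, List[str]]   # constructed user record: {"roles": [...]}


@dataclass
class Condition:
    """One condition row: the test, If / If Not, and Result on Condition Error."""
    test: Callable[[User], bool]
    negate: bool = False            # False = "If", True = "If Not"
    result_on_error: bool = False   # value of "Result on Condition Error"

    def evaluate(self, user: User) -> bool:
        try:
            matched = self.test(user)
        except Exception:
            # Modelled assumption: the configured error result is final and is
            # not inverted by If Not.
            return self.result_on_error
        return (not matched) if self.negate else matched


@dataclass
class Rule:
    priority: int                   # 1 is evaluated first
    action: str                     # "Permit" or "Deny"
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, user: User) -> bool:
        # An empty condition group matches everyone; conditions within a
        # group are ANDed (modelled assumption).
        return all(c.evaluate(user) for c in self.conditions)


def role_equals(role: str) -> Callable[[User], bool]:
    """Roles: [Current], Comparison: String: Equals, Mode: Case Insensitive."""
    def test(user: User) -> bool:
        # A missing role attribute raises KeyError, modelled as a condition error.
        return any(r.lower() == role.lower() for r in user["roles"])
    return test


def evaluate_policy(rules: List[Rule], user: User) -> Optional[str]:
    """Return the action of the first matching rule in priority order.

    Returns None when no rule matches; the page does not state what the
    engine does in that case, so the model leaves it to the caller.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(user):
            return rule.action          # processing stops at the first match
    return None


# The two-rule policy built in steps 1-11: Permit Sales, then Deny everyone else.
TWO_RULE_POLICY = [
    Rule(priority=1, action="Permit",
         conditions=[Condition(role_equals("Sales"), negate=False, result_on_error=False)]),
    Rule(priority=2, action="Deny"),    # Condition Group 1 left empty
]

# The single-rule alternative: Deny everyone who does NOT have the Sales role.
DENY_IF_NOT_POLICY = [
    Rule(priority=1, action="Deny",
         conditions=[Condition(role_equals("Sales"), negate=True, result_on_error=False)]),
]


if __name__ == "__main__":
    # Constructed sample users, including one with no readable role attribute.
    for user in ({"roles": ["Sales"]}, {"roles": ["sales", "Staff"]},
                 {"roles": ["Marketing"]}, {}):
        print(user,
              "two-rule:", evaluate_policy(TWO_RULE_POLICY, user),
              "deny-if-not:", evaluate_policy(DENY_IF_NOT_POLICY, user))
```

Running the script shows the point of step 8 (the Deny rule is reached only when the Permit rule does not match, regardless of the order the rules were entered) and the reason step 5 sets Result on Condition Error to False for a Permit rule: a user whose roles cannot be evaluated falls through to the catch-all Deny. In the single-rule Deny variant the same error result makes the Deny condition false, so that user matches no rule at all, which is the kind of divergence to check when choosing between the two designs.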