An enterprise can have one or more security domains; each security domain has a security policy associated with it. The Enterprise Security installation automatically creates a root organization and a default domain. The default domain contains the root organization, and a predefined security policy is associated with the default domain.
In each domain, you can create one or more suborganizations to represent the departments within your organization—see “Managing organizations and suborganizations”.
Table 5-1 describes the permissions you must have to manage security domains.
Action | Permissions required
---|---
Create a security domain. | WRITE on the domain controlling asset in the domain that contains the root organization.
List the properties of a security domain. | LIST on the domain controlling asset.
Update the properties of a security domain. | READ and UPDATE on the domain controlling asset.
List the organizations in a security domain. | LIST on the organization controlling asset.
Delete a security domain. | READ and DELETE on the domain controlling asset.
Creating a security domain
In the left pane of Enterprise Security Manager, under Configure, select Domains, and click New.
In the Create New Security Domain dialog box, enter:
Domain Name – the name of the new domain.
Domain Policy Name – select the name of the class that implements the security policy. The com.sybase.ep.security.policy.impl.DefaultDomainAssets class implements the default policy.
For information about implementing a new security policy, see “Managing security policies”.
Editing a security domain
To edit the domain name, domain policy name, or domain description:
In the middle pane of Enterprise Security Manager, highlight the domain you want to edit. In the right pane, right-click and select Edit Domain.
In the Edit Domain dialog box, edit the values you want to change, and click OK.
Configuring general properties for a security domain
In the middle pane of Enterprise Security Manager, highlight the domain you want to configure. In the right pane, right-click and select Configure General Properties.
In the Configure Domain General Properties dialog box, enter these values, then click OK:
Domain Property Refresh Time Interval – the number of seconds between refreshes of the domain-specific properties, which the system rereads from the ACDB at that interval. A change you make here does not take effect in running servers until the next refresh.
Enable Auditing – select to enable auditing for the domain. To specify which events to audit, see “Defining which events to audit using Enterprise Security Manager”.
If you do not enable auditing, you need not enter the remaining audit-related values.
Suspend Auditing When Unable to Log Audit Messages – select to turn off auditing when a system problem prevents the audit information from being logged. Selecting this property prevents a failure in the auditing module itself from causing a transaction to roll back. Note that this is a fail-open setting: while auditing is suspended, audited events are not recorded, so if you enable it, make sure the suspension condition itself is monitored.
If the auditing system fails because a domain property is configured incorrectly, you may need to reset the domain properties to their default values—see domainrules.
Include User’s DN in Audit Records – select to include the subject DN in audit records.
Notify Audit Events – select to send notifications of audited events to a JMS message topic.
WARNING! Do not select Notify Audit Events until after you set up both the message service and the message topic in your application server; otherwise, you will not be able to log in to Enterprise Portal—see “Setting up JMS auditing notifications for EAServer”.
Configuring lock manager properties for a security domain
In the middle pane of Enterprise Security Manager, highlight the domain you want to configure. In the right pane, right-click and select Configure Lock Manager.
In the Configure Domain Lock Manager Properties dialog box, enter these values, then click OK:
Enable Login Lock – select to enable the system to lock out users after a specified number of invalid login attempts.
Allowed Invalid Login Attempts – the number of invalid login attempts users are allowed before they are locked out of the system.
Login Lockout Duration – the duration of the lockout. Select one of:
Permanent Lock – account remains locked until an administrator unlocks it.
Minutes – account remains locked for the specified number of minutes.
Reset Login Lockout Counter After – the number of minutes during which invalid login attempts are counted. For example, if you set this property to 60 and Allowed Invalid Login Attempts to 3, then 3 invalid login attempts within 60 minutes lock the account. If only 2 invalid login attempts occur within 60 minutes, the counter is reset to zero at the end of the 60 minutes, and the next invalid login attempt is counted as the first, not the third.
Successful Login Clears Invalid Attempt History – select to delete information about invalid login attempts when users successfully log in.
Enable Authorization Lock – select to lock out users after a specified number of attempts to access a security object for which they do not have access permission.
Allowed Invalid Access Attempts – the number of invalid access attempts users are allowed before they are locked out of the system.
Authorization Lockout Duration – the duration of the lockout. Select one of:
Permanent Lock – authorization remains locked until an administrator unlocks it.
Minutes – authorization remains locked for the specified number of minutes.
Reset Authorization Lockout Counter After – the number of minutes during which unauthorized attempts to access security objects are counted.
Terminate Session When Authorization is Locked – select to terminate users’ sessions when their authorization is locked.
Lock Login Ability When Authorization is Locked – select to prevent users from logging in when their authorization is locked. If you select this option, you must also select Enable Login Lock.
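The login-lock properties above interact in ways that are easy to get wrong (a counting window that resets rather than slides, a timed lock that releases itself versus a permanent lock that waits for an administrator). The following simulation is an added example, not code from Enterprise Security; the class and field names are this example's own, and it uses integer seconds as its clock so it runs offline. It reproduces the scenario from Reset Login Lockout Counter After and contrasts the Minutes and Permanent Lock durations.

```python
"""Login-lockout policy simulation (added example, not Sybase Enterprise
Security code). Models: Enable Login Lock, Allowed Invalid Login Attempts,
Login Lockout Duration (Permanent Lock or Minutes), Reset Login Lockout
Counter After, and Successful Login Clears Invalid Attempt History."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginLockPolicy:
    enable_login_lock: bool = True
    allowed_invalid_attempts: int = 3
    lockout_minutes: Optional[int] = 30       # None models "Permanent Lock"
    reset_counter_after_minutes: int = 60
    successful_login_clears_history: bool = True


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps (s) of counted failures
    locked_at: Optional[int] = None


class LockManager:
    def __init__(self, policy: LoginLockPolicy) -> None:
        self.policy = policy
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _reset_if_window_elapsed(self, st: AccountState, now: int) -> None:
        # The counter runs from the first counted failure and is reset to zero
        # at the end of the Reset Login Lockout Counter After window (not sliding).
        window = self.policy.reset_counter_after_minutes * 60
        if st.failures and now - st.failures[0] >= window:
            st.failures.clear()

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.lockout_minutes is None:
            return True                       # Permanent Lock: only admin_unlock releases it
        if now - st.locked_at >= self.policy.lockout_minutes * 60:
            st.locked_at = None               # timed lockout has elapsed
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: int) -> bool:
        """Record an invalid login; return True if the account is (now) locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        if not self.policy.enable_login_lock:
            return False
        self._reset_if_window_elapsed(st, now)
        st.failures.append(now)
        if len(st.failures) >= self.policy.allowed_invalid_attempts:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: int) -> bool:
        """Valid credentials presented; return False if login must still be refused."""
        st = self._state(user)
        if self.is_locked(user, now):
            return False
        if self.policy.successful_login_clears_history:
            st.failures.clear()
        return True

    def admin_unlock(self, user: str) -> None:
        st = self._state(user)
        st.locked_at = None
        st.failures.clear()


def demo_window_reset() -> tuple:
    """Text scenario: 2 failures inside 60 minutes, a third after the window
    ended. Returns (locked_after_third, counted_failures)."""
    lm = LockManager(LoginLockPolicy(allowed_invalid_attempts=3,
                                     reset_counter_after_minutes=60))
    lm.record_failure("alice", 0)
    lm.record_failure("alice", 10 * 60)
    locked = lm.record_failure("alice", 61 * 60)   # counted as the first, not the third
    return locked, len(lm.accounts["alice"].failures)


def demo_timed_and_permanent() -> tuple:
    """3 failures within the window lock the account; a 30-minute lock
    releases itself, a Permanent Lock waits for an administrator."""
    timed = LockManager(LoginLockPolicy(lockout_minutes=30))
    for t in (0, 60, 120):
        timed.record_failure("bob", t)
    timed_locked = timed.is_locked("bob", 120 + 29 * 60)
    timed_released = timed.is_locked("bob", 120 + 30 * 60)

    perm = LockManager(LoginLockPolicy(lockout_minutes=None))
    for t in (0, 60, 120):
        perm.record_failure("carol", t)
    far_future = 120 + 365 * 24 * 3600
    perm_still_locked = perm.record_success("carol", far_future)   # False: refused
    perm.admin_unlock("carol")
    perm_after_unlock = perm.record_success("carol", far_future)   # True: allowed
    return timed_locked, timed_released, perm_still_locked, perm_after_unlock


if __name__ == "__main__":
    print(demo_window_reset())          # (False, 1)
    print(demo_timed_and_permanent())   # (True, False, False, True)
```

The window is anchored at the first counted failure, which is how the text describes the reset ("reset to zero at the end of 60 minutes"); a sliding window would be stricter. Note also that with Successful Login Clears Invalid Attempt History enabled, an attacker who knows one valid password can clear another user's counter only if that user logs in, so the option is safe in itself but does let a shared or scripted account keep resetting its own counter.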
Configuring password properties for a security domain
In the middle pane of Enterprise Security Manager, highlight the domain you want to configure. In the right pane, right-click and select Configure Password Properties.
In the Configure Domain Password Properties dialog box, enter these values, then click OK:
Password Duration – the number of days that passwords remain valid. The default is 0, which means passwords are valid indefinitely.
Time Window to Change Expired Password – the number of days after passwords expire that users are allowed to change their passwords. The default is 0, which means that users cannot change their passwords after they expire.
Enable Password Strength Verification – select to enable password verification using an existing password validation component—see “Verifying passwords”.
Configuring account properties for a security domain
In the middle pane of Enterprise Security Manager, highlight the domain you want to configure. In the right pane, right-click, and select Configure Account Properties.
In the Configure Domain Account Properties dialog box, enter these values, then click OK:
Account Expires After Inactivity Duration – the number of days that an inactive account remains valid. The default is 0, which means inactive accounts remain valid indefinitely.
Account Expires After Duration – the number of days that any account (active or inactive) remains valid. The default is 0, which means all accounts remain valid indefinitely.
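The password and account properties above share the convention that 0 means "never", and the Time Window to Change Expired Password only matters once Password Duration has elapsed. The following evaluation function is an added example, not Enterprise Security code; the status names, the sample dates and the assumption that a duration of N days makes day N the first expired day are this example's own.

```python
"""Domain password and account expiry evaluation (added example, not Sybase
Enterprise Security code). Models Password Duration, Time Window to Change
Expired Password, Account Expires After Inactivity Duration and Account
Expires After Duration, with 0 meaning "never" for each property."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ExpiryPolicy:
    password_duration_days: int = 0      # 0: passwords valid indefinitely
    change_window_days: int = 0          # 0: cannot change an expired password
    inactivity_expiry_days: int = 0      # 0: inactive accounts remain valid
    account_expiry_days: int = 0         # 0: accounts remain valid indefinitely


@dataclass
class Account:
    created: date
    password_set: date
    last_login: Optional[date] = None    # None: never logged in


def account_status(policy: ExpiryPolicy, acct: Account, today: date) -> str:
    """Return one of: account-expired, account-inactive, password-expired-locked,
    password-expired-change-allowed, ok. Account checks run before password
    checks, since an expired account cannot be rescued by a password change."""
    if policy.account_expiry_days and \
            (today - acct.created).days >= policy.account_expiry_days:
        return "account-expired"
    if policy.inactivity_expiry_days:
        last = acct.last_login or acct.created   # assumption: creation counts as activity
        if (today - last).days >= policy.inactivity_expiry_days:
            return "account-inactive"
    if policy.password_duration_days:
        overdue = (today - acct.password_set).days - policy.password_duration_days
        if overdue >= 0:
            if policy.change_window_days and overdue < policy.change_window_days:
                return "password-expired-change-allowed"
            return "password-expired-locked"
    return "ok"


# Constructed sample data for the demonstration below.
TODAY = date(2024, 6, 1)
DEFAULT_POLICY = ExpiryPolicy()                       # all zeros: the installation defaults
STRICT_POLICY = ExpiryPolicy(password_duration_days=90, change_window_days=7,
                             inactivity_expiry_days=180, account_expiry_days=365)
NO_GRACE_POLICY = ExpiryPolicy(password_duration_days=90)   # change window left at 0
OLD_ACCOUNT = Account(date(2020, 1, 1), date(2020, 1, 1), date(2024, 5, 30))
RECENT_PW_92D = Account(date(2024, 1, 1), date(2024, 3, 1), date(2024, 5, 30))
RECENT_PW_102D = Account(date(2024, 1, 1), date(2024, 2, 20), date(2024, 5, 30))
NEVER_LOGGED_IN = Account(date(2023, 11, 1), date(2023, 11, 1))


def demo() -> dict:
    """Evaluate each sample account against the sample policies."""
    return {
        "defaults_never_expire": account_status(DEFAULT_POLICY, OLD_ACCOUNT, TODAY),
        "old_account_expired": account_status(STRICT_POLICY, OLD_ACCOUNT, TODAY),
        "password_in_change_window": account_status(STRICT_POLICY, RECENT_PW_92D, TODAY),
        "password_past_window": account_status(STRICT_POLICY, RECENT_PW_102D, TODAY),
        "password_no_window": account_status(NO_GRACE_POLICY, RECENT_PW_92D, TODAY),
        "inactive_since_creation": account_status(STRICT_POLICY, NEVER_LOGGED_IN, TODAY),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:28s} {status}")
```

With the defaults (all 0) nothing ever expires, which is why a password-ageing policy needs Password Duration set explicitly. A change window of 0 turns every expiry into an administrator reset, so pair a non-zero Password Duration with a non-zero Time Window to Change Expired Password unless that is the intended behaviour.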
Registering a security policy
Registering a security policy does not assign the policy to a specific domain.
1. In the middle pane of Enterprise Security Manager, highlight All Domains. In the right pane, right-click, and select Register Policy.
2. In the Register Policy dialog box, enter the name of the class that implements the security policy. For example, the name of the class that implements the default security policy is com.sybase.ep.security.policy.impl.DomainAssetsPolicy.
3. Restart the application server.
4. To apply this security policy to a domain, edit the domain, and set Domain Policy Name to the class name you specified in step 2—see “Editing a security domain”.
Listing the organizations in a security domain
In the middle pane of Enterprise Security Manager, highlight the domain you want to configure. In the right pane, right-click, and select List Organizations.
The dialog box that opens displays a list of the organizations in the current domain.