Table Of Contents
Preface
Objective
What's New
Audience
Document Organization
Document Conventions
Related Documentation
Changes to This Document
Obtaining Documentation and Submitting a Service Request
Preface
This preface explains the objectives, intended audience, and organization of the Cisco Enterprise Policy Manager User Guide and describes the conventions that convey instructions and other information.
The preface contains the following sections:
•Objective
•Audience
•Document Organization
•Document Conventions
•Related Documentation
•Changes to This Document
•Obtaining Documentation and Submitting a Service Request
Objective
Enterprises are facing enormous pressure to simultaneously protect sensitive data and meet compliance requirements, increase business process efficiencies, and bring new revenue-generating services to market within very limited time and cost constraints. Policy-based access control is a critical component of security and compliance efforts, and it can reduce the costs and complexity of securely managing and auditing access privileges.
In most dynamic business organizations, critical information and resources, such as financial data, confidential records, and web services reside on distributed servers, each having its own unique set of users, access policies, and administrative parameters. Additionally, business resources are being exposed to a wider range of users whose roles and entitlements are dynamic and frequently changing.
Multiplied across a large enterprise, this creates an environment that is highly complex to systematically and securely administer. The solution to this problem is entitlement management: the application of policy-based, fine-grained access control.
The Cisco Enterprise Policy Manager (CEPM) is a scalable, standards-based product for managing entitlements. The PDP leverages and extends the already deployed application and security infrastructure, including existing identity management solutions or repositories.
A structured approach to the architecture of CEPM exposes the rationale for entitlement management by creating policies randomly clustered with policy attributes and encapsulated rules on the resources of your application.
This document describes in detail the various functionalities provided by the administration console to configure the entitlement mechanism for your applications.
What's New
•Enhanced policy migrations—CEPM now supports selective export of any data in the entitlement repository. Export can be performed for selected entities and entity types that are available in Home > Manage Entities > Import/Export page.
•Rules can be reused or shared—CEPM now supports configuring simple and complex rules that you can reuse and share. Existing rules can be used in multiple policies. In addition to this, rules can also be shared or referenced in other rules.
•Status Bar in PAP—CEPM displays a progress bar for PAP features that take a long time to complete. For example, import, export, create repository, and so on.
•Regular expressions in Rule Editor—CEPM now enables the PAP Administrator to configure rules using regular expression in the Rule Editor.
•Enhanced encryption capabilities—The PAP administrator can make use of an external encryption scheme other than the default encryption facility provided by CEPM. As a PAP administrator, you can plug in third-party crypto modules into CEPM.
•Sybase PIP—CEPM supports Sybase database as a PIP (Policy Information Point). Sybase can be selected from the list of databases while creating a PIP in Home > System Config > External Attribute Sources > Application Attribute Sources page.
•Enable logs for resources—Logging in CEPM can now be done at the resource level. While creating or updating a resource, logging can be enabled by selecting the `Enable XACML Logs' check box.
•Simplified Search functionality—The Search Entity functionality for users, roles, or groups in the PAP UI is simplified. Entity types can be set as a search criteria for searching an entity.
•Mandatory Attributes for Entities—While creating an entity type (resource, role, group, etc.) the attributes can be marked as mandatory. For example, if a usertype `Analyst' has an attribute called `Age' which is marked as mandatory, then `Age' must be provided while creating a user of type `Analyst'.
•Sorting of application and resources names—Applications and resources are displayed in alphabetical order in the resource tree. This is a default functionality, and user cannot change the resource order.
•Viewing Allowed Resources for User and Role—CEPM enables viewing of `only allowed resources' for a user/group/role while auditing. For example, to view only allowed resources for a user, go to Home > Auditing & Reporting > Audit Entitlements > User page and select Only-Allowed-Resource from the Entitlement Type drop-down.
•Enumerate resource type attributes—`Null' can be set as the default value while enumerating an entity type attribute. For example, a usertype `Guest' has an attribute called `ID' of type enum with values 30, or 31. While creating a user of type `Guest', `ID' can be set to null (blank), 30, or 31.
•Policy lookup—The CEPM PDP can now store policies applicable to a request in a readily accessible manner. Policies applicable to a combination of subject, role bundle, context, and resource are stored in the policy or ACL table for easy lookup of the PDP. Policy administrators may start (and update) the policy table independent of a request processed by the PDP.
Audience
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
Document Organization
This guide contains the following chapters and appendixes:
•Chapter 1, "Cisco Enterprise Policy Manager"
•Chapter 2, "Overview of the PAP Console"
•Chapter 3, "Login Page and Home Page"
•Chapter 4, "Manage Entities"
•Chapter 5, "Manage Entitlements"
•Chapter 6, "Auditing and Reporting"
•Chapter 7, "System Config"
•Chapter 8, "Delegated Administration"
•Appendix B, "PAP User Login Authentication Using LDAP and SSO"
•Appendix A, "Policy Combining Algorithm and Obligation"
•Appendix C, "Open Source License Acknowledgements"
Document Conventions
Caution Means
reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Related Documentation
Following documents are available with this release:
Table 1 List of Documents available with CEPM V3.3.0.0
Documentation Title
|
Description and Location of the Document in Cisco.com
|
CEPM Installation & Configuration Guide
|
Provides step-by-step instructions on how to install CEPM Components, such as Policy Administration Point (PAP) and Policy Decision Point (PDP), in various supported combinations of operating system, database, and application server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Installation_Guide/Install_and_Config_Guide/CEPM_Install_and_Config_Guide.html
|
CEPM Quickstart Guide
|
Provides a quick, step-by-step procedure for starting up and using CEPM. This guide also walks you through the setup of a basic application and its resources, the securing of its resources with policies, and the testing of those policies.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Quick_Start_Guide/CEPM_Quick_Start_Guide.html
|
CEPM Concept Guide
|
Provides general information on CEPM architecture and entitlement management.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Concept_Guide/CEPM_Concept_Guide.html
|
CEPM Capacity Planning Guide
|
Discusses the different deployment options that are possible using CEPM. It also recommends the database size depending on the parameters of the application that is being protected by CEPM.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Capacity_Planning_Guide/CEPM_Capacity_Planning_Guide.html
|
CEPM Resource Models
|
Describes concepts related to basic policy-based application entitlement which ensures that a subject accessing a resource (or invoking an action on a resource) is allowed or denied, based on attributes-based rules.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Guide/Resource_Models/CEPM_Resource_Models.html
|
CEPM Java Developers Guide
|
Provides guidelines for using the Policy Enforcement Point (PEP) and PAP APIs, and provides instructions for configuring the PEP agent and Java Server Page (JSP) tag libraries.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Developer_Guide/Java_Developer_Guide/CEPM_Java_Developer_Guide.html
|
CEPM Dotnet Developers Guide
|
Provides guidelines for using the PEP and PAP APIs, and provides instructions for configuring the PEP agent for dotnet applications.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Developer_Guide/DotNet_Developer_Guide/CEPM_DotNet_Developer_Guide.html
|
CEPM PAP Configurations Guide
|
Provides guidelines to configure the PAP configuration parameters available in the pap_config.xml file.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/PAP_Configuration_Guide/CEPM_PAP_Configuration_Guide.html
|
CEPM PDP Configurations Guide
|
Provides guidelines to configure the PDP configuration parameters available in the pdp_config.xml file.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/PDP_Configuration_Guide/EPMPDPConfigs_chap.html
|
CEPM PEP Configurations Guide
|
Provides guidelines to configure the PEP configuration parameters available in the pep_config.xml file.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/PEP_Configuration_Guide/EPMPEPConfigs_chap.html
|
CEPM Inprocess PDP Deployment Guide
|
Provides guidelines for deployment of CEPM In-Process PDP in the stand-alone client-side applications.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Configuration_Guide/In_Process_PDP/EPMInPDPDeploy_chap.html
|
CEPM Dotnet Agent Guide
|
Provides step-by-step instructions to deploy the CEPM Dotnet Agent used by any .NET based application (either a desktop or a web-based application). It also describes about a COM-wrapped agent, which is supported for VB, C++, and other Windows-based applications.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/Dotnet_Agent/CEPM_Dotnet_Agent_Guide.html
|
CEPM SharePoint Agent Guide
|
Provides a step-by-step procedure to install CEPM SharePoint Agent and integrate the Policy Administration Point (PAP) with your web applications running on SharePoint Server 2007.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/SharePoint_Agent/CEPM_SharePoint_Agent_Guide.html
|
CEPM SSPI Agent Guide
|
Provides guidelines for the deployment of the CEPM SSPI Agent and explains the features supported by CEPM customized authorization provider for applications running in the WebLogic (BEA WebLogic V9.2).
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/SSPI_Agent/EPMSSPIAgt_chap.html
|
CEPM JACC Agent For JBOSS Portal Guide
|
Explains about how the CEPM JACC Agent for JBOSS Portal helps in implementing the fine-grained authorization decisions for portal applications developed using JBOSS Portal.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JACC_JBOSS_Agent/EPMJACCAgtJB_chap.html
|
CEPM JACC WAS Agent Guide
|
Explains about how the CEPM JACC Agent for WebSphere Application Server helps in implementing the fine-grained authorization decisions for web applications developed using WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JACC_WAS_Agent/CEPM_JACC_WAS_Agent.html
|
CEPM JAX-RPC Agent Guide
|
Provides an overview about the CEPM JAX-RPC Agent and explains the steps for configuring this agent in the applications running in WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JAX-RPC_Agent/CEPM_JAX_RPC_Agent_Guide.html
|
CEPM JAX-WS Agent Guide
|
Provides an overview about the CEPM JAX-WS Agent and explains the steps for configuring this agent in the applications running in WebSphere Application Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/JAX-WS_Agent/CEPM_JAX-WS_Agent_Guide.html
|
CEPM AXIS Agent Guide
|
Provides step-by-step instructions on how to integrate the CEPM Axis Agent with web applications using Axis webservice implementation for fine-grained access control.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/AXIS_Agent/EPMAxisAgt_chap.html
|
CEPM AXIS2 Agent Guide
|
Provides step-by-step instructions on how to integrate the CEPM Axis2 Agent with web applications using Axis2 webservice implementation for fine-grained access control.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/AXIS2_Agent/EPMAxisAgt_chap.html
|
CEPM ACEGI Agent Guide
|
Provides guidelines for deployment of the CEPM ACEGI Agent and explains the features of using CEPM customized ACEGI authorization solution for applications running in the Spring Framework.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/ACEGI_Agent/EPMACEGIAgt_chap.html
|
CEPM Spring Security2 Agent Guide
|
Provides guidelines for deployment of the CEPM Spring Security2 Agent and explains the features of using CEPM customized Spring Security2 authorization solution using the RoleVoter for applications running in the Spring Framework.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/Spring_Security2_Agent/EPMSSAgt_chap.html
|
CEPM XMLACCESS Agent Guide
|
Provides guidelines for deployment of the CEPM XMLAccess Agent and explains the features of using CEPM customized XMLAccess authorization solution for portal applications running in the WebSphere Portal Server.
Location on Cisco.com:
http://www.cisco.com/en/US/docs/security/epm/epm33/Agent/XML_ACCESS_Agent/EPMXMLAccessAgt_chap.html
|
Changes to This Document
Table 1 lists the changes made to this document since it was first released.
Table 2 Changes to This Document
Date
|
Change Summary
|
July 7, 2009
|
Minor edits and template/boilerplate updates for publication to Cisco.com
|
April 3, 2009
|
Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0
|
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.