Set up access controls

Policies

Policies are used to authorize users. A policy can contain all the conditions the user or situation needs to adhere to (by using Filters) and determines the result of the check.

A Policy can have the following outcomes that will be used in the authorization check (together with all the other policies a user might have):

  • Allow; this means this policy will allow access in the specified situation (as defined in the filters)

  • Deny; this means this policy will deny access in the specified situation (as defined in the filters)

  • Audit; this means the policy will explicitly be added to the audit log at Info, Warning or Error level. This outcome will not contribute to the authorization decision.

  • Inconclusive; this means the policy does not contribute to the authorization decision. This outcome will mainly be used when grouping policies that are often used together.

A policy can contain child policies: whenever the ‘parent’ policy applies, the policies added as child policies are evaluated as separate policies, regardless of the parent’s decision outcome.

A policy can contain multiple filters, to indicate if the policy is applicable. See the Filters section for more information about filters.

Roles

Roles are a special type of Policy. They are indicated by choosing the outcome / decision ‘Roles’. This makes an additional field available that determines the role name returned in the authentication response when a user logs in (if the user has this role assigned).

How to configure: A policy that allows access to everything

To configure a policy that allows access to everything for users who will have the policy:

  1. Open the Admin Portal

  2. Navigate to the Configuration section

  3. Go to Policies tab

  4. Click ‘Create Policy’ → ‘Create New Policy’

  5. Add a Policy Name (eg “Allow Policy”)

    1. Add an optional description

  6. Select Decision ‘Allow’

  7. Save the policy

The policy is now created and can be assigned to (customer) Organizations, or added to an Access License.

How to configure: A policy that allows access to a specific application

To configure a policy that allows access to a specific application for users who will have the policy:

  1. Navigate to the Configuration section

  2. Go to the Filters tab

  3. Configure a filter for your application, see: How to configure: A filter that checks for a specific application

  4. Go to Policies tab

  5. Click ‘Create Policy’ → ‘Create New Policy’

  6. Add a Policy Name (eg with the application name)

    1. Add an optional description

  7. Select Decision ‘Allow’

  8. Go to Filters tab

  9. Add the (previously created) filter that checks for your application.

  10. Save the policy

The policy is now created and can be assigned to (customer) Organizations, or added to an Access License.

How to configure: A role

If your application relies on roles to determine the features a user has access to, you can configure roles that will be returned whenever a user logs in.

  1. Navigate to the Configuration section

  2. Go to Policies tab

  3. Click ‘Create Policy’ → ‘Create New Role’

  4. Add an Internal Role Name

    1. Add an optional description

  5. Add a Role Name to Return; this is the exact name that will be returned in the authentication response of a user.

  6. Save the role.

The role is now created and can be assigned to (customer) Organizations, or added to an Access License. You can add as many roles as needed.

Filters

Filters are used in Policies to determine if the policy is applicable to the situation in which the authentication / authorization check happens. The filters describe the conditions that should match for the policy to be applicable.

Filters can contain multiple filter conditions and also include existing (nested) filters.

The added filter conditions (and nested filters) are combined with one of the following operators:

  • AND, means that all added filter conditions (and nested filters) need to apply for the filter to be applicable

  • OR, means that at least 1 of the added filter conditions (and nested filters) need to apply for the filter to be applicable

Each filter condition consists of 3 parts:

  • An attribute, for which the value is checked against the rest of the condition

  • An operator, that describes what kind of check should be done. The operator depends on the type of attribute. For instance, a text attribute could have operators like equals, does not equal, contains and does not contain; and a date or time attribute could have operators like equal, before or after.

  • A value, against which the actual attribute value is checked.

See the examples below for how to configure specific situations.

How to configure: A filter that checks for a specific application

To configure a filter that checks for a specific application:

  1. Navigate to the Configuration section

  2. Go to Filters tab

  3. Click ‘Create Filter’

  4. Add a Filter Name (eg containing the application name)

    1. Add an optional description

  5. Go to the Filter Conditions tab

  6. Create a filter condition for your application

    1. Select the ‘Application Name’ parameter

    2. Leave the operator on ‘Equal’

    3. Add your application name as configured in Veriam (in Configuration - Applications tab)

  7. In case you want to filter on multiple applications:

    1. Change the filter operator to ‘OR’

    2. Click ‘Add Filter Condition’

    3. Create the filter condition for your application (see step 6)

  8. Save the filter

The filter is now created and can be added to a Policy.

How to configure: A filter that checks for office hours

To configure a filter that checks for office hours (note that this scenario is for example purposes; it is advised to only create filters that make sense for your situation):

  1. Navigate to the Configuration section

  2. Go to Filters tab

  3. Click ‘Create Filter’

  4. Add a Filter Name (eg “Within office hours”)

    1. Add an optional description

  5. Go to the Filter Conditions tab

  6. Create a filter condition for the start of office hours

    1. Select the ‘System Time’ parameter

    2. Change the operator to ‘After’

    3. Select the start of your office hours (eg “09:00”)

  7. Leave the filter operator set to ‘AND’

  8. Create a filter condition for the end of office hours

    1. Click ‘Add Filter Condition’

    2. Select the ‘System Time’ parameter

    3. Change the operator to ‘Before’

    4. Select the end of your office hours (eg “17:00”)

  9. Save the filter

The filter is now created and can be added to a Policy.

Note: the filter would be configured differently depending on whether you want to allow access within office hours (this filter would then need to be added to all policies that provide access) or deny access outside of office hours (that filter could be added to a separate policy that denies access).
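To see how these pieces fit together, here is a constructed evaluator, added here and not Veriam’s code, that models the filter and policy semantics described above (conditions with typed operators, AND / OR filters with nesting, policy outcomes, child policies) and runs the application filter and the office-hours note through it. Assumed, because the page does not state them: a policy’s own filters are ANDed, Deny overrides Allow, and no applicable Allow means Deny.

```python
from dataclasses import dataclass
from datetime import time

OPERATORS = {  # named as on the page: text attributes use Equal / Does not equal, times Before / After
    "Equal": lambda a, v: a == v, "Does not equal": lambda a, v: a != v,
    "Before": lambda a, v: a < v, "After": lambda a, v: a > v}

@dataclass
class Condition:  # the 3 parts of a filter condition
    attribute: str
    operator: str
    value: object
    def matches(self, ctx):  # an attribute missing from the request context never matches
        return self.attribute in ctx and OPERATORS[self.operator](ctx[self.attribute], self.value)

@dataclass
class Filter:  # conditions plus nested filters, combined with AND or OR
    operator: str = "AND"
    conditions: tuple = ()
    nested: tuple = ()
    def matches(self, ctx):
        parts = [c.matches(ctx) for c in self.conditions] + [f.matches(ctx) for f in self.nested]
        return all(parts) if self.operator == "AND" else any(parts)

@dataclass
class Policy:  # decision: Allow, Deny, Audit or Inconclusive
    name: str
    decision: str
    filters: tuple = ()
    children: tuple = ()

def applicable(policies, ctx):
    """Policies whose filters all match (assumption: ANDed), plus children of each applicable policy."""
    hits = []
    for p in policies:
        if all(f.matches(ctx) for f in p.filters):  # children evaluate whatever the parent's decision
            hits += [p] + applicable(p.children, ctx)
    return hits

def decide(policies, ctx):
    """Audit and Inconclusive never change the decision; Deny beating Allow and default Deny are assumptions."""
    hits = applicable(policies, ctx)
    found = {p.decision for p in hits}
    return ("Allow" if "Allow" in found and "Deny" not in found else "Deny"), [p.name for p in hits if p.decision == "Audit"]

# Constructed filters and policies mirroring the how-to examples above.
MY_APPS = Filter("OR", [Condition("Application Name", "Equal", "Portal"), Condition("Application Name", "Equal", "Reports")])
OUTSIDE_HOURS = Filter("OR", [Condition("System Time", "Before", time(9)), Condition("System Time", "After", time(17))])
POLICIES = [Policy("Allow my apps", "Allow", [MY_APPS], children=[Policy("Log app access", "Audit")]),
            Policy("Deny outside office hours", "Deny", [OUTSIDE_HOURS])]
```

Calling decide(POLICIES, {"Application Name": "Portal", "System Time": time(10)}) returns ("Allow", ["Log app access"]); the same request at time(20) is denied by the separate Deny policy while the audit entry is still recorded.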

Access Licenses

Access Licenses are used to delegate the decision on which users will have access to your applications to the organization those users belong to (your customer). More advanced License / Subscription management functionality will be available soon, for instance to support self-service capabilities (customers acquiring a license / subscription through a self-service flow), requiring the signing of legal documents (such as terms and conditions), processing payments and generating invoices.

An Access License on its own does not do much, so it should always contain one or more Policies that provide access to users who have the license assigned. Policies can be added to a License at 2 different ‘levels’:

  • Default policies; these policies are always available to every user that gets the access license assigned. An access license needs at least 1 default policy to be able to allocate the license to an organization.

  • Optional policies; these policies can optionally be assigned to users in addition to the default policies. They can for instance be used for more admin access within your application, something not every user should have.

Note that the admin of the organization that gets the license allocated (your customer) determines who gets the optional policies. You do not have any control over that.

How to configure: An Access License that allows access to everything

If you want users to be able to access everything, but want to provide your customer with the freedom to determine which of their users get access, you will need to configure an Access License in addition to a Policy to grant access:

  1. Navigate to the Configuration section

  2. Go to the Policies tab

  3. Configure a policy that allows access to everything, see: How to configure: A policy that allows access to everything

  4. Go to Licenses tab

  5. Click ‘Create License’

  6. Add a License Name (eg with your company name; the license name will be visible to your customers)

    1. Add an optional description

  7. Go to Policies tab

  8. Click ‘Add Default Policy’

  9. Select the previously created policy that grants generic access

  10. Confirm by clicking ‘Add Default Policy’

  11. Save the license

The license is now created and can be allocated to a (customer) Organization.

How to configure: A license that allows access to a specific application

If you want users to be able to access a specific application, but want to provide your customer with the freedom to determine which of their users get access, you will need to configure an Access License in addition to a Policy to grant access:

  1. Navigate to the Configuration section

  2. Go to the Filters tab

  3. Configure a filter for your application, see: How to configure: A filter that checks for a specific application

  4. Go to the Policies tab

  5. Configure a policy that allows access to a specific application, see: How to configure: A policy that allows access to a specific application

  6. Go to Licenses tab

  7. Click ‘Create License’

  8. Add a License Name (eg with your company name; the license name will be visible to your customers)

    1. Add an optional description

  9. Go to Policies tab

  10. Click ‘Add Default Policy’

  11. Select the previously created policy that grants access to the application(s) that everyone should have access to

  12. Confirm by clicking ‘Add Default Policy’

  13. If there are additional applications that only some people might need access to:

    1. Click ‘Add Optional Policy’

    2. Select the previously created policy that grants access to the application(s) that require specific assignment to access

    3. Confirm by clicking ‘Add Optional Policy’

  14. Save the license

The license is now created and can be allocated to a (customer) organization.

How to configure: An Access License that contains roles

If your application uses roles to determine access, and you want your customers to be able to distribute these roles to their users, you will need to configure an Access License in addition to the roles:

  1. Navigate to the Configuration section

  2. Go to Policies tab

  3. Configure a role, see: How to configure: A role

  4. Repeat step 3 for all the roles your application supports

  5. Go to Licenses tab

  6. Click ‘Create License’

  7. Add a License Name (eg with your company name; the license name will be visible to your customers)

    1. Add an optional description

  8. Go to Policies tab

  9. Click ‘Add Default Policy’

  10. Select the previously created role(s) that grant the most basic access that everyone should have

  11. Confirm by clicking ‘Add Default Policy’

  12. If there are additional roles that only some people might need to have:

    1. Click ‘Add Optional Policy’

    2. Select the previously created role(s) that require specific assignment

    3. Confirm by clicking ‘Add Optional Policy’

  13. Save the license

The license is now created and can be allocated to a (customer) organization.
