Article By: Tiffany Kongpachith
Successful identity management requires thorough automation. Symantec Identity Manager’s Policy Xpress (PX) function allows users to automate background functions when running a task set up in Identity Manager. Policy Xpress (PX) is specifically designed to help automate the creation of endpoints or tasks when a task or event is executed. Creating a Policy Xpress (PX) in Identity Manager gives users the ability to include web services calls, reference the data elements defined to correlate with the Task/Event, and execute web services calls from the same interface.
- Identity Manager must be fully installed and configured.
- The user must have available credentials to log into Identity Manager.
- If you are a regular user, you must have the correct permissions assigned to create or terminate policies in Identity Manager; otherwise, please acquire administrative credentials.
- A task or event that you want the Policy Xpress to execute must be present prior to PX creation.
- Make sure that web services are enabled within the Identity Manager Management Console.
- Create a Category for web services prior to setting up a Policy Xpress.
Policy Xpress Creation
Remember, to execute the Policy Xpress (PX) there MUST be an existing task or event present in Identity Manager to associate it with.
1. Open a web browser to Identity Manager.
2. Enter user credentials (make sure the user has the correct permissions to create/modify/remove policies, or log in as an administrator).
3. From the Tasks column, expand Policies, expand Policy Xpress, then click ‘Create Policy Xpress’.
4. Select the radio button for ‘Create a new object of type Policy Xpress’ then click the OK button.
5. From the Create Policy Xpress screen, the user will be on the Profile tab. Acknowledge the required fields on the Profile tab:
- Policy Name
- Policy Type
6. Enter the desired naming standard for the Policy Xpress in the Policy Name field.
7. Notice the available out of the box Policy Types. For this purpose, we will select ‘Submitted Task’.
8. Notice the available out of the box Categories. For this purpose, we will select the Category as ‘Web Service Trigger’.
9. For Priority, enter the desired value for priority (order of operation). If not assigned a value, the Priority will remain at default (0).
10. Navigate to the Events tab. Notice that this new Policy Xpress is not assigned to an Event.
11. Click the ‘Add Event’ button to add an event to this Policy Xpress.
Note: You may add more than one Event to the PX.
Note: Ensure the Event that you want to assign with this new Policy Xpress is present before proceeding with these next steps.
12. Notice a new row added with two drop-down options for Event State and Event Name. Select from both drop-downs the Event State and Event Name that will be attached to the Policy Xpress.
Note: The Event State indicates at WHICH Action the Event should fire (i.e. Begin, After, Approved, Rejected, Failed). The Event Name defines which task or event to associate with the Policy Xpress.
13. Navigate to the Data tab.
Notice that this new Policy Xpress is not assigned to a Data Element.
14. Click the ‘Add Data Element’ button to add to this Policy Xpress.
Note: You may add more than one Data Element to the PX.
Here is where we will define the condition that correlates with the available Attributes in Identity Manager.
15. Determine the values for the different required fields such as Name, Category, Type, Function.
16. Enter the desired naming standard for the Data Element in the Name field.
17. Notice the available out of the box Categories. Select the desired Category. For this setup purpose, we will select Attributes.
18. Notice the available Types. Select the desired Type. For this setup, we will select User Attributes.
19. Notice the available Functions. Select the desired Function. For this setup, we will select Get.
20. Below is the Function Description. For the Type selected as User Attributes, you will see a drop-down below from which to select the desired User Attribute available in Identity Manager.
Note: Depending on which Function you selected, your Function Description may be different.
21. Then click the OK button when the Data Element is configured as desired.
22. You will return to the Data tab.
Note: You may add more than one Data Element to attach to this Policy Xpress.
23. Once you have configured the Data Elements, navigate to the Entry Rules tab.
Notice that this new Policy Xpress is not assigned to an Entry Rule.
24. You may enter an Entry Rule by clicking the ‘Add Entry Rule’ button. But for this purpose, we will NOT be adding any Entry Rules.
25. Once finished configuring Entry Rules, navigate to the Action Rules tab.
Notice that this new Policy Xpress is not assigned to an Action Rule.
Note: You may add more than one Action Rule to attach to this Policy Xpress.
26. Click the ‘Add Action Rule’ button to add to this Policy Xpress.
Here is where we will define the API raw data to define the action to take.
27. On the Add Action screen, notice the required fields like Name and Priority.
28. Enter the desired naming standard for the Action Rule in the Name field.
29. You may enter a description for the Action Rule in the Description field.
30. Define the Priority number for this Action Rule. If not assigned a value, the Priority will remain at default (0).
31. Scroll down and focus on the Add Actions section. These actions are performed when the rule is matched for the first time or if the policy is not set to run once.
32. Click the ‘Add Action When Matched’ button to add a new action to this Action Rule.
33. Notice the required fields necessary for the Action When Matched such as Name, Category, Type, and Function. Enter the desired naming standard for this Action When Matched in the Name field.
34. For Category, notice the available categories provided by Identity Manager. Select the desired Category from the drop-down options. For this purpose, we will select REST Queries.
Note: For web services calls other than REST, there is a SOAP Queries Category to select for SOAP utilizations/translations.
The screen will refresh to the screen that designates the selection of REST Queries. This is where we can begin to configure the REST body for when this Policy Xpress fires off a task or event.
35. Notice the required fields for this Action When Matched – Function like Name, Category, Type and Function. Enter the desired naming standard for this Action When Matched – Function in the Name field.
36. Keep the Category and Type for this Action When Matched – Function as they are, that is, REST Queries and REST Query.
37. For the Function, notice the available options from the drop-down. Select the appropriate Function to use for authentication for this REST query/call. For this purpose, we will select Basic Auth Invoke.
38. Under the Function Description for Base URL – enter the destination URL that the PX will submit the REST body to.
39. For Operation, click the drop-down to view all available HTTP Actions and select the HTTP Action that will be used along with this REST body.
40. For the Request Body, enter the JSON data into this field.
41. Within the request body, you may incorporate the User Attributes that were assigned in the Data Element into the body message.
Note: The drop-down to the right of the request body field will allow the user to select from the list of created Data Elements that already had preconfigured attributes assigned.
42. Finally, you may define the Content-Type for the request body. Select the drop-down to view all available Content-Types. For this purpose, we will keep the selection as “application/json”.
43. Lastly, when the REST Query is configured, click the OK button to save progress for the Action When Matched – Function settings.
44. You will return to the Action Rule screen. Click the OK button to save progress for the Action When Matched settings. Notice the Action When Matched now appears.
45. You will return to the Action Rules tab screen. Verify each tab has the proper configurations set, then click the Submit button to save all progress.
Policy Xpress Use Case:
- The user wants to send a web service call to the Layer7 API Gateway, which sends the request elsewhere. Here the PX serves as an API testing tool that submits requests through a routing proxy to their destination.
- The user creates a simple admin task and, following these procedures, assigns a created Policy Xpress to this admin task.
- The admin task is a simple form for users to fill out. The form has designated attributes assigned to each field. Since we defined the Data Element in the Policy Xpress, the form knows which attributes to use and where to place its information.
- In the Action Rules – Action When Matched – Function, the user defines the Base URL; in this case, the URL will be the URL of the API Gateway, following its API policies.
- The operation would be an HTTP POST action to submit the information following the executed task to the API Gateway.
- In the Action Rules – Action When Matched – Function, the user defines the REST body and inputs the values as the selected Data Elements (attributes) from the available drop-down list.
- The user can test their request body by clicking the ‘Test’ button located on the Action When Matched – Function screen.
- Since the Policy Xpress is assigned to a Task or Event, when a user accesses the Task (the simple form) and fills out their information, the user clicks the Submit button to fire the task and the PX.
- The expected result should be task completed or task pending, and the user should click the ‘View Submitted Tasks’ button to view messages and logs of success or errors when executing the admin task.
- If the task was submitted successfully, then the request defined in the Action When Matched – Function, with its request body, was submitted as a POST REST call to the API Gateway defined in the Base URL field.
- If the request was submitted all the way to the API Gateway and the designated team verifies that the request came through via status message or logging, then the Task – Policy Xpress – Destination was successful!
Example of Action When Matched – REST Queries Function sample inputs for Base URL, Operation, Request Body, Content-Type:
Important! See how the request is structured in JSON formatting. In each key:value pair, you may replace the value with any of the Data Elements listed in the drop-down on the right.
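The check the receiving team can run on what the Policy Xpress sends (Basic Auth, POST, application/json, a JSON body filled from Data Elements), as an added example that is not part of the original article or of Symantec's product code. The field names, host names and function names are constructed for illustration; the page does not say how attribute values are escaped in the Request Body, so the receiver rejects bodies that fail to parse or carry extra keys.

```python
import base64
import hmac
import json
from urllib.parse import urlsplit

# Constructed field names; use the keys your own Request Body defines.
EXPECTED_KEYS = {"firstName", "lastName", "email"}

def base_url_problems(url):
    """Problems with a Base URL that will carry Basic Auth credentials."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https: Basic Auth is only base64-encoded")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    return problems

def basic_auth_header(user, password):
    """Authorization header value as Basic Auth (RFC 7617) sends it."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def validate_request(method, headers, body, user, password):
    """Receiver-side check; returns reasons to reject (empty list = accept)."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    if method != "POST":
        problems.append("unexpected method")
    expected = basic_auth_header(user, password).encode()
    # Constant-time comparison avoids leaking how much of the header matched.
    if not hmac.compare_digest(h.get("authorization", "").encode(), expected):
        problems.append("bad credentials")
    if h.get("content-type", "").split(";")[0].strip().lower() != "application/json":
        problems.append("unexpected content type")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not valid JSON"]
    # A quote inside an attribute value can add keys if it was pasted unescaped.
    if not isinstance(doc, dict) or set(doc) != EXPECTED_KEYS:
        problems.append("unexpected keys")
    elif not all(isinstance(v, str) for v in doc.values()):
        problems.append("non-string value")
    return problems
```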
Summary of Automating Web Service Calls in Symantec Identity Manager
Enabling web services to be used along with Identity Manager’s Policy Xpress is a key motivator for automation of the future. This process is well-suited to replace the idea of having developers generate requests from an API testing tool with the constant back and forth of screens. Policy Xpress allows for testing within the same interface! Beyond testing on the same screen, it also extends the capabilities that Symantec Identity Manager offers but that are not typically used all the time. This offers a sense of automation, a new process, and structure to follow when creating future Policy Xpress policies that will leverage web services capabilities.