Description:
In your CA Identity Manager implementation, you may want to protect your User Store, Policy Store and Provisioning Directory from unauthorized CRUD operations performed outside of CA Identity Manager.
If your CA Identity Manager environment is using CA Directory for the above stores (note that Provisioning Directory is only supported in CA Directory), this can be easily achieved using Access Controls.
CA Directory Access Controls (ACLs) work by asking this question before performing an operation:
Is this client permitted to perform this operation, on this data, in this subtree, at this time?
where:
The aim of this document is to provide the minimum ACLs required by CA Identity Manager service accounts and limit all other access.
Solution:
Defining the minimum ACLs needed by CA Identity Manager requires that:
To define and activate CA Directory Access Controls, you need to update the corresponding DSA's definition as described below:
Assuming that:
On the CA Directory node(s), perform the following operations:
#
# Policy Store Access (#1)
#
set admin-user = {
user = <c US><o SMPolicy><uid SMAdmin>
subtree = <c US><o SMPolicy>
};
# static access controls
set access-controls = true;
# dynamic access controls
set dynamic-access-control = false;
#
# User Store Access (#2)
#
set admin-user = {
user = <c US><o FwdCorp><uid IMAdmin>
subtree = <c US><o FwdCorp>
};
# static access controls
set access-controls = true;
# dynamic access controls
set dynamic-access-control = false;
#
# Provisioning Directory Access (#3)
#
set admin-user = {
user = <dc etadb><dc FWDCORPDOM><eTNamespaceName CommonObjects><eTDSAContainerName DSAs>
subtree = <dc etadb>
};
# static access controls
set access-controls = true;
# dynamic access controls
set dynamic-access-control = false;
# access controls
clear access;
source "../access/SMPSAccessControl.dxc";
# access controls
clear access;
source "../access/IMUSAccessControl.dxc";
# access controls
clear access;
source "../access/IMPDAccessControl.dxc";
From now on, the ACLs are active and you can check them with an LDAP directory browser such as JXplorer.
You should be able to connect to your User Store with the service account you defined in your ACLs, e.g. uid=IMAdmin,o=FwdCorp,c=US, and navigate the whole DIT.
You should also be able to connect to the User Store as any other user, but you should receive an error such as:
unable to list o=FwdCorp,c=US
However, if you use this same user to connect to your IME through the CA Identity Manager User Console, you should be able to perform the same operations as before, even though this user is not granted direct access to the User Store.
The same tests can be performed against the Policy Store and the Provisioning Directory, assuming that you have several objects with a password defined in them.
If anonymous access is allowed for these DSAs, the connection will be accepted; however, navigating the DIT will return a list error.
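A scripted form of the checks above, added here as an example and not CA-supplied code: it binds as each identity against the User Store and Policy Store DSAs and confirms that only the matching service account can list the subtree, while another user and an anonymous bind cannot. It assumes the ldap3 Python library, a DSA host name of your choosing, and a hypothetical ordinary user uid=jdoe,o=FwdCorp,c=US; passwords are supplied by the caller.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# DNs come from the DSA definitions above; OTHER_USER is a hypothetical ordinary user.
STORES = {  # base DN -> service account that must still see the whole DIT
    "o=FwdCorp,c=US": "uid=IMAdmin,o=FwdCorp,c=US",
    "o=SMPolicy,c=US": "uid=SMAdmin,o=SMPolicy,c=US",
}
OTHER_USER = "uid=jdoe,o=FwdCorp,c=US"

@dataclass
class Probe:
    bind_dn: Optional[str]    # None means an anonymous bind
    password: Optional[str]
    base_dn: str
    expect_list: bool         # may this identity list base_dn?

def ldap3_probe(host: str, port: int = 389):
    """Real probe built on the ldap3 library (imported lazily so the module loads
    without it). Returns (bind_ok, list_ok); a denied list shows up as a search
    error or an empty result, which is what "unable to list" looks like on the wire."""
    def run(bind_dn, password, base_dn):
        import ldap3
        conn = ldap3.Connection(ldap3.Server(host, port=port), user=bind_dn, password=password)
        if not conn.bind():
            return False, False
        ok = conn.search(base_dn, "(objectClass=*)", search_scope=ldap3.LEVEL)
        listed = bool(ok) and len(conn.entries) > 0
        conn.unbind()
        return True, listed
    return run

def default_probes(passwords: dict) -> List[Probe]:
    """Service accounts must list their own store; anyone else, and anonymous, must not."""
    probes = []
    for base_dn, svc in STORES.items():
        probes.append(Probe(svc, passwords[svc], base_dn, True))
        probes.append(Probe(OTHER_USER, passwords[OTHER_USER], base_dn, False))
        probes.append(Probe(None, None, base_dn, False))
    return probes

def check_acls(probes: List[Probe], probe_fn: Callable) -> List[Tuple[str, bool]]:
    """Run every probe; it passes when the observed ability to list the subtree
    (bind succeeded AND entries came back) matches what the ACLs should allow."""
    results = []
    for p in probes:
        bind_ok, list_ok = probe_fn(p.bind_dn, p.password, p.base_dn)
        results.append((f"{p.bind_dn or 'anonymous'} lists {p.base_dn}",
                        (bind_ok and list_ok) == p.expect_list))
    return results
```

Run `check_acls(default_probes(passwords), ldap3_probe("dsa-host"))` and treat any False result as an ACL gap. The Provisioning Directory can be covered by adding its base DN and service account DN to STORES.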
Additional Information: