eBay Inc.
SOA
Policy Administration Tool
DL-eBay-SOAPolicyTeam@ebay.com
Tuesday, December 20, 2011
CHAPTER 1: CONCEPTS AND OVERVIEW
    Policy Concepts and Definitions
    Policy Types and Examples
    Tool Overview
CHAPTER 2: LOGIN ACCESS AND PRIVILEGES
    Logging on (Sign-in)
    Admin User and Guest User Privileges
    Logging off (Sign off)
CHAPTER 3: MANAGING SUBJECTS AND SUBJECT GROUPS
    View Summary of Subject Groups
    Search for Subject Groups
    Create Subject Group
    Assign Specific Subjects
    Assign Calculated Subject Group Provider
    Import a Subject Group
    Export a Subject Group
    View Subject Group
    Modify Subject Group
    Modify Subject Group Information
    Modify Assigned Subjects
    Assign More Subjects
    Delete Subject Group
CHAPTER 4: MANAGING POLICIES
    View Summary of Policies
    Search for a Policy
    Create Policy
    Modify Policy
    Enable Policy
    Disable Policy
    Import Policy
    Export Policy
    Delete Policy
    Deploy Policy
CHAPTER 5: MANAGING AUTHORIZATION POLICY
    Create Authorization Policy
    View Authorization Policy Details
    Modify Authorization Policy Details
    Modify Authorization Policy Information
CHAPTER 6: MANAGING RATE LIMITING POLICY
    Create Rate Limiting Policy
    Assign Subjects or Subject Groups to Inclusion List
    Assign Subjects or Subject Groups to the Exclusion List
    View Rate Limiting Policy
    Modify Rate Limiting Policy
    Modify Rate Limiting Policy Information
    Assign More Subjects or Subject Groups to the Exclusion List
CHAPTER 7: MANAGING BLACKLIST POLICY
    Create a Blacklist Policy
    Assign Resources to the Blacklist Policy
    Assign Subjects or Subject Groups to Blacklist Policy
    View Blacklist Policy Details
    Modify Blacklist Policy Details
    Modify Blacklist Policy Information
    Modify Assigned Resources
    Modify Assigned Subjects or Subject Groups
    Assign More Resources
CHAPTER 8: MANAGING WHITELIST POLICY
    Create Whitelist Policy
    Assign Resources to the Whitelist Policy
    Assign Subjects or Subject Groups to Whitelist Policy
    Submit a Trace Ticket for a Subject
    View Whitelist Policy Details
    Modify Whitelist Policy Details
    Modify Whitelist Policy Information
    Modify Assigned Resources
    Modify Assigned Subjects or Subject Groups
    Assign More Resources
    Assign More Subjects or Subject Groups
CHAPTER 9: DEPLOYING AND PROMOTING POLICIES
CHAPTER 10: SEEDING RESOURCES
CHAPTER 11: DEPLOYING AND PROMOTING POLICIES
CHAPTER 12: CONFIGURING SERVICE AT RUN TIME FOR POLICIES
CHAPTER 13: FAQS AND TROUBLESHOOTING
Chapter 1: Concepts and Overview
The SOA Policy Administration tool (http://smc/policyadmin/policy) allows administrators to
apply policies to SOA services, for security and rate limiting purposes. The tool has an intuitive,
browser-based user interface (UI), and it hides the complexity involved in authoring policy
configurations for SOA services. It enhances user productivity by providing a consistent user
experience for provisioning policies.
Users of the tool
The primary users of this tool are Developer Technical Support (DTS), Trust & Safety (TnS), and
Service teams who want to apply policies on SOA services. However, anyone with eBay CORP
network credentials can log on to the tool for read-only access. The tool supports guest and
administrator privileges for users. To read more about this topic, click Login Access and
Privileges.
Support for the tool
For any questions about the tool, contact DL-ebay-SOAPolicyTeam.
Policy Concepts and Definitions
Policies are a set of rules that determine if an entity can access a resource.
The SOA platform offers a very powerful and flexible policy infrastructure that describes the
methodology to express and manage policies. This section explains the terminology used in the
tool.
Resource
A resource is an entity that is being gated for access. Currently, the tool supports only services
and their operations under resources.
Examples: FindingService, findItemsByKeywords, getSearchKeywordsRecommendation
Subject
A subject is an entity that is being evaluated for granting access to the resource. A subject
belongs to a subject type.
Examples: AdminTest, C3App
Subject Type
Each subject has a type associated with it. The tool supports the following subject types: ASAC
20, CORPUSER, CSUSER, EBAYAPP, EBAYDEV, EBAYUSER, IP, MACHINE, POOL, PROXY.
Subject Group
A subject group is a collection of subjects of the same type. Subject groups are a convenient
way for gating access to multiple subjects at a time.
Example: Tier1AppGroup (subject group) can contain multiple EBAYAPP subjects. Once a policy
is assigned to a subject group, it is automatically assigned to all subjects belonging to that
group.
Policy
A policy defines which resources can be gated for access by which subjects and/or subject
groups. For convenience, more than one resource can be configured in a single policy (to prevent
a proliferation of policies for multiple resources).
Example: StorageServiceAdminPolicy
Creating a Policy
Admin Users can create policies by providing the name and description for the policy and
assigning one or more resources to the policy. The policy can be enforced only after at least one
subject and/or subject group is assigned to the policy. Admin Users can modify subjects and/or
subject groups any number of times after creating the policy.
Enabling a Policy
A policy is always created in a disabled state to ensure that no policy is accidentally applied
without due diligence. Admin Users have to enable a policy after making the relevant
assignments to the policy. Note that the service must be configured to have the appropriate
handler for the policy to be enabled at run time. For configuring a handler, prior to enabling a
service, please check
https://wiki2.arch.ebay.com/confluence/display/SOADOC/3.0+Security+Services.
Policy Types and Examples
You can create and modify the following four types of policies in the tool:
• Authorization Policy
• Rate Limiting Policy
• Blacklist Policy
• Whitelist Policy
Authorization Policy
The authorization policy determines if an entity has access to a resource. You can assign
resources, subjects, and subject groups to an authorization policy.
Example:
Scenario: Create a policy for Admin access to StorageService
Policy Name: StorageServiceAdminPolicy
Policy Description: Policy created for Admin access for the storage service
Resources:
    Service: StorageService
    Operations: updateObject, getUserMetadata, deleteObject, getACL, readObjectByAttachment
Assigned Subjects/Subject Groups:
    Subject Type: EBAYAPP
    Subjects: AdminTest, C3App
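The policy lifecycle described above (created disabled, enabled only after a subject or subject group is assigned, group assignments reaching every member), modelled with the StorageServiceAdminPolicy values. This is an added example, not the tool's own code. It assumes a call is allowed only when an enabled policy covers it; the group members AppOne and AppTwo and the listObjects operation are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SubjectGroup:
    name: str
    subject_type: str   # every member of a group shares one subject type
    members: set        # subject names

    def __post_init__(self):
        if not self.members:
            raise ValueError("a subject group must have at least one subject")


@dataclass
class AuthorizationPolicy:
    name: str
    description: str
    resources: dict                                    # service -> set of operations
    subjects: set = field(default_factory=set)         # {(subject_type, subject_name)}
    subject_groups: set = field(default_factory=set)   # {group_name}
    enabled: bool = field(default=False, init=False)   # always created disabled

    def __post_init__(self):
        if not self.resources:
            raise ValueError("assign at least one resource when creating a policy")

    def enable(self):
        # Enabling is refused until at least one subject or group is assigned.
        if not (self.subjects or self.subject_groups):
            raise ValueError("assign a subject or subject group before enabling")
        self.enabled = True

    def disable(self):
        self.enabled = False

    def covers(self, groups, subject_type, subject, service, operation):
        if not self.enabled or operation not in self.resources.get(service, ()):
            return False
        if (subject_type, subject) in self.subjects:
            return True
        # Membership is resolved at decision time, so a subject added to an
        # assigned group later is covered without editing the policy.
        assigned = (groups[n] for n in self.subject_groups if n in groups)
        return any(g.subject_type == subject_type and subject in g.members
                   for g in assigned)


def is_authorized(policies, groups, subject_type, subject, service, operation):
    """Assumed semantics: allow only if some enabled policy covers the call."""
    return any(p.covers(groups, subject_type, subject, service, operation)
               for p in policies)


def demo():
    policy = AuthorizationPolicy(
        name="StorageServiceAdminPolicy",
        description="Policy created for Admin access for the storage service",
        resources={"StorageService": {"updateObject", "getUserMetadata",
                                      "deleteObject", "getACL",
                                      "readObjectByAttachment"}},
    )
    # Constructed group membership; Tier1AppGroup is the page's group name.
    groups = {"Tier1AppGroup": SubjectGroup("Tier1AppGroup", "EBAYAPP", {"AppOne"})}
    call = ("EBAYAPP", "AdminTest", "StorageService", "deleteObject")
    results = {}

    policy.subjects |= {("EBAYAPP", "AdminTest"), ("EBAYAPP", "C3App")}
    results["before_enable"] = is_authorized([policy], groups, *call)
    policy.enable()
    results["after_enable"] = is_authorized([policy], groups, *call)
    results["unlisted_operation"] = is_authorized(
        [policy], groups, "EBAYAPP", "AdminTest", "StorageService", "listObjects")

    policy.subject_groups.add("Tier1AppGroup")
    groups["Tier1AppGroup"].members.add("AppTwo")   # joins after the assignment
    results["group_member_added_later"] = is_authorized(
        [policy], groups, "EBAYAPP", "AppTwo", "StorageService", "getACL")

    policy.disable()
    results["after_disable"] = is_authorized([policy], groups, *call)
    return results


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step}: {allowed}")
```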
Rate Limiting Policy
Rate limiting refers to setting limits on the number of times an entity can access a resource
within a given amount of time. Rate limiting helps in protecting resources from security threats
and enforces tiered access to resources based on the business contract with a caller. Eventually,
rate limiting will also help with chargeback for using a service. You can assign resources to a
rate limiting policy. You can also assign subjects and/or subject groups to a rate limiting policy;
however, this assignment is done through one of the following lists:
• Inclusion List: Collection of subjects or subject groups that are granted access to the
  resources assigned to a policy. You must assign at least one subject or subject group to
  the inclusion list.
• Exclusion List: Collection of subjects or subject groups that do not have access to the
  resources assigned to a policy. The subjects/subject groups in the exclusion list are a
  subset of the subjects/subject groups that are part of the inclusion list.
For example, suppose subject group A is part of the inclusion list and has subjects x, y, and z. If
subject x is part of the exclusion list, then only subjects y and z will be enlisted in the inclusion list.
Example:
Scenario: If the total number of hits from any eBay application of group
"Tier2AppGroupCalculator" to one or more of operations "findItemsByKeywords,
findItemsByProduct, findItemsByCategory, findItemsAdvanced,
getSearchKeywordsRecommendation, getHistograms, findItemsIneBayStores" of FindingService
are more than 1500000 over a 24-hour period (86400 seconds), then block access for 24 hours.
Policy Name: FindingServiceGenericTier2_24H
Policy Description:
Effect Duration: 86400 seconds
Rollover Period: 86400 seconds
Priority: 0
Effect: Block
Condition: FindingService.sum_long > 1500000
Resources:
    Service: FindingService
    Operations: findItemsByKeywords, findItemsByProduct, findItemsByCategory,
    findItemsAdvanced, getSearchKeywordsRecommendation, getHistograms,
    findItemsIneBayStores
Inclusion List:
    Subject Type: EBAYAPP
    Subject Groups: Tier2AppGroupCalculator
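The FindingServiceGenericTier2_24H policy above, modelled as a small evaluator (an added example, not code from the tool). It assumes hits are counted per subject across the listed operations in fixed windows of one rollover period, that the Block effect lasts for the effect duration, and that the policy makes no decision for excluded subjects. The group members AppA, AppB and AppC and the demo threshold of 3 are constructed.

```python
from dataclasses import dataclass, field

FINDING_OPERATIONS = frozenset({
    "findItemsByKeywords", "findItemsByProduct", "findItemsByCategory",
    "findItemsAdvanced", "getSearchKeywordsRecommendation", "getHistograms",
    "findItemsIneBayStores",
})


@dataclass
class RateLimitPolicy:
    name: str
    service: str
    operations: frozenset
    threshold: int          # Condition: <service>.sum_long > threshold
    rollover_period: int    # seconds in one counting window
    effect_duration: int    # seconds the Block effect lasts
    inclusion: set          # subject and/or subject group names
    exclusion: set = field(default_factory=set)

    def effective_subjects(self, groups):
        """Expand groups, then return the inclusion list minus the exclusion list."""
        def expand(names):
            members = set()
            for name in names:
                members |= groups.get(name, {name})
            return members

        included, excluded = expand(self.inclusion), expand(self.exclusion)
        if not included:
            raise ValueError("inclusion list needs at least one subject or group")
        if not excluded <= included:
            raise ValueError("exclusion list must be a subset of the inclusion list")
        return included - excluded


def finding_tier2_policy(threshold=1_500_000):
    """Policy values from the page; the threshold can be lowered for a demo."""
    return RateLimitPolicy(
        name="FindingServiceGenericTier2_24H",
        service="FindingService",
        operations=FINDING_OPERATIONS,
        threshold=threshold,
        rollover_period=86400,
        effect_duration=86400,
        inclusion={"Tier2AppGroupCalculator"},
    )


class RateLimiter:
    def __init__(self, policy, groups):
        self.policy = policy
        self.subjects = policy.effective_subjects(groups)
        self.window = {}          # subject -> (window_start, hit_count)
        self.blocked_until = {}   # subject -> time the Block effect ends

    def check(self, subject, service, operation, now):
        """Decision for one call at time `now` (seconds)."""
        p = self.policy
        if (subject not in self.subjects or service != p.service
                or operation not in p.operations):
            return "NOT_APPLICABLE"
        if now < self.blocked_until.get(subject, now):
            return "BLOCK"
        start, hits = self.window.get(subject, (now, 0))
        if now - start >= p.rollover_period:    # window rolled over: reset
            start, hits = now, 0
        hits += 1
        self.window[subject] = (start, hits)
        if hits > p.threshold:                  # strictly greater, as in the Condition
            self.blocked_until[subject] = now + p.effect_duration
            return "BLOCK"
        return "ALLOW"


def demo():
    groups = {"Tier2AppGroupCalculator": {"AppA", "AppB", "AppC"}}  # constructed
    policy = finding_tier2_policy(threshold=3)   # scaled down from 1500000
    policy.exclusion = {"AppC"}
    limiter = RateLimiter(policy, groups)
    call = ("FindingService", "findItemsByKeywords")
    return {
        "AppA_burst": [limiter.check("AppA", *call, now=t) for t in (0, 1, 2, 3)],
        "AppA_during_block": limiter.check("AppA", *call, now=100),
        "AppA_after_block": limiter.check("AppA", *call, now=3 + 86400),
        "AppB": limiter.check("AppB", *call, now=3),
        "AppC_excluded": limiter.check("AppC", *call, now=3),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```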
Blacklist Policy
A blacklist policy restricts all entities from accessing the resources assigned to it. You can assign
resources, subjects, and subject groups to a blacklist policy.
Example:
Policy Name: FindingServiceGenericBlack_24H
Policy Description:
Resources:
    Service: FindingService
    Operations: findItemsByKeywords, findItemsByProduct, findItemsByCategory,
    findItemsAdvanced, getSearchKeywordsRecommendation, getHistograms,
    findItemsIneBayStores
Assigned Subjects/Subject Groups:
    Subject Type: EBAYAPP
    Subject Groups: BlacklistAppGroupCalculator
Whitelist Policy
The Whitelist policy allows all entities to access the resources assigned to it. You can assign
resources, subjects, and subject groups to a Whitelist policy.
Example:
Policy Name: ShoppingGenericWhite_24H
Policy Description:
Resources:
    Service: Neighborhood
    Operations: getNeighborhoods, GetNeighborhoodMembers, GetNeighborhoodPictures
Assigned Subjects/Subject Groups:
    Subject Type: EBAYAPP
    Subject Groups: WhitelistAppGroupCalculator
Tool Overview
The tool has a browser-based interface that enables you to create and modify subject groups
and policies. This section provides a quick overview of the tool.
The URL to access the tool is http://smc/policyadmin/policy.
Login Access and Privileges
All CORP users are provided access to the tool and have a Guest User profile by default. The
Guest User profile provides read-only access to the tool. The SOA Policy Admin Support team
provisions Admin User rights. Contact DL-ebay-SOAPolicyTeam to get the Admin User rights for
the tool.
Working with Environment Settings
You can access the following environments:
Environment   Details
Staging       Connects to the staging database containing preproduction data
Production    Connects to the production database containing in-production data
Customized    Connects to a customized service URL
Sandbox       Connects to the data in sandbox database
The environment variable (env) in the URL parameters identifies the environment. For example,
the following URL points to the production environment:
‘http://smc/policyadmin/policy?method=search&&env=Production&isLogin=true’.
Each of these environments accesses policies stored in a different database. For example, when
you are in the Staging environment, the policies you create or modify will be specific to the
staging database. The changes you carry out in the staging database will not affect the
production databases.
CORP users can access any of these environments, provided they have the relevant
permissions. Contact DL-ebay-SOAPolicyTeam to request access.
You cannot switch between environments after you log on. You have to log off and then log on
to the relevant environment. Your current environment is displayed in the header of all pages.
Please refer to Deploying and Promoting Policies for further details.
Creating and Modifying Policies
You can create a policy on the Create page for the corresponding policy type. When you create
a policy, you have to assign at least one resource to it. You can modify a policy on the View/Edit
page for the corresponding policy type.
Assigning Subjects and/or Subject Groups
You can assign policies to a subject group on the Subject Groups—View/Edit page. You can also
assign subjects and/or subject groups to a policy on the View/Edit page of the corresponding
policy. The effect of both the preceding actions is the same.
Enabling and Disabling Policies
You can enable and disable policies on the All Policies—Summary page. You can enable a policy
only when it has at least one subject or subject group assigned to it. You can disable a policy
any time after you enable it. All policies, irrespective of whether they have been assigned
subjects or subject groups, are disabled by default.
Deleting Policies
You can delete a policy on the All Policies—Summary page. You can delete a policy after you
create it, irrespective of whether it is enabled or disabled.
Viewing Change History
The tool keeps a record of all the changes made to policies. You can view the changes on the
View Change History page. Currently, the tool does not provide the capability to search the
change history on a per-policy or per-entity basis. This will be addressed in a future release. You
can view the following details on the View Change History page:
• The date and time of the change
• The name of the user who made the change
• The IP address of the computer from which the change was made
• The type of change
• A description of the change
Overview of Help chapters
The following is an overview of the other chapters in the Help:
Chapter 2: Login Access and Privileges
This chapter explains the process of logging on to the tool and the rights of the users.
Chapter 3: Managing Subjects and Subject Groups
This chapter explains the tasks related to creating, modifying, and deleting subject groups.
Chapter 4: Managing Policies
This chapter explains the tasks common to all policies, such as viewing, enabling, disabling, and
deleting a policy.
Chapter 5: Managing Authorization Policy
This chapter explains the tasks related to the authorization policy. The tasks of creating,
viewing, and modifying the authorization policy are covered.
Chapter 6: Managing Rate Limiting Policy
This chapter explains the tasks related to the rate limiting policy. The tasks of creating, viewing,
and modifying the rate limiting policy are covered.
Chapter 7: Managing Blacklist Policy
This chapter explains the tasks related to the blacklist policy. The tasks of creating, viewing, and
modifying the blacklist policy are covered.
Chapter 8: Managing Whitelist Policy
This chapter explains the tasks related to the whitelist policy. The tasks of creating, viewing, and
modifying the whitelist policy are covered.
Chapter 9: Viewing Change History
This chapter explains how to view the change history and provides an overview of the
information available on the View Change History page.
Chapter 10: Seeding Resources
This chapter explains how you can request services or operations that do not exist in the
tool.
Chapter 11: Deploying and Promoting Policies
This chapter explains the deployment environments and the necessity of manually promoting
policies.
Chapter 12: Configuring Service at Run Time for Policies
This chapter explains the technical details for configuring policies.
Chapter 13: FAQs and Troubleshooting
This chapter lists the frequently asked questions about the SOA Policy Administration tool.
Chapter 2: Login Access and Privileges
Your privileges in the SOA Policy Administration tool are based on the credentials you provide
and the options you select on the Sign in page.
Currently, the tool supports only the CORP domain. You can use your eBay CORP credentials to
log on to the tool. After you log on to the tool, you can view all pages. However, to create,
modify, or delete entities or policies, and to enable and disable policies, you should have Admin
User rights.
The SOA Policy Admin Support team grants Admin User rights. Contact DL-ebay-SOAPolicyTeam
to request Admin User rights.
Logging on (Sign-in)
Go to http://smc/policyadmin/policy, enter the relevant details on the Sign in page, and click
Sign in.
Logging on—Field Details:
Field                 Details
User ID               The network ID. You can type a maximum of 128 characters.
Password              The network password. You can type a maximum of 128 characters.
Domain                The domain validates your credentials. The available option is CORP.
Target Environment    The changes are restricted to the selected environment. The available options are:
                      • Production
                      • Staging
                      • Customized
                      • Sandbox
                      On selecting Customized target environment, two more options become visible:
                      • Custom Policy Service: It is a textbox to enter custom URL for policy service.
                      • Custom IAF Service: It is a textbox to enter custom URL for IAF (Identity
                        Assertion Framework) service.
                      The Policy service and the IAF service can point to different URLs in
                      Customized environment. The default text for both the fields is a sample
                      customized service URL: http://XXX.qa.ebay.com:8080/ws/spf.
Admin User and Guest User Privileges
Guest User Actions:
• Can view all pages
• Cannot create, modify, delete, enable, or disable policies
• Cannot create, modify, or delete subject groups
Admin User Actions:
• Can view all pages
• Can create, modify, delete, enable, and disable policies
• Can create, modify, and delete subject groups
Logging off (Sign off)
Click the Signout link on the upper right of the header.
Chapter 3: Managing Subjects and Subject Groups
A subject is an entity that is being evaluated for granting access to the resource. A subject
belongs to a subject type. Each subject has a type associated with it. The tool supports the
following subject types: ASAC 20, CORPUSER, CSUSER, EBAYAPP, EBAYDEV, EBAYUSER, IP,
MACHINE, POOL, and PROXY.
A subject group is a collection of subjects of the same type. Subject groups are a convenient
way for gating access to multiple subjects at a time. For example, Tier1AppGroup (subject
group) can contain multiple EBAYAPP subjects. Once a policy is assigned to a subject group, it is
automatically assigned to all subjects belonging to that group.
This topic contains the following subtopics:
• View Summary of Subject Groups
• Search for Subject Group
• Import Subject Group
• Export Subject Group
• View Subject Group
• Modify Subject Group
• Delete Subject Group
View Summary of Subject Groups
The Subject Groups—Summary page enables you to view the summary of all subject groups. It
displays a list of all the subject groups that exist in the tool. The subject groups with the latest
change appear at the beginning of the list. You can search for a subject group and modify it. You
can also delete a subject group on the Subject Groups—Summary page.
This feature is available to the Admin User and the Guest User.
To view a summary of subject groups:
• To view all subject groups:
    o Go to the Subject Groups—Summary page. The page displays all subject groups.
• To view a specific subject group:
    o Go to the Subject Groups—Summary page.
    o Enter the search criteria.
    o Click Search.
For more information on search options, refer to Search for Subject Groups—Field Details.
The following section details the list of fields available for subject groups on Subject Groups—
Summary page.
View Summary of Subject Groups—Field Details
Field                 Details
List of Subject Groups
Subject Group Name    The name of the subject group. You can click the subject group name to go to
                      the Subject Groups—View/Edit page.
Subject Type          The type of subjects assigned to the subject group.
Subjects Assigned     The subjects assigned to the subject group. Click more to view all the
                      subjects assigned to the subject group.
Policies Assigned     The policies assigned to the subject group. Click more to view all the
                      policies assigned to the subject group.
Created By            The network ID of the user who created the subject group.
Last Modified         The time stamp when the subject group was created/last modified.
Last modified By      The author of the last change on the subject group.
Actions               The actions you can perform on the subject group. The available options are:
                      • Edit
                      • Delete
                      • Export
Search for Subject Groups
The Subject Groups—Search page enables you to search for a subject group and then perform
actions on it. It allows search based on two parameters — Subject Type and Policy Type.
The page allows partial search for subject groups. The system supports the percent sign (%)
as the wildcard character for partial search. You can embed it before, after, or within the search
string, for example: %ABCSubjectGroup, ABCSubjectGroup%, ABC%SubjectGroup, and
%ABC%SubjectGroup%.
To search for a subject group:
1. Go to the Subject Groups—Search page.
2. Enter search criteria.
3. Click Search.
The following section details the available search options.
Search for Subject Groups—Field Details
Field               Details
Search Options
Subject Groups      Search for a subject group by providing the subject type and the subject
                    group name.
Policy Name         Search for a subject group by providing the policy type and the policy name
                    to which it is assigned.
Search Options—Subject Groups
These fields appear when you click Subject Groups in Search Options.
Subject Type        The type of the subject group you are searching.
Box above Search    The name of the subject group you are searching. Partial search is
                    supported. Empty string will match all.
Search Options—Policy Name
These fields appear when you click Policy Name in Search Options.
Policy Type         The type of the policy to which the subject group you are searching is assigned.
Box above Search    The name of the policy to which the subject group, which you are searching,
                    is assigned. Only exact match is supported.
The screen displays a summary of the subject groups as per the search result. For more
information on the fields in the summary, refer to View Summary of Subject Groups—Field
Details.
The Subject Groups—Search page displays the count of subject groups matching the
search criteria as “# results found”, where # represents the number of matching results.
The Subject Groups—Search page includes pagination and displays 15 results at a time. The
following are the available options:
• Click Next or to view the results on the next page.
• Click Previous or to view the results on the previous page.
• Click a specific page number link to view the result set on a specific page.
• Enter a page number in Go to Page box and click Go to view the result set on a specific
  page.
If there are no search results that match your search criteria, an error message (“No
search results available”) appears.
Create Subject Group
You can create a subject group by grouping subjects of the same type. When you assign a policy
to a subject group, it applies to all the subjects within that subject group. A subject group must
have at least one subject assigned to it.
This feature is available to the Admin User.
To create a subject group:
1. On the Subject Groups—Create page, type the name of the subject group and its
   description.
   For more information on specific fields, refer to Create Subject Groups—Field Details.
2. Assign specific subjects or assign calculated subject group provider.
3. Click Create.
Assign Specific Subjects
To assign specific subjects to a subject group:
1. On the Subject Groups—Create page, click Assign Subjects under Subject Group Classification.
2. In the Subject Type list, click the type of subject and specify the subject.
   • For the IP or PROXY subject types, type the IP or proxy address and click Add.
For more information on specific fields, refer to Create Subject Groups—Field Details.
Assigning a subject is part of the procedure required for creating a subject group.
Assign Calculated Subject Group Provider
This approach of using a Calculated Subject Group Provider allows subjects to be determined
and evaluated at run time. You need to implement a Calculated Subject Group Provider before
you can choose it from the tool.
Refer to the following link for details on how to implement a Calculated Subject Group
Provider: https://wiki2.arch.ebay.com/confluence/display/SOADOC/3.5.2+Configuration
To assign a calculated subject group provider to a subject group:
1. On the Subject Groups—Create page, click Calculated under Subject Group
Classification.
2. Click the type of subject and then click the calculated group provider.
For more information on specific fields, refer to Create Subject Groups—Field Details.
Selecting a calculated group provider is part of the procedure required for creating a subject
group.
Create Subject Groups—Field Details
Field Details
Subject Group Name The name of the subject group you want to create. You can type a
maximum of 128 characters including a-z, A-Z, 0-9, period (.),
underscore (_), and hyphen (-).
Subject Group Description The description of the subject group you are creating. You can type
a maximum of 256 characters.
Assign Subjects Assign specific subjects to the subject group.
Calculated Assign a provider that calculates and assigns subjects to the subject
group at run time.
Subject Group Classification—Assign Subjects
These fields appear when you click Assign Subjects under Subject Group Classification.
Subject Type The type of subjects you want to assign to the subject group.
Box adjacent to Search Type the name of a subject and click Search. Partial search is
supported. The subjects that match the search criteria appear in
List of all Subjects.
List of all Subjects The subjects that match the search criteria. Select the required
subject from the list of subjects and click to move it to Selected
Subjects.
Selected Subjects The subjects that you want to include in the subject group you are
creating. Select a subject and click to move it to List of all
Subjects. You can select more than one subject by pressing CTRL
and clicking the relevant subjects.
Box adjacent to Add Type the IP or proxy address that you want to include in the subject
group and click Add. The IP or PROXY address appears in Added
List.
This box is available only if you click IP or PROXY in Subject
Type.
Added List The list of IP or PROXY addresses that you want to add to the
subject group you are creating. Click Delete to remove the selected
IP or proxy address from the subject group you are creating.
This list is available only if you click IP or PROXY in Subject
Type.
Subject Group Classification—Calculated
These fields appear when you click Calculated under Subject Group Classification.
Subject Type The type of subjects you want to assign to the subject group.
Calculated Group Provider The provider that calculates and assigns subjects to the subject
group at run time.
Import a Subject Group
You can import new subject groups into the system. To do this, you must import an XML file
with the .subgrp extension for the subject group.
You cannot import a subject group that is already available in the system. An error
message appears.
You cannot import files without the .subgrp extension. A relevant error message appears.
The following snippet shows the SubjectGroupTemplate.subgrp format.
This feature is available to the Admin User.
Replace “please fill in” with the real value before you import a subject group.
To import a policy or subject group:
1. On the Subject Groups—Summary page, click Import.
2. On the Please choose a subject group definition file… pop-up window, click Browse to select the
subject group file. You can import multiple subject groups in a single file. For more information
on specific fields, refer to Import a Subject Group —Field Details.
3. Click Import. The subject groups are imported.
Import a Subject Group —Field Details
Field Details
Box adjacent to Import The path of the .subgrp file that you want to import.
Export a Subject Group
You can export subject groups to a file with the .subgrp extension.
The following snippet shows the SOABenchmarkService_EBAYAPP.subgrp format.
This feature is available to the Admin and the Guest User.
To export a subject group:
1. On the Subject Groups—Summary page, select the relevant subject groups. You can export
multiple subject groups in a single file.
2. Click Export. The selected subject groups are exported to a .subgrp file.
You can also click Export on the menu in the Actions column for a subject group to export it.
The file with multiple subject groups is saved with the same name as the first selected subject
group on the Subject Groups—Summary page.
View Subject Group
You can view the details of a subject group, including the subjects and policies that are assigned
to it. The Edit link and Delete link appear enabled only when the user has adequate
permissions.
This feature is available to the Admin User and the Guest User.
Action links and buttons are available to the Admin User only.
To view subject group details:
On the Subject Groups—Summary page, click the name of the relevant subject group,
and view its details.
View Subject Group Details—Field Details
Field Details
Subject Group Information
Click Edit to modify the subject group information.
Subject Group Name The name of the subject group.
Subject Group Description The description of the subject group.
Subject Group Type The type of subjects assigned to the subject group.
Assigned Subjects
Click Assign more subjects to assign subjects to the subject group.
Click Delete all to delete the existing subjects. You will have to assign at least one
subject after this action.
Subject Type The type of subjects assigned to the subject group.
Subjects/Calculated Group The subjects or calculated group provider assigned to the subject
group. Click See All to view the list of all subjects/calculated group
providers.
Actions Click Edit to modify the existing resource that is assigned to the
group.
Click Delete to delete the existing resource that is assigned to the
group.
Modify Subject Group
You can modify the details of a subject group. You can also modify the subjects that are assigned to a
subject group.
This feature is available to the Admin User and the Guest User.
To modify a subject group:
1. On the Subject Groups—Summary page, click the name of the relevant subject, and modify the
details as required.
OR
Click Edit on the menu in the Actions column for a subject group, and modify the
details as required.
2. Click Save.
Modify Subject Group Information
You can modify the name and description of a subject group.
To modify subject group information:
1. On the Subject Groups—View/Edit page, click Edit in the Subject Group Information
section.
2. On the Edit Subject Group Information pop-up window, modify the subject group
information, as required, and click Add Changes.
For more information on specific fields, refer to Modify Subject Group Information—
Field Details.
3. On the Subject Groups—View/Edit page, click Save.
Modify Subject Group Information—Field Details
Field Details
Subject Group Name The name of the subject group. You can type a maximum of 128
characters including a-z, A-Z, 0-9, period (.), underscore (_), and
hyphen (-).
Subject Group Type The type of subjects assigned to the subject group.
Subject Group Description The description of the subject group. You can type a maximum of
256 characters.
Modify Assigned Subjects
You can modify the subjects that are assigned to a subject group. You can assign a calculated
group provider or modify the assigned subjects. When you select a calculated group provider
and complete the process of assigning the calculated group provider, the subjects assigned
originally will be replaced by the calculated group provider.
To modify assigned subjects:
1. On the Subject Groups—View/Edit page, click Edit in the Assigned Subjects section.
2. On the Edit Subjects for pop-up window, modify the assigned subjects,
as required, and click Add Changes.
3. On the Subject Groups—View/Edit page, click Save.
Modify Assigned Subjects—Field Details
Field Details
These fields appear when the subject type is not IP or PROXY.
Box adjacent to Search Type the name of a subject and click Search. Partial search is
supported. The subjects that match the search criteria appear in
List of all Subjects.
List of all Subjects The subjects that match the search criteria. Select the required
subject from the list of subjects and click to move it to Selected
Subjects.
Selected Subjects The subjects that you want to include in the subject group. Select a
subject and click to move it to List of all Subjects. You can
select more than one subject by pressing CTRL and clicking the
relevant subjects.
Assign Subjects Assign specific subjects to the subject group.
Calculated Assign a provider that calculates and assigns subjects to the subject
group at run time.
Assign Subjects
These fields appear when the subject type is IP or PROXY.
Box adjacent to Add Type the IP or PROXY address that you want to include in the
subject group and click Add. The IP or PROXY address appears in
Added List.
Added List The list of IP or PROXY addresses that you want to add to the
subject group. Click Delete to remove the selected IP or PROXY
address from the subject group.
Calculated
These fields appear when there is a calculated group provider.
Calculated Group Provider The provider that calculates and assigns subjects to the subject
group at run time.
Assign More Subjects
You can assign more subjects to a subject group.
To assign subjects to a subject group:
1. On the Subject Groups—View/Edit page, click Assign more subjects in the Assigned
Subjects section.
2. On the Edit Subjects for pop-up window, enter the details as required,
and click Add Changes.
For more information on specific fields, refer to Assign More Subjects—Field Details.
3. On the Subject Groups—View/Edit page, click Save.
Assign More Subjects—Field Details
Field Details
These fields appear when the subject type is not IP or PROXY.
Box adjacent to Search Type the name of a subject and click Search. Partial search is
supported. The subjects that match the search criteria appear in
List of all Subjects.
List of all Subjects The subjects that match the search criteria. Select the required
subject from the list of subjects and click to move it to Selected
Subjects.
Selected Subjects The subjects that you want to include in the subject group. Select a
subject and click to move it to List of all Subjects. You can
select more than one subject by pressing CTRL and clicking the
relevant subjects.
Assign Subjects Assign specific subjects to the subject group.
Calculated Assign a provider that calculates and assigns subjects to the subject
group at run time.
Assign Subjects
These fields appear when the subject type is IP or PROXY.
Box adjacent to Add Type the IP or PROXY address that you want to include in the
subject group and click Add. The IP or PROXY address appears in
Added List.
Added List The list of IP or PROXY addresses that you want to add to the
subject group. Click Delete to remove the selected IP or PROXY
address from the subject group.
Calculated
These fields appear when there is a calculated group provider.
Calculated Group Provider The provider that calculates and assigns subjects to the subject
group at run time.
Delete Subject Group
You can delete a subject group that is not assigned to any policy. Thus, you cannot delete a subject
group that is assigned to a policy. You can delete a subject group that has subjects assigned to it.
This feature is available to the Admin User.
To delete a subject group:
1. On the Subject Groups—Summary page, select the check box next to the name of the
subject group you want to delete.
2. Click Delete, and then click OK on the confirmation message.
You can also click Delete on the menu in the Actions column for the corresponding
subject group to delete the subject group.
Chapter 4: Managing Policies
Policies are the rules that determine which subjects or subject groups are allowed to access
resources. There are four types of policies in the SOA Policy Administration tool:
Authorization Policy
Rate Limiting Policy
Blacklist Policy
Whitelist Policy
Please refer to Concepts and Overview for details about the definitions and examples of
the policies.
This topic contains the following subtopics:
View Summary of Policies
Search for Policy
Create Policy
Modify Policy
Enable Policy
Disable Policy
Delete Policy
Deploy Policy
View Summary of Policies
The All Policies—Summary page enables you to view the summary of all policies. It displays a
list of all policies that exist in the tool. The policy with the latest change appears at the
beginning of the list.
The page supports partial search for all policies. You can search a policy and modify it. You can
also delete a policy on the All Policies—Summary page.
The View link appears enabled for all users. The other action buttons and links appear enabled
only when the user has adequate permissions.
This feature is available to the Admin User and the Guest User.
To view a summary of policies:
To view all the policies:
o Go to the All Policies—Summary page. The page displays all policies.
To view a specific policy:
o Go to the All Policies —Summary page.
o Enter the search criteria.
o Click Search.
For more information on the available search options, refer to Search for a Policy — Field
Details.
The following section details the list of available fields.
View Summary of Policies—Field Details
Field Details
List of Policies
Policy Name The name of the policy. You can click the policy name to go to the
View/Edit page for that policy.
Policy Type The type of policy. GLOBAL assignments for Blacklist and Whitelist
policies are indicated.
Created by The network ID of the user who created the policy.
Last Modified The time stamp when the policy was created/last modified.
Last modified By The author of the last change on the policy.
Status The latest status (enabled or disabled) of the policy.
Actions The actions you can perform on the policy. The available options
are:
View
Enable (or Disable)
Submit a Trace Ticket
Assign Subjects/Subject Groups
Delete
View Policy Violations
Export
Search for a Policy
The Policy — Search page enables you to search for a policy and then perform actions on it. It
allows search based on four parameters — Policy Name, Resources, Subjects, and Subject
Groups.
The page allows partial search. The system supports the percentage sign (%) as the wildcard
character for partial search. You can place it before, after, or within the search string. For
example: %ABCSubjectGroup, ABCSubjectGroup%, ABC%SubjectGroup, and
%ABC%SubjectGroup%.
To search for a policy:
Go to the All Policies — Search page.
Enter the search criteria.
Click Search.
The following section details the available search options.
Search for a Policy—Field Details
Field Details
Search Options
Policy Name Search for a policy by providing the policy type and the policy
name.
Resources Search for a policy by providing the resource type, resource, and
operation related to the policy.
Subjects Search for a policy by providing the subject type and the subject
name that is assigned to the policy.
Subject Groups Search for a policy by providing the subject group type and the
subject group name that is assigned to the policy.
Search Options—Policy Name
These fields appear when you click Policy Name in Search Options.
Policy Type The type of the policy you are searching. The available options are:
Authorization Policy
Blacklist Policy
Rate Limiting Policy
Whitelist Policy
Box above Search The name of the policy you are searching. Partial search is
supported. Empty string will match all.
Effect The effect for the rate limiting policy you are searching. This list is
available only if you select Rate Limiting Policy in Policy Type. The
available options are:
BLOCK
CHALLENGE
FLAG
Search Options—Resources
These fields appear when you click Resources in Search Options.
Resource Type The resource type that is assigned to the policy that you are
searching.
You can filter policies under the following resource types:
Web (Web application)
Service (Web service)
Resource The name of the resource that is assigned to the policy that you are
searching.
To distinguish among the service names under different domains:
Click Click here for details in the Resource section.
Operation The operation that is assigned to the policy you are searching. It is
an optional selection.
Search Options—Subjects
These fields appear when you click Subjects in Search Options.
Subject Type The subject type that is assigned to the policy you are searching.
Box above Search The name of the subject that is assigned to the policy you are
searching. Partial search is supported.
Search Options—Subject Groups
These fields appear when you click Subject Groups in Search Options.
Subject Type The subject group type that is assigned to the policy you are
searching.
Box above Search The name of the subject group that is assigned to the policy you are
searching. Partial search is supported.
The screen displays a summary of the policies that match the search. For more information on
the fields in the summary, refer to View Summary of Policies—Field Details.
The All Policies — Search page displays the count of policies matching the search criteria
as “# results found”, where # represents the number of matching results.
The All Policies —Search page includes pagination and displays 15 results at a time. The
following are the available options:
Click Next to view the results on the next page.
Click Previous to view the results on the previous page.
Click a specific number to view the result set on a specific page.
Enter a page number in the Go to Page box and click Go to view the result set on a specific
page.
If there are no search results that match your search criteria, an error message (“No
search results available”) appears in the list of policies.
Search results include policies that reach a subject through a subject group. For example,
suppose EBAYAPPGroup (a subject group) contains “subject A” and “subject B” and is assigned
to “policy B”. If you search for “subject A” or “subject B” on the All Policies—Search page,
the policy results display “policy B”, because the subject belongs to “EBAYAPPGroup”, which
has already been assigned to this policy.
Search results also include policies that are assigned to a whole subject type. For example,
suppose the “IP” type is assigned to “policy A”. When you search for a subject that belongs
to the “IP” type, the policy results display “policy A”.
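The search behaviour described above (direct assignment, assignment through a subject group, assignment of a whole subject type, and the % wildcard) can be modelled as follows, which is useful when reviewing which policies actually reach a given subject. This is an added example, not the tool's own code: the data classes, the EBAYAPP subject type value, “policy C”, and the rule that a pattern must match the whole subject name are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SubjectGroup:
    name: str
    subject_type: str
    members: set = field(default_factory=set)


@dataclass
class Policy:
    name: str
    subjects: set = field(default_factory=set)     # {(type, name)} assigned directly
    groups: set = field(default_factory=set)       # names of assigned subject groups
    whole_types: set = field(default_factory=set)  # types assigned as a whole ("All IP")


def wildcard_to_regex(pattern):
    """Translate a % wildcard search string into a regex used with fullmatch()."""
    if pattern == "":
        pattern = "%"  # the page states that an empty string matches all
    # Escape every literal piece so '.' in an IP address is not a regex wildcard.
    body = ".*".join(re.escape(piece) for piece in pattern.split("%"))
    return re.compile(body, re.DOTALL)


def search_policies_by_subject(subject_type, pattern, policies, groups):
    """Return {policy name: [reasons]} for subjects of subject_type matching pattern.

    Each reason records how the policy reaches the subject: 'type:<type>',
    'direct:<subject>' or 'group:<group>:<subject>'.
    """
    rx = wildcard_to_regex(pattern)
    hits = {}
    for policy in policies:
        reasons = []
        # Whole-type assignment: any subject of that type is covered.
        if subject_type in policy.whole_types:
            reasons.append(f"type:{subject_type}")
        # Direct assignment of a named subject.
        for s_type, s_name in sorted(policy.subjects):
            if s_type == subject_type and rx.fullmatch(s_name):
                reasons.append(f"direct:{s_name}")
        # Indirect assignment through a subject group of the same type.
        for g_name in sorted(policy.groups):
            group = groups.get(g_name)
            if group is None or group.subject_type != subject_type:
                continue
            for member in sorted(group.members):
                if rx.fullmatch(member):
                    reasons.append(f"group:{g_name}:{member}")
        if reasons:
            hits[policy.name] = reasons
    return hits


# Constructed sample data mirroring the two examples in the text.
GROUPS = {
    "EBAYAPPGroup": SubjectGroup("EBAYAPPGroup", "EBAYAPP", {"subject A", "subject B"}),
}
POLICIES = [
    Policy("policy A", whole_types={"IP"}),
    Policy("policy B", groups={"EBAYAPPGroup"}),
    Policy("policy C", subjects={("EBAYAPP", "subject C")}),  # hypothetical extra policy
]

if __name__ == "__main__":
    for query in [("EBAYAPP", "subject A"), ("IP", "10.12.23.56"), ("EBAYAPP", "subject%")]:
        print(query, "->", search_policies_by_subject(*query, POLICIES, GROUPS))
```

The reason strings make indirect grants visible: a subject that is never named on a policy can still be covered through a group or a whole-type assignment.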
If you search for Resources in the Search Options section, you can click Click here for
details to navigate to the Asset Repository page. On the Asset Repository page, you can
search for the service ID and version number mapping. The search result provides the
service name, which you can select from the Resource drop-down list box on the Modify
Policy page.
Create Policy
Users can create policies by providing the name and description for the policy and assigning one
or more resources to the policy. A policy is always created in a disabled state to ensure that no
policy is accidentally applied without due diligence. The policy can be enforced only after at
least one subject and/or subject group is assigned to the policy. Users can modify subjects
and/or subject groups any number of times after creating the policy.
You can create the following policies:
Create Authorization Policy
Create Rate Limiting Policy
Create Blacklist Policy
Create Whitelist Policy
Users have to enable a policy after making the relevant assignments to the policy. Note that the
service must be configured to have the appropriate handler for the policy to be enabled at run
time. For configuring a handler, prior to enabling a service, please check
https://wiki2.arch.ebay.com/confluence/display/SOADOC/3.0+Security+Services.
Modify Policy
Please refer to the specific policy you want to modify:
Modify Authorization Policy
Modify Rate Limiting Policy
Modify Blacklist Policy
Modify Whitelist Policy
Enable Policy
You have to enable a policy in the relevant environment for it to be effective for the assigned
resources, subjects, and subject groups. You cannot enable a policy until you have at least one
resource and at least one subject or subject group assigned to it.
This feature is available to the Admin User.
To enable a policy:
On the All Policies—Summary page, click Enable in the Actions column of the
corresponding policy, and then click OK on the confirmation message.
Users have to enable a policy after making the relevant assignments to the policy. Note that the
service must be configured to have the appropriate handler for the policy to be enabled at run
time. For configuring a handler, prior to enabling a service, please refer to
https://wiki2.arch.ebay.com/confluence/display/SOADOC/3.0+Security+Services.
For further details, please refer to Configure Service at Run Time for Policies.
Disable Policy
You can disable a policy in the relevant environment if you do not want to implement its rules
for the assigned resources, subjects, and subject groups for a time interval.
This feature is available to the Admin User.
To disable a policy:
On the All Policies—Summary page, click Disable in the Actions column of the
corresponding policy, and then click OK on the confirmation message.
Import Policy
You can import new policies using an XML file with the .policy extension. The imported
policies are in the disabled state. You can enable a policy using Enable Policy.
You cannot import a policy that is already available in the system. An error message
appears.
You cannot import files without the .policy extension. A relevant error message
appears.
The following snippet shows the PolicyTemplate.policy format.
# snippet.policygrp.begin
Please fill in
0
-->
please fill in
please fill in
please fill in
please fill in
Please fill in
Please fill in
10.12.23.56
4) if you need to assign all subject from a subject type to a policy, then add subject section as:
All {%type}
e.g. All IP
-->
Please fill in
-->
please fill in
please fill in
please fill in
# snippet.policygrp.end
# snippet.PolicyTemplate.begin
Please fill in
0
-->
please fill in
please fill in
please fill in
please fill in
Please fill in
Please fill in
10.12.23.56
4) if you need to assign all subject from a subject type to a policy, then add subject section as:
![CDATA[All {%type}]]
e.g.
-->
-->
please fill in
please fill in
please fill in
# snippet.PolicyTemplate.end
In the previous PolicyTemplate.policy code snippet, remove the ,
, and tags if the policy does not assign subjects or
subject groups. Remove the tags marked for the RL policy if it is an AUTHZ policy. Replace
“please fill in” with the real value before you import a policy.
To import a policy:
1. On the left-navigation pane, click Import.
2. On the Please choose a policy definition file… pop-up window, click Browse to select
the policy file. You can import multiple policies in a single file. For more information on
specific fields, refer to Import Policy—Field Details.
3. Click Import. The policies are imported.
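Both import procedures (.subgrp for subject groups and .policy for policies) reject files with the wrong extension and expect every “please fill in” value to be replaced first; a pre-import check along the following lines catches both before upload, together with the 128-character name rule from the field tables. This is an added example, not part of the tool: the element and attribute names in the sample XML, the name_attr parameter, and the one-character minimum for names are assumptions, because the page does not reproduce the file schema.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePath

EXTENSIONS = {"policy": ".policy", "subject group": ".subgrp"}
# The templates use both "Please fill in" and "please fill in".
PLACEHOLDER = re.compile(r"please\s+fill\s+in", re.IGNORECASE)
# Name rule from the field tables: at most 128 characters of a-z, A-Z, 0-9,
# period, underscore and hyphen. The minimum of one character is an assumption.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


def walk(elem, prefix=""):
    """Yield (path, element) for elem and all descendants, namespaces stripped."""
    path = f"{prefix}/{elem.tag.rsplit('}', 1)[-1]}"
    yield path, elem
    for child in elem:
        yield from walk(child, path)


def lint_import_file(filename, content, kind, name_attr="name"):
    """Return a list of problems that would make the import fail or import junk.

    kind is "policy" or "subject group"; name_attr is the (hypothetical)
    attribute that carries the policy or subject group name.
    """
    problems = []
    if PurePath(filename).suffix != EXTENSIONS[kind]:
        problems.append(f"extension: expected {EXTENSIONS[kind]}")
    try:
        # The default parser drops XML comments, so instructions left inside
        # template comments are not reported as unfilled values.
        root = ET.fromstring(content)
    except ET.ParseError as exc:
        return problems + [f"xml: {exc}"]
    for path, elem in walk(root):
        values = [("text", elem.text or "")]
        values += [(f"@{key}", value) for key, value in elem.attrib.items()]
        for where, value in values:
            if PLACEHOLDER.search(value):
                problems.append(f"placeholder: {path} {where}")
            elif where == f"@{name_attr}" and not NAME_RE.fullmatch(value):
                problems.append(f"name: {path} {where}={value!r}")
    return problems


# Constructed samples; the tag and attribute names are hypothetical.
TEMPLATE = """<Policies>
  <!-- Replace every "please fill in" value before importing. -->
  <Policy name="Please fill in">
    <Description>please fill in</Description>
    <Subject type="IP">10.12.23.56</Subject>
  </Policy>
</Policies>"""

FILLED = """<Policies>
  <!-- Replace every "please fill in" value before importing. -->
  <Policy name="SOABenchmarkService_Authz">
    <Description>Authorization policy for the benchmark service</Description>
    <Subject type="IP">10.12.23.56</Subject>
  </Policy>
</Policies>"""

if __name__ == "__main__":
    print(lint_import_file("PolicyTemplate.policy", TEMPLATE, "policy"))
    print(lint_import_file("SOABenchmarkService.policy", FILLED, "policy"))
```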
Import a Policy—Field Details
Field Details
Box adjacent to Import The path of the .policy file that you want to import.
Export Policy
You can export policies to a file with the .policy extension. The following snippet shows the
SOABenchmarkService.policy format.
# snippet.SOABenchmarkService.begin
SOABenchmarkService_Authz
SOABenchmarkService
invoke
echo
doNothing
getVersion
invokeEcho
SOABenchmarkService_EBAYAPP
SOABenchmarkService_RL
Flag
1
86400
86400
10]]>
SOABenchmarkService
invoke
echo
getVersion
invokeEcho
doNothing
SOABenchmarkService_EBAYAPP
# snippet.SOABenchmarkService.end
To export a policy:
1. On the All Policies—Summary page, select the relevant policies. You can export multiple
policies in a single file. Click Export.
2. On the Export Policies pop-up window, you can select the Include Subject Group
Definition check box to include the subject group details assigned to the policies.
3. Click Export. The selected policies are exported to a .policy file.
You can also click Export on the menu in the Actions column to export a policy.
The file with multiple policies is saved with the same name as the first selected policy on the All
Policies—Summary page.
Delete Policy
You can delete a policy when it is no longer required. You can delete a policy that is enabled or
disabled.
This feature is available to the Admin User.
To delete a policy:
1. On the All Policies—Summary page, select the check box next to the name of the policy
you want to delete.
2. Click Delete, and then click OK on the confirmation message.
You can also click Delete on the menu in the Actions column for the corresponding policy
to delete the policy.
Deploy Policy
Please refer to Deploying and Promoting Policies for details about the deployment
environments and the necessity of manually promoting policies.
Chapter 5: Managing Authorization Policy
The authorization policy determines if an entity has access to a resource.
Please refer to Concepts and Overview for an example of the authorization policy.
You can create an authorization policy and assign resources, subjects, and subject groups to it.
You can modify the resources, subjects, and subject groups that are assigned to an
authorization policy.
This topic contains the following subtopics:
Create Authorization Policy
View Authorization Policy Details
Modify Authorization Policy Details
For the actions you can perform on a policy, please refer to the relevant section:
View Summary of Policies
Search for a Policy
Enable a Policy
Disable a Policy
Import a Policy
Export a Policy
Delete a Policy
Deploy a Policy
Create Authorization Policy
The Authorization Policy—Create page enables you to create an authorization policy. You have
to assign at least one resource to an authorization policy while creating it.
To create an authorization policy:
1. On the Authorization Policy—Create page, type the name of the authorization policy
and its description. For more information on specific fields, refer to Create
Authorization Policy—Field Details.
2. Click Create.
Assign Resources to Authorization Policy
You have to assign at least one resource to an authorization policy while creating it. You can
assign resources to an authorization policy at the operational level only.
To assign resources to an authorization policy:
1. On the Authorization Policy—Create page, select the relevant details in the Resources section.
For more information on specific fields, refer to Create Authorization Policy—Field Details.
2. Click Assign Resource.
Assigning a resource is part of the procedure required for creating an authorization policy.
Create Authorization Policy—Field Details
Field Details
Policy Name The name of the authorization policy you want to create. You can
type a maximum of 128 characters including a-z, A-Z, 0-9, period (.),
underscore (_), and hyphen (-).
Policy Description The description of the authorization policy you are creating. You
can type a maximum of 256 characters.
Resources
Resource Type The resource type that is assigned to the policy that you are
searching.
You can filter policies under the following resource types:
Web (Web application)
Service (Web service)
Resource The name of the resource that is assigned to the policy that you are
searching.
To distinguish among the service names under different domains:
Click Click here for details in the Resource section.
List of all Operations The list of all operations corresponding to the selected service.
Select an operation and click to move it to Selected
Operations. You can select more than one operation by pressing
CTRL and clicking the relevant operations.
Selected Operations The operations that you want to assign to the authorization policy
you are creating. Select an operation and click to move it to
List of all Operations. You can select more than one operation by
pressing CTRL and clicking the relevant operations.
Assign Subjects or Subject Groups to Authorization Policy
You can assign subjects and subject groups to an authorization policy. This procedure explains
the process of assigning subjects and subject groups to an authorization policy that has not
been assigned any subjects and subject groups. If a subject or subject group has already been
assigned to an authorization policy, you can modify the existing subjects and subject groups or
assign more subjects and subject groups.
To assign subjects or subject groups to an authorization policy:
1. On the Authorization Policy—View/Edit page, enter the details as required in the
Assigned Subjects/Subject Groups section, and click Assign more Subjects/Subject
Groups.
OR
You can also click Assign Subjects/Subject Groups on the menu in the Actions column for
the policy to which you want to assign subjects or subject groups.
For more information on specific fields, refer to Assign Subjects or Subject Groups to
Authorization Policy—Field Details.
2. On the Edit Subjects/Subject groups for pop-up window, click Save.
Assign Subjects or Subject Groups to Authorization Policy—Field Details
Field Details
Subject Type The type of subjects and/or subject groups that you want to assign
to the authorization policy.
Assign Subjects
Box adjacent to Search Type the name of a subject and click Search. Partial search is
supported. The subjects that match the search criteria appear in
List of all Subjects.
List of all Subjects The subjects that match the search criteria. Select the required
subject from the list of Subjects and click to move it to Selected
Subjects.
Selected Subjects The subjects that you want to assign to the authorization policy.
Select a subject and click to move it to List of all Subjects. You
can select more than one subject by pressing CTRL and clicking the
relevant subjects.
Box adjacent to Add Type the IP or PROXY address that you want to assign to the
authorization policy and click Add. The IP or PROXY address
appears in Added List.
This box is available only when you click IP or PROXY in
Subject Type.
Added List The list of IP or PROXY addresses that you want to assign to the
authorization policy. You have to assign at least one IP or PROXY
address, as applicable, to the authorization policy. Click Delete to
remove the selected IP or PROXY address from the authorization
policy.
This box is available only when you click IP or PROXY in
Subject Type.
Assign Subject Groups
List of all Subject Groups The list of all subject groups of the selected subject type. Select a
subject group and click to move it to Selected Subject Groups.
You can select more than one subject group by pressing CTRL and
clicking the relevant subject groups.
Selected Subject Groups The list of subject groups that you want to assign to the
authorization policy. Select a subject group and click to move it
to List of all Subject Groups. You can select more than one subject
group by pressing CTRL and clicking the relevant subject groups.
Submit a Trace Ticket for a Subject
You can submit a trace ticket to make a policy immediately effective for a subject. This option
is not available for a disabled policy. On demand, the system can make the policy change
effective before the configured 30 minutes have elapsed.
To submit a trace ticket:
1. On the Subject Groups—View/Edit page, modify the details as required.
OR
You can also submit the trace ticket on the Subject Groups—Summary page using the
Submit a trace ticket right-click menu option.
2. Click Save.
3. Click Yes, I'd like to submit a ticket to do that now.
4. On the Submit a trace ticket to make policy effective immediately pop-up window,
enter the details as required, and click Submit.
For more information on specific fields, refer to Submit a Trace Ticket for a Subject—Field
Details.
You must know the pool name before you raise a ticket. The ticket is of the OPSVC (Operations
Service) type. You can log on to http://trace and check the status of your ticket.
Submit a Trace Ticket for a Subject—Field Details
Field Details
Environment: The environment is Production or QA.
Pool Name: The name of the pool for refreshing the cache bean. It is a mandatory field.
Detail Info: The description of the action link to refresh the cache bean.
View Authorization Policy Details
You can view the details of an authorization policy, such as the resources and subject groups
that are assigned to it.
To view authorization policy details:
On the All Policies—Summary page, click the name of the relevant authorization policy,
and view its details.
You can also click View on the menu in the Actions column for a policy to view the policy
details.
View Authorization Policy Details—Field Details
Field Details
Policy Information
Policy Name: The name of the authorization policy.
Policy Description: The description of the authorization policy.
Policy Status: The Policy Status field displays the status of the policy (enabled or disabled).
Resources
Click Assign another Resource to assign more resources to the authorization policy.
Click Delete all to delete all existing resources that are assigned to the authorization policy.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
    Web (Web application)
    Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching.
Operations: The operations that are assigned to the authorization policy. Click See All to view the list of all assigned operations.
Actions: Click Edit to modify the existing resource that is assigned to the authorization policy. Click Delete to delete the existing resource that is assigned to the authorization policy.
Assigned Subjects/Subject Groups
Click Assign more subjects/subject groups to assign more subjects and subject groups to the authorization policy.
Click Delete all to delete all the existing subjects and subject groups that are assigned to the authorization policy.
Subject Type: The type of subjects and/or subject groups assigned to the authorization policy.
Subjects: The subjects assigned to the authorization policy. Click See All to view the list of all subjects that are assigned to the authorization policy.
Subject Groups: The subject groups that are assigned to the authorization policy. Click See All to view the list of all subject groups that are assigned to the authorization policy.
Actions: Click Edit to modify the existing subjects and/or subject groups that are assigned to the authorization policy. Click Delete to delete the existing subjects and subject groups that are assigned to the authorization policy.
Modify Authorization Policy Details
You can modify the details of an authorization policy. You can also modify the resources,
subjects, and subject groups that are assigned to the authorization policy.
To modify an authorization policy:
1. On the All Policies—Summary page, click the name of the relevant authorization policy,
and modify the details as required.
2. Click Save.
Modify Authorization Policy Information
You can modify the name and description of an authorization policy.
To modify authorization policy information:
1. On the Authorization Policy—View/Edit page, click Edit in the Policy Information section.
2. On the Edit Policy Information pop-up window, modify the policy information as
required, and click Add Changes.
3. On the Authorization Policy—View/Edit page, click Save.
Modify Authorization Policy Information—Field Details
Field Details
Policy Name: The name of the policy. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the policy. You can type a maximum of 256 characters.
Modify Assigned Resources
You can modify the resources that are assigned to an authorization policy.
To modify assigned resources:
1. On the Authorization Policy—View/Edit page, click Edit in the Resources section.
2. On the Edit Resource for Policy pop-up window, modify the assigned
resource as required, and click Add Changes.
3. On the Authorization Policy—View/Edit page, click Save.
Modify Assigned Resources—Field Details
Field Details
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
    Web (Web application)
    Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains:
    Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the rate limiting policy you are creating. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Modify Assigned Subjects or Subject Groups
You can modify the subjects and/or subject groups that are assigned to an authorization policy.
To modify assigned subjects or subject groups:
1. On the Authorization Policy—View/Edit page, click Edit corresponding to the relevant
subject type in the Assigned Subjects/Subject Groups section.
2. On the Edit Subjects/Subject Groups for Policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
For more information on specific fields, refer to Modify Assigned Subjects or Subject
Groups—Field Details.
3. On the Authorization Policy—View/Edit page, click Save.
Modify Assigned Subjects or Subject Groups—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the authorization policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects. Only exact match supported.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the authorization policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the authorization policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the authorization policy. You have to assign at least one IP or PROXY address, as applicable, to the authorization policy. Click Delete to remove the selected IP or PROXY address from the authorization policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the authorization policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Assign More Resources
You can assign more resources to an authorization policy.
To assign more resources to an authorization policy:
1. On the Authorization Policy—View/Edit page, click Assign another Resource in the Resources
section.
2. On the Add Resource to Policy pop-up window, add the relevant resource as
required, and click Add Changes.
3. On the Authorization Policy—View/Edit page, click Save.
Assign More Resources—Field Details
Field Details
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
    Web (Web application)
    Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains:
    Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the rate limiting policy you are creating. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Assign More Subjects or Subject Groups
You can assign more subjects and/or subject groups to an authorization policy.
To assign more subjects or subject groups to an authorization policy:
1. On the Authorization Policy—View/Edit page, click Assign more subjects/subject groups in the
Assigned Subjects/Subject Groups section.
2. On the Edit Subjects/Subject Groups for Policy pop-up window, modify the
subjects or subject groups as required, and click Add Changes.
3. On the Authorization Policy—View/Edit page, click Save.
Assign More Subjects or Subject Groups—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the authorization policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the authorization policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the authorization policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the authorization policy. You have to assign at least one IP or PROXY address, as applicable, to the authorization policy. Click Delete to remove the selected IP or PROXY address from the authorization policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the authorization policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Chapter 6: Managing Rate Limiting Policy
Rate limiting refers to setting limits on the number of times an entity can access a resource
within a given amount of time. Rate limiting helps in protecting resources from security threats
and enforces tiered access to resources based on the business contract with a caller. Eventually,
rate limiting will also help with chargeback for using a service. You can assign resources to a
rate limiting policy. You can also assign subjects and/or subject groups to a rate limiting policy;
however, this assignment is done through one of the following lists:
Inclusion List: Collection of subjects or subject groups that are granted access to the
resources assigned to a policy. You must assign at least one subject or subject group to
the inclusion list.
Exclusion List: Collection of subjects or subject groups that do not have access to the
resources assigned to a policy. The subjects/subject groups in the exclusion list are a
subset of the subjects/subject groups that are part of the inclusion list.
For example, suppose subject group A is part of the inclusion list and has subjects x, y, and z. If subject
x is part of the exclusion list, then only subjects y and z will be enlisted in the inclusion list.
Please refer to Concepts and Overview for an example of the rate limiting policy.
You can create a rate limiting policy and assign/modify resources, subjects, and subject groups
to it.
This topic contains the following subtopics:
Create Rate Limiting Policy
View Rate Limiting Policy
Modify Rate Limiting Policy
For the actions you can perform on a policy, please refer to the relevant section:
View Summary of Policies
Search for Policy
Enable Policy
Disable Policy
Import Policy
Export Policy
Delete Policy
Deploy Policy
Please refer to Manage Access Control for a Policy for details on access privileges and
permissions.
Create Rate Limiting Policy
The Rate Limiting Policy—Create page enables you to create a rate limiting policy. You have to
assign at least one resource to a rate limiting policy while creating it.
To create a rate limiting policy:
1. On the Rate Limiting Policy—Create page, type the name of the rate limiting policy and
other details.
For more information on specific fields, refer to Create Rate Limiting Policy—Field
Details.
2. Assign resources to the rate limiting policy.
3. Click Create.
Assign Resources to the Rate Limiting Policy
You can assign resources to a rate limiting policy at the operation level or at the service level.
When you assign resources at the service level, all the operations under the service are
assigned to the policy. When you assign resources at the operation level, you have to select the
operations you want to assign to the policy.
To assign resources to a rate limiting policy:
1. On the Rate Limiting Policy—Create page, select the relevant details in the Resources
section. For more information on specific fields, refer to Create Rate Limiting Policy—
Field Details.
2. Click Assign Resource.
Assigning a resource is part of the procedure required for creating a rate limiting policy.
Create Rate Limiting Policy—Field Details
Field Details
Policy Name: The name of the rate limiting policy you want to create. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the rate limiting policy you are creating. You can type a maximum of 256 characters.
Policy Based Email Address: The email addresses of the users to whom an alert should be sent out in case of rate limiting policy violation. Add the email addresses separated by a comma. For example: abc@ebay.com,xyz@ebay.com
Subject Based Email Address: The subjects to whom an alert should be sent out in case of rate limiting policy violation. Select the check boxes against the desired subjects.
Effect Duration: The time period (in seconds) for which the effect on violation of the rate limiting policy should be enforced.
Rollover Period: The time period after which the count for the rate limiting policy should be reset. The available options are:
    3600 seconds (one hour)
    86400 seconds (24 hours)
Priority: The priority of the rate limiting policy. The highest priority that you can set is “1.”
Effect: The action that should be enforced when the rate limiting policy is violated. The available options are:
    BLOCK (the Add Soft-Limit Condition link appears only when the BLOCK option is selected)
    CHALLENGE
    FLAG
    SOFT-LIMIT
Condition: A logical condition for the rate limiting policy. You can also build one using the Use Condition Builder link.
Use Condition Builder
These fields appear when you click Use Condition Builder under the Condition box.
Service: The service for which you want to control access.
Operation (optional): The operation for which you want to control access. This is an optional field.
RL keyword: Click the relevant value.
Operator: Click the relevant operator.
Text: Type the relevant value in numbers.
Logic Operator (optional): Click the relevant operator. This is an optional field.
Add button: Click to add the condition that you built to the Condition box.
Resources
Level: The level at which you want to assign resources to the rate limiting policy. The available options are:
    Operation Level
    Service Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
    Web (Web application)
    Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains:
    Click Click here for details in the Resource section.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the rate limiting policy you are creating. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
    Web (Web application)
    Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains:
    Click Click here for details in the Resource section.
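The inclusion and exclusion lists described at the start of this chapter, together with the Policy Name, Rollover Period, Effect Duration, Priority and Effect fields in the table above, can be modelled as follows. This is an added example, not the tool's own code. The fixed-window counter, the "hits > limit" condition, the per-subject counters, the NOT-INCLUDED result and the rule that the highest-priority violated policy decides are all assumptions.

```python
import re
from dataclasses import dataclass

EFFECTS = ("BLOCK", "CHALLENGE", "FLAG", "SOFT-LIMIT")  # Effect options from the field table
ROLLOVER_PERIODS = (3600, 86400)                        # Rollover Period options, in seconds
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")          # Policy Name rule from the field table


def expand(names, groups):
    """Resolve a list of subject and subject group names to a set of subjects."""
    subjects = set()
    for name in names:
        subjects |= set(groups.get(name, {name}))
    return subjects


@dataclass(frozen=True)
class RateLimitPolicy:
    name: str
    limit: int             # ASSUMPTION: the condition is "hits in the window > limit"
    rollover_period: int   # seconds after which the hit count is reset
    effect_duration: int   # seconds the effect stays in force after a violation
    effect: str
    priority: int = 1      # 1 is the highest priority
    inclusion: tuple = ()  # subject or subject group names
    exclusion: tuple = ()

    def __post_init__(self):
        if not NAME_RE.fullmatch(self.name):
            raise ValueError("policy name: 1-128 chars of a-z A-Z 0-9 . _ -")
        if self.rollover_period not in ROLLOVER_PERIODS:
            raise ValueError("rollover period must be 3600 or 86400 seconds")
        if self.effect not in EFFECTS:
            raise ValueError("unknown effect")
        if self.priority < 1 or not self.inclusion:
            raise ValueError("priority starts at 1; inclusion list must not be empty")

    def covered(self, groups):
        """Effective inclusion list: inclusion entries minus exclusion entries."""
        return expand(self.inclusion, groups) - expand(self.exclusion, groups)


class Limiter:
    """Fixed-window counter per (policy, subject); all behaviour here is assumed."""

    def __init__(self, policies, groups):
        self.policies = sorted(policies, key=lambda p: p.priority)
        self.groups = groups
        self.windows = {}  # (policy name, subject) -> (window start, hit count)
        self.until = {}    # (policy name, subject) -> time the effect ends

    def check(self, subject, now):
        """Count one request at time `now` (seconds) and return (decision, policy name)."""
        listed, violated = False, []
        for p in self.policies:
            if subject not in p.covered(self.groups):
                continue
            listed = True
            key = (p.name, subject)
            if now < self.until.get(key, 0):       # Effect Duration still running
                violated.append(p)
                continue
            start, count = self.windows.get(key, (now, 0))
            if now - start >= p.rollover_period:   # Rollover Period elapsed: reset
                start, count = now, 0
            count += 1
            self.windows[key] = (start, count)
            if count > p.limit:
                self.until[key] = now + p.effect_duration
                violated.append(p)
        if not listed:
            # The guide says excluded subjects have no access; the response is left to the caller.
            return ("NOT-INCLUDED", None)
        if violated:                               # policies are sorted, so [0] has top priority
            return (violated[0].effect, violated[0].name)
        return ("ALLOW", None)


def demo():
    """Constructed data: group A = {x, y, z} with x excluded, as in the guide's example."""
    groups = {"A": {"x", "y", "z"}}
    block = RateLimitPolicy("svc.block", limit=3, rollover_period=3600, effect_duration=60,
                            effect="BLOCK", priority=1, inclusion=("A",), exclusion=("x",))
    limiter = Limiter([block], groups)
    return [(t, limiter.check("y", t)[0]) for t in (0, 1, 2, 3, 10, 100, 3600)]


if __name__ == "__main__":
    for when, decision in demo():
        print(when, decision)
```

In the demo, the request at 100 seconds is blocked again even though the 60-second effect has ended, because the hit count is only reset when the 3600-second rollover period elapses.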
Assign Subjects or Subject Groups to Inclusion List
You can assign subjects or subject groups to the inclusion list of a rate limiting policy. This
procedure explains the process of assigning subjects and subject groups to a rate limiting policy
that has not been assigned any subjects and subject groups. If a subject or subject group has
already been assigned to the inclusion list, you can modify them or assign more subjects or
subject groups.
For further details about the inclusion list, please refer to Concepts and Overview.
To assign subjects or subject groups to the inclusion list:
1. On the Rate Limiting Policy—View/Edit page, enter the details as required in the
Inclusion List section, and click Add Changes.
2. On the Rate Limiting Policy—View/Edit page, click Save.
Assign Subjects or Subject Groups to Inclusion List—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the inclusion list.
Assign Subjects
Select All Subjects: Select to assign all the subjects to the inclusion list. The other options in the Assign Subjects section will not be available if you select Assign All Subjects.
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of Subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the inclusion list. You have to assign at least one subject to the inclusion list. Select the subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the inclusion list and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the inclusion list. You have to assign at least one IP or PROXY address, as applicable, to the inclusion list. Click Delete to remove the selected IP or PROXY address from the inclusion list. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
Assign Type: Click the relevant option. The available options are:
    ApplyAll
    ApplyToEach
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the inclusion list. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Assign Subjects or Subject Groups to the Exclusion List
You can assign subjects and subject groups to the exclusion list of a rate limiting policy. This
procedure explains the process of assigning subjects and subject groups to a rate limiting policy
that has not been assigned any subjects or subject groups. If a subject or subject group has
already been assigned to an exclusion list, you can modify them or assign more subjects or
subject groups.
For further details about the exclusion list, please refer to Concepts and Overview.
To assign subjects or subject groups to the exclusion list:
1. On the Rate Limiting Policy—View/Edit page, enter the details as required in the
Exclusion List section, and click Assign.
2. On the Rate Limiting Policy—View/Edit page, click Save.
Assign Subjects or Subject Groups to Exclusion List—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the exclusion list.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the exclusion list. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the exclusion list and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the exclusion list. Click Delete to remove the selected IP or PROXY address from the exclusion list. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
Assign Type: Click the relevant option. The available options are:
    ApplyAll
    ApplyToEach
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the exclusion list. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Submit a Trace Ticket for a Subject
You can submit a trace ticket to make a policy immediately effective for a subject. This option
is not available for a disabled policy. On demand, the system can make the policy change
effective before the configured 30 minutes have elapsed.
To submit a trace ticket:
1. On the Subject Groups—View/Edit page, modify the details as required.
OR You can also submit the trace ticket on the Subject Groups—Summary page using
the Submit a trace ticket right-click menu option.
2. Click Save.
3. Click Yes, I'd like to submit a ticket to do that now.
4. On the Submit a trace ticket to make policy effective immediately pop-up window,
enter the details as required, and click Submit.
For more information on specific fields, refer to Submit a Trace Ticket for a Subject—Field
Details.
You must know the pool name before you raise a ticket. The ticket is of the OPSVC
(Operations Service) type. You can log on to http://trace and check the status of your
ticket.
Submit a Trace Ticket for a Subject—Field Details
Field Details
Environment: The environment is Production or QA.
Pool Name: The name of the pool for refreshing the cache bean. It is a mandatory field.
Detail Info: The description of the action link to refresh the cache bean.
View Rate Limiting Policy
You can view the details of a rate limiting policy, such as the resources and subject groups that
are assigned to it.
To view rate limiting policy details:
On the All Policies—Summary page, click the name of the relevant rate limiting policy,
and view its details.
You can also click View on the menu in the Actions column for a policy to view the policy
details.
View Rate Limiting Policy Details—Field Details
Field Details
Policy Information
Policy Name: The name of the rate limiting policy.
Policy Description: The description of the rate limiting policy.
Policy Status: The Policy Status field displays the status of the policy (enabled or disabled).
Policy Based Email Address: The email addresses of the users to whom an alert should be sent out in case of rate limiting policy violation.
Subject Based Email Address: The subjects to whom an alert should be sent out in case of rate limiting policy violation.
Effect Duration: The time period (in seconds) for which the effect on violation of the rate limiting policy will be enforced.
Rollover Period: The time period (in seconds) after which the count for the rate limiting policy is reset.
Priority: The priority of the rate limiting policy. The highest priority is indicated by “1.”
Effect: The action that will be enforced on violation of the rate limiting policy.
Condition: The logical condition for the rate limiting policy.
Resources
Click Assign another Resource to assign more resources to the rate limiting policy.
Click Delete all to delete all existing resources that are assigned to the rate limiting policy.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
    Web (Web application)
    Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains:
    Click Click here for details in the Resources section.
Operations: The operations that are assigned to the rate limiting policy. Click See All to view the list of all assigned operations.
Actions: Click Edit to modify the existing resource that is assigned to the rate limiting policy. Click Delete to delete the existing resource that is assigned to the rate limiting policy.
Inclusion List
Click Assign more Subjects/Subject Groups to assign more subjects and/or subject groups to the inclusion list.
Click Delete all to delete all the existing subjects and subject groups that are assigned to the inclusion list.
Subject Type: The type of subjects and/or subject groups assigned to the inclusion list.
Subjects: The subjects assigned to the inclusion list. Click See All to view the list of all subjects that are assigned to the inclusion list.
Subject Groups: The subject groups assigned to the inclusion list. Click See All to view the list of all subject groups that are assigned to the inclusion list.
Actions: Click Edit to modify the existing subjects and/or subject groups that are assigned to the inclusion list. Click Delete to delete the existing subjects and subject groups that are assigned to the inclusion list.
Exclusion List
Click Assign more Subjects/Subject Groups to assign more subjects and/or subject groups to the exclusion list.
Click Delete all to delete all the existing subjects and subject groups that are assigned to the exclusion list.
Subject Type: The type of subjects and/or subject groups assigned to the exclusion list.
Box adjacent to Search: Type the criteria for the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the inclusion list. You have to assign at least one subject to the inclusion list. Select the subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Assign Subject Groups
Assign All Subjects: Select to assign all the subjects to the inclusion list. The other options in the Assign Subjects section will not be available if you select Assign All Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the inclusion list. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Modify Rate Limiting Policy
You can modify the details of a rate limiting policy. You can also modify the resources, subjects,
and subject groups that are assigned to the rate limiting policy.
To modify a rate limiting policy:
1. On the All Policies—Summary page, click the name of the relevant rate limiting policy,
and modify the details as required.
2. Click Save.
Modify Rate Limiting Policy Information
You can modify the name and other details of a rate limiting policy.
To modify rate limiting policy information:
1. On the Rate Limiting Policy—View/Edit page, click Edit in the Policy Information
section.
2. On the Edit Policy Information pop-up window, modify the policy information as
required, and click Add Changes.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Modify Rate Limiting Policy Information—Field Details
Field Details
Policy Name: The name of the rate limiting policy. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the rate limiting policy. You can type a maximum of 256 characters.
Effect Duration: The time period (in seconds) for which the effect on violation of the rate limiting policy should be enforced.
Policy Based Email Address: The email addresses of the users to whom an alert should be sent out in case of rate limiting policy violation. Add the email addresses separated by a comma. You can also delete the email addresses from the textbox to remove the email addresses already added. For example: abc@ebay.com,xyz@ebay.com
Subject Based Email Address: The subjects to whom an alert should be sent out in case of rate limiting policy violation. Select the check boxes against the desired subjects. You can also clear the check boxes to remove the subjects already added.
Rollover Period: The time period after which the count for the rate limiting policy should be reset. The available options are:
  3600 seconds (one hour)
  86400 seconds (24 hours)
Priority: The priority of the rate limiting policy. The highest priority that you can set is “1.”
Effect: The action that should be enforced when the rate limiting policy is violated. The available options are:
  BLOCK (The Add-Soft-Limit Condition link appears only when the BLOCK option is selected.)
  CHALLENGE
  FLAG
  SOFT-LIMIT
Condition: A logical condition for the rate limiting policy. You can also build one using the Use Condition Builder link.
Use Condition Builder
These fields appear when you click Use Condition Builder under the Condition box.
Service: The service for which you want to control access.
Operation (optional): The operation for which you want to control access. This is an optional field.
RL keyword: Click the relevant value.
Operator: Click the relevant operator.
Text: Type the relevant value in numbers.
Logic Operator (optional): Click the relevant operator. This is an optional field.
Add button: Click to add the condition you built to the Condition box.
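The following Python sketch is an added example, not code from the Policy Administration Tool. It checks a policy record against the field constraints listed above and shows how Rollover Period and Effect Duration interact for one subject. The class names, the numeric limit (which stands in for the Condition expression, whose syntax is not shown here), the "ALLOW" result, and the choice of fixed windows aligned to multiples of the rollover period are assumptions.

```python
import re
from dataclasses import dataclass

# Constraints taken from the field details above.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")
ROLLOVER_CHOICES = (3600, 86400)                 # seconds
EFFECTS = ("BLOCK", "CHALLENGE", "FLAG", "SOFT-LIMIT")


@dataclass
class RateLimitPolicy:
    name: str
    description: str
    limit: int            # assumption: stands in for the Condition expression
    rollover_period: int  # seconds after which the count is reset
    effect_duration: int  # seconds the effect stays enforced after a violation
    effect: str = "BLOCK"
    priority: int = 1     # 1 is the highest priority

    def validation_errors(self):
        """Return the names of the fields that break a documented constraint."""
        errors = []
        if not NAME_RE.fullmatch(self.name):
            errors.append("name")
        if len(self.description) > 256:
            errors.append("description")
        if self.rollover_period not in ROLLOVER_CHOICES:
            errors.append("rollover_period")
        if self.effect not in EFFECTS:
            errors.append("effect")
        if self.effect_duration < 0:
            errors.append("effect_duration")
        if self.priority < 1:
            errors.append("priority")
        return errors


class RateLimiter:
    """Per-subject counter for one policy (hypothetical enforcement model)."""

    def __init__(self, policy):
        errors = policy.validation_errors()
        if errors:
            raise ValueError("invalid policy fields: " + ", ".join(errors))
        self.policy = policy
        self._window = {}        # subject -> (window index, count)
        self._effect_until = {}  # subject -> time at which the effect ends

    def check(self, subject, now):
        """Return the policy effect, or "ALLOW" (a label added for this example)."""
        p = self.policy
        # A violation keeps its effect for effect_duration seconds,
        # even if the count rolls over in the meantime (assumption).
        if now < self._effect_until.get(subject, 0):
            return p.effect
        window = int(now // p.rollover_period)
        last_window, count = self._window.get(subject, (window, 0))
        if last_window != window:
            count = 0            # rollover: the count is reset
        count += 1
        self._window[subject] = (window, count)
        if count > p.limit:
            self._effect_until[subject] = now + p.effect_duration
            return p.effect
        return "ALLOW"


if __name__ == "__main__":
    # Constructed sample: 3 calls per hour, effect enforced for 10 minutes.
    policy = RateLimitPolicy("api.search_limit-1", "constructed sample",
                             limit=3, rollover_period=3600, effect_duration=600)
    limiter = RateLimiter(policy)
    for t in (0, 1, 2, 3, 100, 700, 3600):
        print(t, limiter.check("app-1", t))
```

A short Effect Duration combined with the 86400-second Rollover Period means a subject that is over the limit is re-flagged on its next request after each effect expires, until the count resets.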
Modify Assigned Resources
You can modify the resources that are assigned to a rate limiting policy.
To modify assigned resources:
1. On the Rate Limiting Policy—View/Edit page, click Edit in the Resources section.
2. On the Edit Resource for Policy pop-up window, modify the assigned
resource as required, and click Add Changes.
For more information on specific fields, refer to Modify Assigned Resources—Field
Details.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Modify Assigned Resources—Field Details
Field Details
Level: The level at which you want to modify resources. The available options are:
  Operation Level
  Service Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching.
Resource: The name of the resource that is assigned to the policy that you are searching.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the rate limiting policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching.
Resource: The name of the resource that is assigned to the policy that you are searching.
Modify Subjects or Subject Groups Assigned to the Inclusion List
You can modify the subjects and/or subject groups that are assigned to the inclusion list of a
rate limiting policy.
To modify subjects or subject groups assigned to the inclusion list:
1. On the Rate Limiting Policy—View/Edit page, click Edit corresponding to the relevant
subject type in the Inclusion List section.
2. On the Edit Subjects/Subject groups for Policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Modify Subjects or Subject Groups Assigned to the Inclusion List—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the inclusion list.
Assign Subjects
Select All Subjects: Select to assign all the subjects to the inclusion list. The other options in the Assign Subjects section will not be available if you select Assign All Subjects.
Box adjacent to Search: Type the criteria for the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the inclusion list. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the inclusion list and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the inclusion list. You have to assign at least one IP or PROXY address, as applicable, to the inclusion list. Click Delete to remove the selected IP or PROXY address from the inclusion list. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
Assign Type: Select the relevant option. The available options are:
  ApplyAll
  ApplyToEach
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the inclusion list. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Modify Subjects or Subject Groups Assigned to the Exclusion List
You can modify the subjects and/or subject groups that are assigned to the exclusion list of a
rate limiting policy.
To modify subjects or subject groups assigned to the exclusion list:
1. On the Rate Limiting Policy—View/Edit page, click Edit corresponding to the relevant
subject type in the Exclusion List section.
2. On the Edit Exclusion List for Policy pop-up window, modify the subjects
or subject groups as required, and click Add Changes.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Modify Subjects or Subject Groups Assigned to the Exclusion List—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the exclusion list.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the exclusion list. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the exclusion list and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the exclusion list. Click Delete to remove the selected IP or PROXY address from the exclusion list. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
Assign Type: Click the relevant option. The available options are:
  ApplyAll
  ApplyToEach
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the exclusion list. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Assign More Resources
You can assign more resources to a rate limiting policy.
To assign more resources to a rate limiting policy:
1. On the Rate Limiting Policy—View/Edit page, click Assign another Resources in the
Resources section.
2. On the Add Resource to Policy pop-up window, add the relevant
resource as required, and click Add Changes.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Assign More Resources—Field Details
Field Details
Level: The level at which you want to assign resources. The available options are:
  Operation Level
  Service Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching.
Resource: The name of the resource that is assigned to the policy that you are searching.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the rate limiting policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching.
Resource: The name of the resource that is assigned to the policy that you are searching.
Assign More Subjects or Subject Groups to the Inclusion List
You can assign more subjects and/or subject groups to the inclusion list of a rate limiting policy.
To assign more subjects or subject groups to the inclusion list:
1. On the Rate Limiting Policy—View/Edit page, click Assign more Subjects/Subject
Groups in the Inclusion List section.
2. On the Edit Subjects/Subject groups for policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
For more information on specific fields, refer to Assign More Subjects or Subject
Groups to the Inclusion List—Field Details.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Assign More Subjects or Subject Groups to the Inclusion List—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the inclusion list.
Box adjacent to Search: Type the criteria for the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the inclusion list. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the inclusion list and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the inclusion list. You have to assign at least one IP or PROXY address, as applicable, to the inclusion list. Click Delete to remove the selected IP or PROXY address from the inclusion list. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
Assign Type: Select the relevant option. The available options are:
  ApplyAll
  ApplyToEach
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the inclusion list. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Assign More Subjects or Subject Groups to the Exclusion List
You can assign more subjects and/or subject groups to the exclusion list of a rate limiting
policy.
To assign more subjects or subject groups to the exclusion list:
1. On the Rate Limiting Policy—View/Edit page, click Assign more Subjects/Subject
Groups in the Exclusion List section.
2. On the Add to Exclusion List of Policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
3. On the Rate Limiting Policy—View/Edit page, click Save.
Assign More Subjects or Subject Groups to the Exclusion List—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the exclusion list.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the exclusion list. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the exclusion list and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the exclusion list. Click Delete to remove the selected IP or PROXY address from the exclusion list. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
Assign Type: Click the relevant option. The available options are:
  ApplyAll
  ApplyToEach
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the exclusion list. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Chapter 7: Managing Blacklist Policy
A blacklist policy restricts the subjects and subject groups assigned to it from accessing the
resources assigned to it.
You can create a blacklist policy and assign resources, subjects, and subject groups to it. You
can modify the resources, subjects, and subject groups that are assigned to a blacklist policy.
Please refer to Concepts and Overview for an example of the blacklist policy.
This topic contains the following subtopics:
Create a Blacklist Policy
View Blacklist Policy Details
Modify Blacklist Policy Details
For the actions you can perform on a policy, please refer to the relevant section:
View Summary of Policies
Search for Policy
Enable Policy
Disable Policy
Import Policy
Export Policy
Delete Policy
Deploy Policy
Create a Blacklist Policy
The Blacklist Policy—Create page enables you to create a blacklist policy. You have to assign at
least one resource to a blacklist policy while creating it.
To create a blacklist policy:
1. On the Blacklist Policy—Create page, type the name of the blacklist policy and its
description.
For more information on specific fields, refer to Create Blacklist Policy—Field Details.
2. Assign resources to the blacklist policy.
4. Click Create.
Assign Resources to the Blacklist Policy
You can assign resources to a blacklist policy at the operational level, at the service level, or at
the global level. When you assign resources at the global level, all the services and operations
are assigned to the policy. When you assign resources at the service level, all the operations
under the service are assigned to the policy. When you assign resources at the operation level,
you have to select the operations you want to assign to the policy.
To assign resources to a blacklist policy:
1. On the Blacklist Policy—Create page, select the relevant details in the Resources
section. For more information on specific fields, refer to Create Blacklist Policy—Field
Details.
2. Click Assign Resource.
Assigning a resource is part of the procedure required for creating a blacklist policy.
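The following Python sketch is an added example, not code from the Policy Administration Tool. It models how the three resource levels described above widen or narrow what a blacklist policy covers, and how a request is matched against the assigned subjects and subject groups. The class names, service and operation names, addresses, the expansion of a subject group into its members, and the rule that a disabled policy is not enforced are assumptions.

```python
from dataclasses import dataclass, field

GLOBAL, SERVICE, OPERATION = "Global Level", "Service Level", "Operation Level"


@dataclass(frozen=True)
class ResourceAssignment:
    level: str
    service: str = ""
    operations: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in (GLOBAL, SERVICE, OPERATION):
            raise ValueError("unknown level: " + self.level)
        if self.level != GLOBAL and not self.service:
            raise ValueError("service and operation levels need a service")
        if self.level == OPERATION and not self.operations:
            raise ValueError("operation level needs at least one operation")

    def covers(self, service, operation):
        if self.level == GLOBAL:
            return True              # all services and operations
        if self.service != service:
            return False
        if self.level == SERVICE:
            return True              # every operation under the service
        return operation in self.operations   # only the selected operations


@dataclass
class BlacklistPolicy:
    name: str
    resources: list
    subjects: set = field(default_factory=set)        # (subject type, value)
    subject_groups: set = field(default_factory=set)  # group names
    enabled: bool = True

    def __post_init__(self):
        # At least one resource has to be assigned when the policy is created.
        if not self.resources:
            raise ValueError("assign at least one resource")

    def applies_to(self, subject, group_members):
        """True if the subject is assigned directly or through a group."""
        if subject in self.subjects:
            return True
        return any(subject in group_members.get(group, ())
                   for group in self.subject_groups)

    def denies(self, subject, service, operation, group_members):
        """True if this policy restricts the subject from the resource."""
        if not self.enabled:         # assumption: disabled means not enforced
            return False
        if not self.applies_to(subject, group_members):
            return False
        return any(r.covers(service, operation) for r in self.resources)


if __name__ == "__main__":
    # Constructed sample data.
    groups = {"scrapers": {("IP", "198.51.100.9")}}
    policy = BlacklistPolicy(
        "block.scrapers",
        [ResourceAssignment(OPERATION, "SearchService", frozenset({"findItems"})),
         ResourceAssignment(SERVICE, "CheckoutService")],
        subjects={("IP", "203.0.113.7")},
        subject_groups={"scrapers"},
    )
    for op in ("findItems", "getItem"):
        print(op, policy.denies(("IP", "203.0.113.7"), "SearchService", op, groups))
```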
Create Blacklist Policy—Field Details
Field Details
Policy Name: The name of the blacklist policy you want to create. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the blacklist policy you are creating. You can type a maximum of 256 characters.
Resources
Level: The level at which you want to assign resources to the blacklist policy. The available options are:
  Operation Level
  Service Level
  Global Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
  Web (Web application)
  Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Resources section.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the blacklist policy you are creating. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
  Web (Web application)
  Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Resources section.
Assign Subjects or Subject Groups to Blacklist Policy
You can assign subjects and subject groups to a blacklist policy. This procedure explains the
process of assigning subjects and subject groups to a blacklist policy that has not been assigned
any subjects and subject groups. If a subject or subject group has already been assigned to a
blacklist policy, you can modify the existing subjects and subject groups or assign more subjects
and subject groups.
To assign subjects or subject groups to a blacklist policy:
1. On the Blacklist Policy—View/Edit page, enter the details as required in the Assigned
Subjects/Subject Groups section, and click Assign more Subjects/Subject Groups.
2. On the Blacklist Policy—View/Edit page, click Save.
Assign Subjects or Subject Groups to Blacklist Policy—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the blacklist policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the blacklist policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the blacklist policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the blacklist policy. You have to assign at least one IP or PROXY address, as applicable, to the blacklist policy. Click Delete to remove the selected IP or PROXY address from the blacklist policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the blacklist policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Submit a Trace Ticket for a Subject
You can submit a trace ticket to make a policy immediately effective for a subject. This option
is not available for a disabled policy. The system can make the policy change effective before
the configured 30 minutes, on an on-demand basis.
To submit a trace ticket:
1. On the Subject Groups—View/Edit page, modify the details as required.
OR You can also submit the trace ticket on the Subject Groups—Summary page using
the Submit a trace ticket right-click menu option.
2. Click Save.
3. Click Yes, I'd like to submit a ticket to do that now.
4. On the Submit a trace ticket to make policy effective immediately pop-up window,
enter the details as required, and click Submit.
For more information on specific fields, refer to Submit a Trace Ticket for a Subject—Field
Details.
You must know the pool name before you raise a ticket. The ticket is of the OPSVC
(Operations Service) type. You can log on to http://trace and check the status of your
ticket.
Submit a Trace Ticket for a Subject—Field Details
Field Details
Environment: The environment is Production or QA.
Pool Name: The name of the pool for refreshing the cache bean. It is a mandatory field.
Detail Info: The description of the action link to refresh the cache bean.
View Blacklist Policy Details
You can view the details of a blacklist policy, such as the resources and subject groups that are
assigned to it.
To view blacklist policy details:
On the All Policies—Summary page, click the name of the relevant blacklist policy, and
view its details.
You can also click View on the menu in the Actions column for a policy to view the policy
details.
View Blacklist Policy Details—Field Details
Field Details
Policy Information
Policy Name: The name of the blacklist policy.
Policy Description: The description of the blacklist policy.
Policy Status: The Policy Status field displays the status of the policy (enabled or disabled).
Resources
Click Assign another Resource to assign more resources to the blacklist policy.
Click Delete all to delete all existing resources that are assigned to the blacklist policy.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
  Web (Web application)
  Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Resources section.
Operations: The operations that are assigned to the blacklist policy. Click See All to view the list of all assigned operations.
Actions: Click Edit to modify the existing resource that is assigned to the blacklist policy. Click Delete to delete the existing resource that is assigned to the blacklist policy.
Assigned Subjects/Subject Groups
Click Assign more subjects/subject groups to assign more subjects and subject groups to
the blacklist policy.
Click Delete all to delete all the existing subjects and subject groups that are assigned to
the blacklist policy.
Subject Type: The type of the subjects and/or subject groups assigned to the blacklist policy.
Subjects: The subjects assigned to the blacklist policy. Click See All to view the list of all subjects that are assigned to the blacklist policy.
Subject Groups: The subject groups that are assigned to the blacklist policy. Click See All to view the list of all subject groups that are assigned to the blacklist policy.
Actions: Click Edit to modify the existing subjects and/or subject groups that are assigned to the blacklist policy. Click Delete to delete the existing subjects and subject groups that are assigned to the blacklist policy.
Modify Blacklist Policy Details
You can modify the details of a blacklist policy. You can also modify the resources, subjects, and
subject groups that are assigned to the blacklist policy.
To modify a blacklist policy:
1. On the All Policies—Summary page, click the name of the relevant blacklist policy, and
modify the details as required.
2. Click Save.
Modify Blacklist Policy Information
You can modify the name and description of a blacklist policy.
To modify blacklist policy information:
1. On the Blacklist Policy—View/Edit page, click Edit in the Policy Information section.
2. On the Edit Policy Information pop-up window, modify the policy information as
required, and click Add Changes.
3. On the Blacklist Policy—View/Edit page, click Save.
Modify Blacklist Policy Information—Field Details
Field Details
Policy Name: The name of the policy. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the policy. You can type a maximum of 256 characters.
Modify Assigned Resources
You can modify the resources that are assigned to a blacklist policy.
To modify assigned resources:
1. On the Blacklist Policy—View/Edit page, click Edit in the Resources section.
2. On the Edit Resource for Policy pop-up window, modify the assigned
resource as required, and click Add Changes.
3. On the Blacklist Policy—View/Edit page, click Save.
Modify Assigned Resources—Field Details
Field Details
Level: The level at which you want to modify resources. The available options are:
  Operation Level
  Service Level
  Global Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
  Web (Web application)
  Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the blacklist policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
  Web (Web application)
  Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the blacklist policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Modify Assigned Subjects or Subject Groups
You can modify the subjects and/or subject groups that are assigned to a blacklist policy.
To modify assigned subjects or subject groups:
1. On the Blacklist Policy—View/Edit page, click Edit corresponding to the relevant subject
type in the Assigned Subjects/Subject Groups section.
2. On the Edit Subjects/Subject Groups for Policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
3. On the Blacklist Policy—View/Edit page, click Save.
Modify Assigned Subjects or Subject Groups—Field Details
Field Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the blacklist policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the blacklist policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the blacklist policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the blacklist policy. You have to assign at least one IP or PROXY address, as applicable, to the blacklist policy. Click Delete to remove the selected IP or PROXY address from the blacklist policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the blacklist policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Assign More Resources
You can assign more resources to a blacklist policy.
To assign more resources to a blacklist policy:
1. On the Blacklist Policy—View/Edit page, click Assign another Resource in the Resources
section.
2. On the Add Resource to Policy pop-up window, add the relevant resource
as required, and click Add Changes.
3. On the Blacklist Policy—View/Edit page, click Save.
Assign More Resources—Field Details
Field: Details
Level: The level at which you want to assign resources. The available options are:
o Operation Level
o Service Level
o Global Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Add Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the blacklist policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Add Resource pop-up window.
Assign More Subjects or Subject Groups
You can assign more subjects and/or subject groups to a blacklist policy.
To assign more subjects or subject groups to a blacklist policy:
1. On the Blacklist Policy—View/Edit page, click Assign more subjects/subject groups in the
Assigned Subjects/Subject Groups section.
2. On the Edit Subjects/Subject Groups to Policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
For more information on specific fields, refer to Assign More Subjects or Subject
Groups—Field Details.
3. On the Blacklist Policy—View/Edit page, click Save.
Assign More Subjects or Subject Groups—Field Details
Field: Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the blacklist policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the blacklist policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the blacklist policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the blacklist policy. You have to assign at least one IP or PROXY address, as applicable, to the blacklist policy. Click Delete to remove the selected IP or PROXY address from the blacklist policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the blacklist policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Chapter 8: Managing Whitelist Policy
The whitelist policy allows the subjects and subject groups assigned to it to access the resources
assigned to it.
You can create a whitelist policy and assign resources, subjects, and subject groups to it. You
can modify the resources, subjects, and subject groups that are assigned to a whitelist policy.
This topic contains the following subtopics:
o Create Whitelist Policy
o View Whitelist Policy Details
o Modify Whitelist Policy Details
For the actions you can perform on a policy, please refer to the relevant section:
o View Summary of Policies
o Search for Policy
o Enable Policy
o Disable Policy
o Import Policy
o Export Policy
o Delete Policy
o Deploy Policy
Create Whitelist Policy
The Whitelist Policy—Create page enables you to create a whitelist policy. You have to assign
at least one resource to a whitelist policy while creating it.
To create a whitelist policy:
1. On the Whitelist Policy—Create page, type the name of the whitelist policy and its
description.
For more information on specific fields, refer to Create Whitelist Policy—Field Details.
2. Assign resources to the whitelist policy.
3. Click Create.
Assign Resources to the Whitelist Policy
You can assign resources to a whitelist policy at the operational level, at the service level, or at
the global level. When you assign resources at the global level, all the services and operations
are assigned to the policy. When you assign resources at the service level, all the operations
under the service are assigned to the policy. When you assign resources at the operation level,
you have to select the operations you want to assign to the policy.
To assign resources to a whitelist policy:
1. On the Whitelist Policy—Create page, select the relevant details in the Resources
section.
For more information on specific fields, refer to Create Whitelist Policy—Field Details.
2. Click Assign Resource.
Assigning a resource is part of the procedure required for creating a whitelist policy.
Create Whitelist Policy—Field Details
Field: Details
Policy Name: The name of the whitelist policy you want to create. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the whitelist policy you are creating. You can type a maximum of 256 characters.
Resources
Level: The level at which you want to assign resources to the whitelist policy. The available options are:
o Operation Level
o Service Level
o Global Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Resource section.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the whitelist policy you are creating. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Resource section.
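The field rules and the three resource levels described above, as an added Python example that is not part of the original guide or the tool's own code: it validates a draft whitelist policy and expands its resource assignments into the operations they actually cover, which is the view a reviewer needs before a broad assignment is saved. The class and function names and the sample service catalog are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Field rules taken from the Create Whitelist Policy field details.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")
MAX_DESCRIPTION = 256
LEVELS = ("GLOBAL", "SERVICE", "OPERATION")


@dataclass(frozen=True)
class ResourceAssignment:
    """One resource row of a policy (hypothetical model, not the tool's schema)."""
    level: str
    service: str = ""                      # ignored at GLOBAL level
    operations: frozenset = frozenset()    # used only at OPERATION level


@dataclass
class WhitelistPolicy:
    name: str
    description: str = ""
    resources: list = field(default_factory=list)


def validate(policy, catalog):
    """Return a list of problems; an empty list means the draft is well formed."""
    problems = []
    if not POLICY_NAME_RE.fullmatch(policy.name):
        problems.append("name must be 1-128 characters of a-z A-Z 0-9 . _ -")
    if len(policy.description) > MAX_DESCRIPTION:
        problems.append("description exceeds 256 characters")
    if not policy.resources:
        problems.append("at least one resource must be assigned")
    for res in policy.resources:
        if res.level not in LEVELS:
            problems.append(f"unknown level {res.level!r}")
        elif res.level == "GLOBAL":
            continue
        elif res.service not in catalog:
            problems.append(f"service {res.service!r} is not in the catalog")
        elif res.level == "OPERATION":
            if not res.operations:
                problems.append(f"{res.service}: no operations selected")
            for op in sorted(res.operations - catalog[res.service]):
                problems.append(f"{res.service}: unknown operation {op!r}")
    return problems


def covered(policy, catalog):
    """Expand the assignments into the set of (service, operation) pairs."""
    pairs = set()
    for res in policy.resources:
        if res.level == "GLOBAL":          # every service and operation
            pairs |= {(s, op) for s, ops in catalog.items() for op in ops}
        elif res.level == "SERVICE":       # every operation under the service
            pairs |= {(res.service, op) for op in catalog.get(res.service, ())}
        elif res.level == "OPERATION":     # only the selected operations
            pairs |= {(res.service, op) for op in res.operations}
    return pairs


def redundant(policy, catalog):
    """Assignments already covered by the policy's other assignments."""
    out = []
    for i, res in enumerate(policy.resources):
        rest = policy.resources[:i] + policy.resources[i + 1:]
        mine = covered(WhitelistPolicy(policy.name, "", [res]), catalog)
        if mine and mine <= covered(WhitelistPolicy(policy.name, "", rest), catalog):
            out.append(res)
    return out


# Constructed sample catalog of services and their operations.
CATALOG = {
    "OrderService": {"getOrder", "cancelOrder"},
    "CatalogService": {"search"},
}

if __name__ == "__main__":
    draft = WhitelistPolicy(
        "orders.read-only_v1", "Read access for the reporting pool",
        [ResourceAssignment("OPERATION", "OrderService", frozenset({"getOrder"})),
         ResourceAssignment("SERVICE", "OrderService")])
    print(validate(draft, CATALOG))
    print(sorted(covered(draft, CATALOG)))
    print(redundant(draft, CATALOG))
```

In the sample draft the operation-level row is reported as redundant because the service-level row on the same service already covers it.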
Assign Subjects or Subject Groups to Whitelist Policy
You can assign subjects and subject groups to a whitelist policy. This procedure explains the
process of assigning subjects or subject groups to a whitelist policy that has not been assigned
any subjects and subject groups. If a subject or subject group has already been assigned to a
whitelist policy, you can modify the existing subjects and subject groups or assign more subjects
and subject groups.
To assign subjects or subject groups to a whitelist policy:
1. On the Whitelist Policy—View/Edit page, enter the details as required in the Assign
Subjects/Subject Groups section, and click Assign Subjects/Subject Groups.
2. On the Whitelist Policy—View/Edit page, click Save.
Assign Subjects or Subject Groups to Whitelist Policy—Field Details
Field: Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the whitelist policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the whitelist policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the whitelist policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the whitelist policy. You have to assign at least one IP or PROXY address, as applicable, to the whitelist policy. Click Delete to remove the selected IP or PROXY address from the whitelist policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the whitelist policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Submit a Trace Ticket for a Subject
You can submit a trace ticket to make a policy immediately effective for a subject. This option
is not available for a disabled policy. The system can make the policy change effective before
the configured 30 minutes, on an on-demand basis.
To submit a trace ticket:
1. On the Subject Groups—View/Edit page, modify the details as required.
OR
You can also submit the trace ticket on the Subject Groups—Summary page using
the Submit a trace ticket right-click menu option.
2. Click Save.
3. Click Yes, I'd like to submit a ticket to do that now.
On the Submit a trace ticket to make policy effective immediately pop-up window, enter the
details as required, and click Submit. For more information on specific fields, refer to Submit a
Trace Ticket for a Subject—Field Details.
You must know the pool name before you raise a ticket. The ticket is of the OPSVC (Operations
Service) type. You can log on to http://trace and check the status of your ticket.
Submit a Trace Ticket for a Subject—Field Details
Field: Details
Environment: The environment is Production or QA.
Pool Name: The name of the pool for refreshing the cache bean. It is a mandatory field.
Detail Info: The description of the action link to refresh the cache bean.
View Whitelist Policy Details
You can view the details of a whitelist policy, such as the resources and subject groups that are
assigned to it.
To view whitelist policy details:
On the All Policies menu, click the name of the relevant whitelist policy, and view its
details.
You can also click View on the menu in the Actions column for a policy to view the
policy details.
View Whitelist Policy Details—Field Details
Field: Details
Policy Information
Policy Name: The name of the whitelist policy.
Policy Description: The description of the whitelist policy.
Policy Status: The Policy Status field displays the status of the policy (enabled or disabled).
Resources
Click Assign another Resource to assign more resources to the whitelist policy.
Click Delete all to delete all existing resources that are assigned to the whitelist policy.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Resource section.
Operations: The operations that are assigned to the whitelist policy. Click See All to view the list of all assigned operations.
Actions: Click Edit to modify the existing resource that is assigned to the whitelist policy. Click Delete to delete the existing resource that is assigned to the whitelist policy.
Assigned Subjects/Subject Groups
Click Assign more subjects/subject groups to assign more subjects and subject groups to the whitelist policy.
Click Delete all to delete all the existing subjects and subject groups that are assigned to the whitelist policy.
Subject Type: The type of the subjects and/or subject groups assigned to the whitelist policy.
Subjects: The subjects assigned to the whitelist policy. Click See All to view the list of all subjects that are assigned to the whitelist policy.
Subject Groups: The subject groups that are assigned to the whitelist policy. Click See All to view the list of all subject groups that are assigned to the whitelist policy.
Actions: Click Edit to modify the existing subjects and/or subject groups that are assigned to the whitelist policy. Click Delete to delete the existing subjects and subject groups that are assigned to the whitelist policy.
Modify Whitelist Policy Details
You can modify the details of a whitelist policy. You can also modify the resources, subjects,
and subject groups that are assigned to the whitelist policy.
To modify a whitelist policy:
1. On the All Policies—Summary page, click the name of the relevant whitelist policy, and
modify the details as required.
2. Click Save.
Modify Whitelist Policy Information
You can modify the name and description of a whitelist policy.
To modify whitelist policy information:
1. On the Whitelist Policy—View/Edit page, click Edit in the Policy Information
section.
2. On the Edit Policy Information pop-up window, modify the policy information as
required, and click Add Changes.
3. On the Whitelist Policy—View/Edit page, click Save.
Modify Whitelist Policy Information—Field Details
Field: Details
Policy Name: The name of the policy. You can type a maximum of 128 characters including a-z, A-Z, 0-9, period (.), underscore (_), and hyphen (-).
Policy Description: The description of the policy. You can type a maximum of 256 characters.
Modify Assigned Resources
You can modify the resources that are assigned to a whitelist policy.
To modify assigned resources:
1. On the Whitelist Policy—View/Edit page, click Edit in the Resources section.
2. On the Edit Resource for Policy pop-up window, modify the assigned
resource as required, and click Add Changes.
3. On the Whitelist Policy—View/Edit page, click Save.
Modify Assigned Resources—Field Details
Field: Details
Level: The level at which you want to modify resources. The available options are:
o Operation Level
o Service Level
o Global Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the whitelist policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the whitelist policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Modify Assigned Subjects or Subject Groups
You can modify the subjects and/or subject groups that are assigned to a whitelist policy.
To modify assigned subjects or subject groups:
1. On the Whitelist Policy—View/Edit page, click Edit corresponding to the relevant
subject type in the Assigned Subjects/Subject Groups section.
2. On the Edit Subjects/Subject Groups for Policy pop-up window, modify
the subjects or subject groups as required, and click Add Changes.
3. On the Whitelist Policy—View/Edit page, click Save.
Modify Assigned Subjects or Subject Groups—Field Details
Field: Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the whitelist policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the whitelist policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the whitelist policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the whitelist policy. You have to assign at least one IP or PROXY address, as applicable, to the whitelist policy. Click Delete to remove the selected IP or PROXY address from the whitelist policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of all subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the whitelist policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Assign More Resources
You can assign more resources to a whitelist policy.
To assign more resources to a whitelist policy:
1. On the Whitelist Policy—View/Edit page, click Assign another Resource in the
Resources section.
2. On the Add Resource to Policy pop-up window, add the relevant
resource as required, and click Add Changes.
3. On the Whitelist Policy—View/Edit page, click Save.
Assign More Resources—Field Details
Field: Details
Level: The level at which you want to assign resources. The available options are:
o Operation Level
o Service Level
o Global Level
Level—Operation Level
These fields appear when you click Operation Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Edit Resource pop-up window.
List of all Operations: The list of all operations corresponding to the selected service. Select an operation and click to move it to Selected Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Selected Operations: The operations that you want to assign to the whitelist policy. Select an operation and click to move it to List of all Operations. You can select more than one operation by pressing CTRL and clicking the relevant operations.
Level—Service Level
These fields appear when you click Service Level in the Level list.
Resource Type: The resource type that is assigned to the policy that you are searching. You can filter policies under the following resource types:
o Web (Web application)
o Service (Web service)
Resource: The name of the resource that is assigned to the policy that you are searching. To distinguish among the service names under different domains: Click Click here for details in the Edit Resource pop-up window.
Assign More Subjects or Subject Groups
You can assign more subjects and/or subject groups to a whitelist policy.
To assign more subjects or subject groups to a whitelist policy:
1. On the Whitelist Policy—View/Edit page, click Assign more subjects/subject groups in
the Assigned Subjects/Subject Groups section.
2. On the Add Subjects/Subject Groups to Policy pop-up window, modify
the subject or subject groups as required, and click Add Changes.
3. On the Whitelist Policy—View/Edit page, click Save.
Assign More Subjects or Subject Groups—Field Details
Field: Details
Subject Type: The type of subjects and/or subject groups that you want to assign to the whitelist policy.
Assign Subjects
Box adjacent to Search: Type the name of a subject and click Search. Partial search is supported. The subjects that match the search criteria appear in List of all Subjects.
List of all Subjects: The subjects that match the search criteria. Select the required subject from the list of subjects and click to move it to Selected Subjects.
Selected Subjects: The subjects that you want to assign to the whitelist policy. Select a subject and click to move it to List of all Subjects. You can select more than one subject by pressing CTRL and clicking the relevant subjects.
Box adjacent to Add: Type the IP or PROXY address that you want to assign to the whitelist policy and click Add. The IP or PROXY address appears in Added List. This box is available only when you click IP or PROXY in Subject Type.
Added List: The list of IP or PROXY addresses that you want to assign to the whitelist policy. You have to assign at least one IP or PROXY address, as applicable, to the whitelist policy. Click Delete to remove the selected IP or PROXY address from the whitelist policy. This box is available only when you click IP or PROXY in Subject Type.
Assign Subject Groups
List of all Subject Groups: The list of subject groups of the selected subject type. Select a subject group and click to move it to Selected Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Selected Subject Groups: The list of subject groups that you want to assign to the whitelist policy. Select a subject group and click to move it to List of all Subject Groups. You can select more than one subject group by pressing CTRL and clicking the relevant subject groups.
Chapter 9: Deploying and Promoting Policies
The SOA Policy Administration tool keeps track of all changes made to the subjects, subject
groups, and policies. You can view the changes made by Admin Users between specific dates.
The tool provides filtering options for viewing specific types of changes. Please note that
searching for changes for a specific policy name or a subject/subject group value is not
supported in this release. It will be considered in a future release.
This feature is available to the Admin User and the Guest User.
To view the change history:
o Go to the Change History—View page to view the history of changes.
View Change History—Field Details
Chapter 10: Seeding Resources
You cannot create services and operations within the SOA Policy Administration tool. Services
and operations have to be seeded by the SOA team. This is to ensure governance of the
integrity of services and their operations in the Staging and Production environments that the
tool currently supports.
If you need to seed your service and/or operations, please contact DL-ebay-SOAPolicyTeam
with the following details:
1. Your name
2. Your manager's name
3. Service name
4. Operation name(s)
5. Environment (Staging or Production)
A member from the SOA team will contact you if more details are needed, and with a
confirmation when your request has been processed.
Chapter 11: Deploying and Promoting Policies
The SOA Policy Administration tool offers two environments where you can deploy policies—
Staging and Production.
You have to create a policy in the environment in which you want to deploy the policy. In other
words, the tool does not support migration or promotion of policies from one environment to
another. Contact DL-ebay-SOAPolicyTeam if you have any questions or need more details.
Recommended usage of the environments is as follows:
o Staging: Test policy in preproduction
o Production: Implement the policy for live services in production
Chapter 12: Configuring Service at Run Time for Policies
Enforcing a policy at run time involves configuring the corresponding service into the SOA
pipeline.
Authorization Policy
To enforce the Authorization Policy at run time, you have to configure the SOA Authorization
Service into the SOA pipeline.
Refer to the following link for further details:
https://wiki2.arch.ebay.com/confluence/display/SOADOC/3.2+Authorization+Service
Rate Limiting Policy
To enforce the Rate Limiting Policy at run time, you have to configure the SOA Rate Limiter
Service into the SOA pipeline.
Refer to the following link for further details:
https://wiki2.arch.ebay.com/confluence/display/SOADOC/3.6+RateLimiting+Service
Blacklist Policy
To enforce the Blacklist Policy at run time, you have to configure the SOA Blacklist Service and
SOA Rate Limiter Service into the SOA pipeline.
Refer to the following link for further details:
https://wiki2.arch.ebay.com/confluence/display/SOADOC/5+Blacklist+Service
Whitelist Policy
To enforce the Whitelist Policy at run time, you have to configure the SOA Whitelist Service and
SOA Rate Limiter Service into the SOA pipeline.
Refer to the following link for further details:
https://wiki2.arch.ebay.com/confluence/display/SOADOC/4+Whitelist+Service
Chapter 13: FAQs and Troubleshooting
The following is a list of frequently asked questions (FAQs) about the SOA Policy Administration
tool.
1. What is the SOA Policy Administration tool for? What is the best way for me to get an
overview of the tool?
Please read the Concepts and Overview chapter. It provides a short overview of the tool.
2. Where can I get some examples of policies?
Please read the Concepts and Overview chapter. It will provide you with policy concepts,
definitions, and examples.
3. How can I get training on using the tool?
Please send an e-mail to DL-ebay-SOAPolicyTeam with a request for training.
4. When I log on, I seem to be getting only a read-only view. How can I get access to
create and edit operations?
Users other than Admin Users can access all pages in read-only mode. To get Admin
User rights, please send an e-mail to DL-ebay-SOAPolicyTeam.
5. Before I create or enable my policy, do I have to ensure that my service has the run-time
SOA handlers configured?
Yes, you need to ensure that your service has the correct handlers configured before you
enable your policy; otherwise the policy will not be evaluated. Please read the chapter
Configuring Service at Run Time for Policies for more details.
6. My service is not showing up in the services drop-down. Why is that? How can I get
my service to show up in the drop-down?
Please read the chapter Seeding Resources for an explanation on how you can seed your
service in the tool.
7. How can I submit feedback on the tool? I have some requirements for the SOA team.
Please click the Submit Feedback link in the header of the tool, or you can send an e-mail
to DL-ebay-SOAPolicyTeam. The Product Manager of SOA Platform will contact you
for further details.
8. What is the change in functionality when a user other than the Admin User logs on to
the tool?
Users other than the Admin User can access all pages in read-only mode. In other
words, the users will be able to view the existing pages in the tool but will not be able to
perform any actions on the subject groups and policies.
9. Are the fields available in the Search Options section dependent on the user role?
No. The fields available in Search Options are the same for all users.
10. What is the significance of the Global Level option in Blacklist and Whitelist policies?
The Global Level for a whitelist policy implies that all the subjects/subject groups
assigned to the policy CAN access all the services and the operations under the services.
The Global Level for a blacklist policy implies that all the subjects/subject groups
assigned to the policy CANNOT access any of the services and the operations under the
services.
11. What is the relevance of the Effect Duration field in the Rate Limiting Policy?
Effect Duration is the length of time the trigger remains in the cache after the rate
limiting (RL) rule is violated. While the trigger is cached, the effect is returned to
the application server whenever it queries the rate limiting policy.
12. What is the relevance of the Rollover Period field in the Rate Limiting Policy?
Rollover Period is the duration of time during which the rate limiting policy backend
server will keep accumulating counts for subjects accessing services/operations. When
the period is up, the data store is reset and the counting starts afresh.
13. What is the relevance of the Effect field in the Rate Limiting Policy?
Effect is returned to the application server by the rate limiting policy frontend server
from one of the triggered rules in the cache. The corresponding rule's name is also
returned in the same response. Effect may have the values "BLOCK," "CHALLENGE," or
"FLAG" in decreasing order of severity.
14. Are the Apply All and Apply To Each options available for all policies?
The Apply All and Apply To Each options are available only for the Rate Limiting policy.
These options are not available for the other policies.
15. What is the relevance of the Apply All and Apply To Each options in the Rate Limiting
Policy?
Rate Limiting supports subject grouping. A rule may apply to individual subjects
(implied) and subject groups (Apply All). It may alternatively apply to each member
subject of a subject group (Apply Each). In the latter case, both the subject and the
subject groups to which the particular subject belongs are provided for rule evaluation.
16. How does the Calculated Subject Group option work?
o The Calculated Subject Group option on the Create page coexists with Assigned
Group. Therefore, when you click on the Create button, only the option that you
select will be stored in the database.
o On the View/Edit page, a confirmation message will appear to verify that you
want to switch from an Assigned Group to Calculated Group and vice versa,
since the subject group is already created (unlike for the Create page). Both the
options coexist in the page as long as you do not submit the page. After you
submit the page and confirm your choice, the relevant option is stored in the
database.
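The Rate Limiting fields from questions 11 to 13 (Rollover Period, Effect Duration, Effect) interact as in the following added Python sketch, which is not code from the tool or from this guide. The rule form (a hit limit per rollover period), picking the most severe live trigger, refreshing the trigger on each further violation, and the subject and rule names are assumptions.

```python
from dataclasses import dataclass

SEVERITY = {"FLAG": 1, "CHALLENGE": 2, "BLOCK": 3}  # guide: BLOCK > CHALLENGE > FLAG

@dataclass
class Rule:
    name: str
    limit: int            # assumed rule form: max hits per rollover period
    rollover_period: int  # seconds over which counts accumulate before reset
    effect: str           # "BLOCK", "CHALLENGE" or "FLAG"
    effect_duration: int  # seconds the trigger stays cached after a violation

class RateLimiter:
    def __init__(self, rules):
        self.rules = rules
        self.counts = {}    # (rule, subject, window index) -> hits
        self.triggers = {}  # (rule, subject) -> time the cached trigger expires

    def hit(self, subject, now):
        """Backend side: count one access, cache a trigger on violation."""
        for r in self.rules:
            window = now // r.rollover_period  # new window: counting starts afresh
            key = (r.name, subject, window)
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] > r.limit:
                # Assumption: every further violation refreshes the trigger.
                self.triggers[(r.name, subject)] = now + r.effect_duration

    def query(self, subject, now):
        """Frontend side: (effect, rule name) from a live trigger, else None."""
        live = [r for r in self.rules
                if self.triggers.get((r.name, subject), 0) > now]
        if not live:
            return None
        # Assumption: most severe live trigger wins; the guide says only "one of".
        worst = max(live, key=lambda r: SEVERITY[r.effect])
        return worst.effect, worst.name

def demo():
    rl = RateLimiter([Rule("flag-5-per-min", 5, 60, "FLAG", 30),
                      Rule("block-8-per-min", 8, 60, "BLOCK", 120)])
    seen = []
    for t in range(10):  # constructed traffic: one subject, one hit per second
        rl.hit("app-123", t)
        seen.append(rl.query("app-123", t))
    # The BLOCK trigger outlives the rollover reset at t=60 and expires at t=129.
    later = [rl.query("app-123", t) for t in (61, 128, 129)]
    return seen, later
```
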