Labs

June 12, 2000


All-In-One Security

Conclave lets you set security policies

By Asad Irshad

Related links from our sister publications:

  • Network Computing Enterprise Security (5/15/00)

  • InternetWeek Security Strategies (5/29/00)

Internet Dynamics Inc.'s Conclave Policy Server 3.0 is positioned as an all-in-one security solution. Conclave 3.0 works with your existing authentication infrastructure to provide controlled access to restricted resources, and to centralize administration it integrates with policy-enabled applications, Web servers, databases, and virtual private network devices.

With Conclave 3.0, you policy-enable your enterprise instead of managing a separate access-control list and user database for each application. That eliminates much of the time and cost of administering user accounts, permissions, and resources, and it removes the per-application drift that usually leaves one server more permissive than the rest.

Implementing a policy takes three steps. First, create user groups, the objects that identify who will access application resources. Second, create information sets, which define what resources those groups may access. Third, bind user groups to the appropriate information sets; each binding is a policy.

I tested a late beta version of Internet Dynamics' Conclave Policy Server 3.0 and set about creating a policy with the program.

User groups are arranged in a hierarchical tree, and settings inherit down the branches. For example, when I created a user group called Finance Department under the Department branch, all the permissions and settings that I set for Department were automatically applied to all subbranches, including Finance Department.

Creating a user group is a two-step process: First you decide where to place the group in the hierarchy, then you decide how its members will be authenticated. Authentication options include an X.509 certificate, a Microsoft Windows ID, an authentication token, a Lightweight Directory Access Protocol (LDAP) directory, a RADIUS (Remote Authentication Dial-In User Service) identity, and an Internet Key Exchange shared secret. Note that the authentication method isn't necessarily inherited down the tree the way permissions are; where a group doesn't define one, check what it actually ends up with rather than assuming it picked up its parent's.

I tried a combination of authentication techniques. I was able to create a user group by department and used my Windows NT domain for authentication. I also created a user group that let clients access certain pages on my Microsoft Internet Information Server (IIS) Web server, depending on the client's IP address.

I then set up a group that allowed access to some Web pages on my IIS server using LDAP directory authentication. The LDAP directory was at a remote location, and I had to bind it to the Conclave Policy Server, which was quick and painless. After setting up authentication for several user groups, all I had to do was drag and drop them into the hierarchical tree.

After setting up Conclave user groups, I moved on to information sets, which are collections of related application resources. Because information sets have a hierarchical tree structure like that of user groups, you can nest them for a finer level of organization.

I made use of an optional Conclave Policy Plug-In for IIS and then policy-enabled several Web pages in various locations. Using different information sets, I defined all the Web pages and their image files in every location. I had to make sure that I included all the Web site's resources and that images and linked pages were defined properly, because Conclave Policy Server denies any file that isn't defined in an information set or isn't granted by a policy; the default is deny. For example, if a user group doesn't have access to the information sets that include the images of an allowed Web page, the images won't show up. The same rule applies to the pages it links to. After defining information sets, I had to drag and drop the application resources I had defined onto the relevant information set.

Once I had created user groups and information sets, setting up policies was easy. All I had to do was drag a specific user group onto the information set I had created earlier. There's also a spreadsheet view listing all the policies I had defined; it's color-coded, so I could scan it quickly and see which resources had been allocated to whom.
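To make the three-step model concrete, and to show the default-deny behaviour that hid the images in the test above, here is an added example: a small policy engine written for this description, not Conclave's own code. It models a group tree whose permissions inherit down the branches, nestable information sets of resource patterns, policies that bind a group to a set, and a decision that denies anything no set defines or no policy grants. Membership is decided from the attributes collected at authentication (a Windows NT domain and group, or a client IP address; the attribute keys, group names, URL patterns and sample callers are all assumptions). Every decision returns the reason alongside the verdict, which is exactly what you want in the access log when a client is turned away.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# A dossier: attributes collected at authentication (the keys used below are assumptions).
Dossier = Dict[str, str]


@dataclass
class UserGroup:
    name: str
    matches: Callable[[Dossier], bool]    # membership test against the dossier
    parent: Optional["UserGroup"] = None  # position in the group tree

    def lineage(self) -> List["UserGroup"]:
        """This group plus every ancestor: permissions inherit down the branches."""
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out


@dataclass
class InfoSet:
    name: str
    patterns: List[str] = field(default_factory=list)      # glob patterns on resource paths
    children: List["InfoSet"] = field(default_factory=list)

    def contains(self, resource: str) -> bool:
        """A set covers its own patterns and (assumption) everything in nested sets."""
        return any(fnmatch(resource, p) for p in self.patterns) or any(
            c.contains(resource) for c in self.children)

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


class PolicyServer:
    def __init__(self, groups: List[UserGroup], infosets: List[InfoSet],
                 policies: List[Tuple[str, str]]):
        self.groups = groups          # every group, any order
        self.policies = policies      # (group name, information set name) bindings
        self._sets = {s.name: s for top in infosets for s in top.walk()}

    def decide(self, dossier: Dossier, resource: str) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is what a useful access log would record."""
        # 1. Default deny: a resource that no information set defines is never served.
        if not any(s.contains(resource) for s in self._sets.values()):
            return False, f"deny {resource}: not defined in any information set"
        # 2. Groups the caller matches, plus their ancestors (inherited permissions).
        effective = {a.name for g in self.groups if g.matches(dossier) for a in g.lineage()}
        # 3. The first policy binding an effective group to a set covering the resource wins.
        for group_name, set_name in self.policies:
            if group_name in effective and self._sets[set_name].contains(resource):
                return True, f"allow {resource}: policy {group_name} -> {set_name}"
        return False, f"deny {resource}: defined, but no policy grants it to {sorted(effective)}"


def build_server() -> PolicyServer:
    """Constructed sample configuration; the names and paths are assumptions."""
    everyone = UserGroup("Everyone", lambda d: True)
    department = UserGroup("Department", lambda d: d.get("nt_domain") == "CORP", everyone)
    finance = UserGroup("Finance Department", lambda d: d.get("nt_group") == "Finance", department)
    intranet_clients = UserGroup(
        "Intranet Clients",
        lambda d: "ip" in d and ip_address(d["ip"]) in ip_network("10.0.0.0/8"), everyone)

    # The public pages nest their image set, so granting "Intranet" also grants the images.
    intranet = InfoSet("Intranet", ["/index.html", "/news/*.html"],
                       [InfoSet("Intranet Images", ["/images/*"])])
    # The finance images sit in a separate, un-nested set that no policy below grants.
    finance_pages = InfoSet("Finance Pages", ["/finance/*.html"])
    finance_images = InfoSet("Finance Images", ["/finance/images/*"])

    policies = [("Department", "Intranet"),
                ("Intranet Clients", "Intranet"),
                ("Finance Department", "Finance Pages")]
    return PolicyServer([everyone, department, finance, intranet_clients],
                        [intranet, finance_pages, finance_images], policies)


if __name__ == "__main__":
    server = build_server()
    finance_user = {"nt_group": "Finance"}   # matches only the Finance Department leaf
    lan_guest = {"ip": "10.5.5.5"}           # matched by client IP address only
    outsider = {"ip": "192.0.2.9"}
    for who, path in [(finance_user, "/index.html"),               # allowed via inheritance
                      (finance_user, "/finance/report.html"),
                      (finance_user, "/finance/images/logo.gif"),  # the missing-image case
                      (lan_guest, "/images/banner.gif"),
                      (outsider, "/index.html"),
                      (outsider, "/secret/plan.txt")]:
        print(server.decide(who, path)[1])
```

The finance user is matched only by the Finance Department leaf, yet gets /index.html because the Department-to-Intranet policy is inherited from the parent branch; the same user is refused /finance/images/logo.gif because Finance Images was defined but never bound to a group, which is the broken-image symptom from the IIS test. The outsider's request for /secret/plan.txt fails earlier, on "not defined in any information set", so a log reader can tell an undefined resource from an ungranted one.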

The Conclave Policy Server comes with a SQL-based software development kit called the Virtual Database, offered as an alternative to a C-style SDK. Using the Virtual Database, I was able to integrate any application that uses a SQL interface with the Conclave Policy Server. The Virtual Database emulates Microsoft SQL Server 4.2 and Oracle, and it can also accept text-based SQL queries over raw SQL sockets, which helps if your application doesn't support the Microsoft or Oracle SQL dialects. It generates SQL syntax and publishes schemas, so the authentication and access-control code and data that an application would otherwise carry itself can be replaced by a single policy query.

Conclave Policy Server builds a user profile by collecting attributes during authentication. This time-limited identity is called the Dossier. I was able to add several LDAP queries to build a profile. The Dossier is a helpful feature that lets you customize a user's profile at authentication time.

Conclave comes with a log viewer and logs all policy-server activity, but it lacks in-depth analysis. When one of my clients was denied access to my IIS Web server, I wasn't able to figure out exactly why. Internet Dynamics assured me that the shipping release would have improved logging, including logging of the Virtual Database. -Asad Irshad for Network Computing

Asad Irshad is a freelance writer in Syracuse, N.Y., and can be reached at airshad@syr.edu.
