Referral Policy

A Realm Administrator or Policy Administrator at the root or top level of the Access Manager information tree can create policy for any resource. A referral policy enables a Realm Administrator or a Policy Administrator to delegate policy configuration tasks. A referral policy delegates both policy creation and policy evaluation, and consists of one or more rules and one or more referrals.

• A rule defines the resource whose policy creation or evaluation is being referred.

• A referral defines the identity object to which the policy creation or evaluation is being referred.

Referral policies delegate policy management privileges to another entity such as a peer realm, a subrealm, or even a third-party product. (You can implement custom referrals by using the Policy APIs.) For example, a top-level realm exists named ISP. It contains two subrealms: company1 and company2. The Top-Level Administrator for ISP can delegate policy management privileges so that a Realm Administrator in company1 can create and manage policies only within thecompany1 realm, and a Realm Administrator in company2 can create and manage policies only within the company2 realm. To do this, the Top-Level Administrator creates two referral policies, defining the appropriate realm in the rule and the appropriate administrator in the referral.

An administrator or Policy Administrator for realms configured below the root level of the Access Manager information tree have permission to create policies only for resources delegated to that realm.