Access Control Realms

You create an access control realm when you want to apply policies to a group of related services or servers. An Access Manager realm is a group of authentication and authorization properties that you can associate with a user or group of users, or a collection of protected resources. For example, you can create a realm that groups all servers and services that are accessed regularly by your employees in one region. Within that regional grouping or realm, you can group all servers and services accessed regularly by employees in a specific division such as Human Resources. For example, a policy might state that all Human Resources administrators can access the URL http://HR.example.com/HRadmins/index.html. You might add constraints to this policy. For example: The policy is applicable only Monday through Friday from 9:00 a.m. through 5:00 p.m.

Realm data is stored in an Access Manager information tree. Realms facilitate the delegation of policy management privileges within a realm hierarchy.

Figure 4–1 Access Manager Information Tree

Access Manager Information Tree

Access Manager creates a special and proprietary branch in a data store such as an LDAP directory for storing realm configurations, authentication properties, and authorization policies. This directory can be different from the directory hosting the Access Manager Identity Repository. Together the realms form the Access Manager information tree. The Access Manager information tree is separate from the user branch in the Identity Repository.

Figure 4–2 Access Manager Information Tree Within an Identity Repository

Access Manager components and plug-ins access the data stored in the Access Manager information tree, and use data for various purposes. The following are some examples:

• Policy runtime accesses policy data for policy evaluation.

• Identity Repository plug-in finds configuration information for data stores.

• Authentication Service finds authentication configuration information.