A referral policy enables a Realm Administrator or a Policy Administrator to delegate policy configuration tasks. A Realm Administrator or Policy Administrator at the root or top level of the Access Manager information tree can create policy for any resource. A Realm Administrator or Policy Administrator for a realm below the top level has permission to create policies only for the resources delegated to that realm. The Realm Administrator or Policy Administrator can use referral policies to delegate policy management privileges for a collection of resources to other realms.
You can implement custom referrals by using the Policy APIs. Access Manager provides the following referrals:
An administrator can delegate policy management privileges to a peer realm.
An administrator can delegate policy management privileges to a subrealm.
A referral policy delegates both policy creation and policy evaluation. A referral policy consists of one or more rules and one or more referrals.
A rule defines the resource whose policy creation or evaluation is being referred.
A referral defines the identity object to which the policy creation or evaluation is being referred.
For example, a top-level realm named ISP exists. It contains two subrealms named company1 and company2. The Top-Level Administrator for ISP wants to delegate policy management privileges so that a Realm Administrator in company1 can create and manage policies only within the company1 realm, and a Realm Administrator in company2 can create and manage policies only within the company2 realm. The Top-Level Administrator creates two referral policies:
Referral Policy 1
Resource Name: http://company1.com
Subrealm Referral Value: company1
Referral Policy 2
Resource Name: http://company2.com
Subrealm Referral Value: company2
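The ISP example as an added worked model, written here as an illustration and not taken from Access Manager's Policy APIs: the top-level realm holds the two referral policies, a subrealm administrator may only create policies for resources referred to that subrealm, and evaluation at the top level follows the referral to the subrealm that owns the resource. The class and function names are this example's own assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ReferralPolicy:
    name: str
    resource: str   # the rule: resource whose policy creation/evaluation is referred
    subrealm: str   # the referral: realm that receives the delegation

@dataclass
class Realm:
    name: str
    referrals: list = field(default_factory=list)  # referral policies (delegating realm)
    policies: dict = field(default_factory=dict)   # resource -> set of allowed actions

def covers(prefix, resource):
    """True if `resource` is `prefix` itself or lies below it. Matching on the
    bare string prefix would let http://company1.com.example match company1's
    referral, so the match is anchored at a path boundary."""
    return resource == prefix or resource.startswith(prefix.rstrip("/") + "/")

def delegated_realm(parent, resource):
    """Name of the subrealm to which `parent` has referred `resource`, else None."""
    for ref in parent.referrals:
        if covers(ref.resource, resource):
            return ref.subrealm
    return None

def create_policy(parent, realm, resource, actions):
    """A Realm Administrator of `realm` may create a policy for `resource`
    only if a referral policy in `parent` delegates that resource to `realm`."""
    if delegated_realm(parent, resource) != realm.name:
        return False
    realm.policies[resource] = set(actions)
    return True

def evaluate(parent, subrealms, resource, action):
    """Top-level evaluation: follow the referral, then consult the policies
    of the subrealm that owns the resource. No referral means no decision here."""
    target = delegated_realm(parent, resource)
    if target is None:
        return False
    realm = subrealms[target]
    return any(covers(res, resource) and action in acts
               for res, acts in realm.policies.items())

def build_isp_example():
    """Constructed fixture mirroring the page: ISP with company1 and company2."""
    isp = Realm("ISP", referrals=[
        ReferralPolicy("Referral Policy 1", "http://company1.com", "company1"),
        ReferralPolicy("Referral Policy 2", "http://company2.com", "company2"),
    ])
    return isp, {"company1": Realm("company1"), "company2": Realm("company2")}
```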