About the C Library For Policy

Access Manager provides C APIs to allow external applications to determine access privileges and manage policies. Access Manager also provides a library of policy evaluation APIs to enable integration of the policy functionality into for C applications.

The C library provides a comprehensive set of interfaces that query policy results of an authenticated user for a given action on a given resource. The result of the policy evaluation is called an action value and may not always be binary (allow/deny or yes/no). Action values can also be non-boolean. For example, John Smith has a mailbox quota of 100MB. The value 100 is defined by a policy. As policy evaluation results in string values only, the policy evaluation returned is 100 numeric and not 100MB. It is up to the application developer to define metrics for the values obtained appropriately.

The policy management system is generic and makes no assumptions about any particular policy definition requirement.

Policy Implementation

As the first step of policy implementation, the API abstracts how a resource is represented by mandating that any resource be represented in a string format. For example, on a web server, resources may be represented as URLs. The policy evaluation engine cares only about the relative relevance of one resource to other. Five relative relevances are defined between two resources:

• exact match

• no match

• subordinate match

• superior match

• exact pattern match

Having represented the resources in string format, the service developer must provide interfaces that establish the relevant relationship between resources.

Exact pattern match is a special case where resources may be represented collectively as patterns. The information is abstracted from the policy service and the comparison operation must take a boolean parameter to trigger a pattern matched comparison. During the caching of policy information, the policy engine does not care about patterns, whereas during policy evaluation, the comparisons are pattern sensitive.

The service developer must also provide a method to extract the root of the given resource. For example, in a URL, the protocol:// AcceessManager-HostName.domain_name:port portion represents the root. The three functions (has_patterns , get_resource_root and compare_urls) are specializations of resource representations. The set of characteristics needed to define a resource is called a resource trait. Resource traits are taken as a parameter during service initialization in the am_resource_traits_t structure. Using the resource traits, the policy service constructs a resource graph for policy evaluation. In a web server policy sense, the relation between all the resources in the system spans out like a tree with the following being part of the root tree:

protocol:// AcceessManager-HostName.domain_name : port/

Policy Evaluation

Two opaque data structures are defined: am_map_t and am_properties_t. am_map_t provides a key to multiple value mapping and am_properties_t provides a key to single value mapping. am_properties_t provides the additional functionality of loading a configuration file and getting values of specific data types. These are simple data structures that are only used for information exchange to and from the policy evaluation interfaces.