Sun Java System Access Manager 7 2005Q4 Technical Overview

Chapter 4 Authorization and the Policy Service

Access Manager Policy Service determines if a user has been given permission by a recognized authority to access a protected resource. This process is known as user authorization. This chapter describes how the various parts of the Policy Service work together to perform authorization. Topics covered in this chapter include:

Policy Framework

The policy framework in Access Manager is where policy management logic and evaluation logic are implemented. The framework consists of a general Policy Service and the Policy Configuration Service.

The general Policy Service performs three main functions:

Applications host resources. In Access Manager, applications are protected by policy enforcement points (PEP) such as J2EE or web policy agents to enforce access control. Access control is based on the policy decision provided by policy evaluation at the PDP which is the Policy Service.

A policy is a rule that describes who is authorized to access a resource. Policies are grouped into access control realms which together form the Access Manager information tree.

When a user attempts to access a resource protected by a PEP, the PEP talks to the PDP to get a policy decision. At the PDP, which is Access Manager, Policy Service determines and evaluates policies that protect the resource and are applicable to the user. This results in a policy decision indicating whether the user is allowed to access the resource. Upon receiving the decision, the PEP allows or denies access appropriately. This whole process is called authorization.

The general Policy Service enables an administrator to configure custom policy plug-ins by providing names and class location of the custom plug-ins. The Policy Configuration Service provides a means to specify how policies will be defined and evaluated within a realm or subrealm. The Policy Configuration services enables you to specify: which directory to use for subject lookup; which search filters to use; which subjects, conditions, and response providers to use.

Access Control Realms

You create an access control realm when you want to apply policies to a group of related services or servers. An Access Manager realm is a group of authentication and authorization properties that you can associate with a user or group of users, or a collection of protected resources. For example, you can create a realm that groups all servers and services that are accessed regularly by your employees in one region. Within that regional grouping or realm, you can group all servers and services accessed regularly by employees in a specific division such as Human Resources. For example, a policy might state that all Human Resources administrators can access the URL You might add constraints to this policy. For example: The policy is applicable only Monday through Friday from 9:00 a.m. through 5:00 p.m.

Realm data is stored in an Access Manager information tree. Realms facilitate the delegation of policy management privileges within a realm hierarchy.

Figure 4–1 Access Manager Information Tree

This example illustrates how access information can be grouped
by region and by company functions.

Access Manager Information Tree

Access Manager creates a special and proprietary branch in a data store such as an LDAP directory for storing realm configurations, authentication properties, and authorization policies. This directory can be different from the directory hosting the Access Manager Identity Repository. Together the realms form the Access Manager information tree. The Access Manager information tree is separate from the user branch in the Identity Repository.

Figure 4–2 Access Manager Information Tree Within an Identity Repository

This figure compares a directory information tree (DIT) with
a DIT that includes the Access Manager information tree.

Access Manager components and plug-ins access the data stored in the Access Manager information tree, and use data for various purposes. The following are some examples:

About Authorization Policies

The Policy Service authorizes a user based on the policies stored in the access control information tree. You can create two types of Access Manager policies: normal policies and referral policies. Create a normal policy when you want to define access privileges for a resource. Create a referral policy when you want to delegate policy creation to another entity such as a peer realm, a subrealm, or a third-party product.

Normal Policy

A normal policy specifies a protected resource and also specifies who is allowed to access the resource. The protected resource can be anything hosted by a protected server. Examples of protected resources are applications, content such as document files, or the server itself. Only a Top-Level Realm or Policy Administrator can create or manage polices that apply to any resource.

A normal policy consists of rules, subjects, conditions, and response providers.

Policy Rules

A rule defines a policy by specifying a resource, one or more sets of an action, and values for each action.

Policy Subjects

A subject specifies by implication the user or collection of users that the policy affects. You can implement custom subjects by using Policy APIs. You can assign subjects to policies. Access Manager includes the following subjects:

Access Manger Roles

The roles you create and manage under the Realms Subject tab can be added as a value of the subject.

Access Manager Identity

The identities you create and manage under the Realms Subject tab can be added as a value of the subject.

Authenticated Users

Any user with a valid SSOToken is a member of this subject. All authenticated users would be member of this Subject, even if they have authenticated to a realm that is different from the realm in which the policy is defined. This is useful if the resource owner would like to give access to resources that is managed for users from other realms.

LDAP Groups

Any member of an LDAP group can be added as a value of this subject.

LDAP Roles

Any LDAP role can be added as a value of this subject. An LDAP Role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

LDAP Users

Any LDAP user can be added as a value of this subject.


Any organization can be added as a value of this subject

Web Services Clients

Valid values are the DNs of trusted certificates in the local JKS keystore, which correspond to the certificates of trusted WSCs. This subject has dependency on the Liberty Web Services Framework and should be used only by Liberty Service Providers to authorize WSCs. A web service client (WSC) identified by the SSOToken is a member of this subject, if the DN of any principal contained in the SSOToken matches any selected value of this subject.

Policy Conditions

A condition specifies additional constraints that must be satisfied for a policy be applicable. For example, you can define a condition to limit a user’s network access to a specific time period. The condition might state that the subject can access the network only between 7:00 in the morning and 10:00 at night. You can implement custom conditions using the Policy APIs. Access Manager provides the following conditions:

Authentication Level

The policy applies if the user's authentication level is greater than or equal to the Authentication level set in the condition. The Authentication Level attribute indicates the level of trust for authentication.

Authentication Scheme

Policy is applicable based on which authentication scheme is specified.

IP Address

Policy is applicable based on a range of IP Addresses.

LE Authentication Level

Policy is applicable if the user's authentication level is less than or equal to the Authentication level set in the condition.


Policy is applicable based on user session data such as Max Session Time.

Session Property

Policy is applicable based on values of properties set in the user's Access Manager session.


Policy is applicable based on time constraints.

Policy Response Providers

Response providers are plug-ins that provide policy-based response attributes. The response provider attributes are sent with policy decisions to the PEP. Access Manager includes one implementation, the IDResponseProvider. Custom response providers are not supported in this version of Access Manager. Agents, PEPs, typically pass these response attributes as headers to applications. Applications typically use these attributes to personalize application pages such as a portal page.

Referral Policy

A referral policy enables a Realm Administrator or a Policy Administrator to delegate policy configuration tasks. A Realm Administrator or Policy Administrator at the root or top level of the Access Manager information tree can create policy for any resource. An administrator or Policy Administrator for realms below the top level have permissions to create policies for only resources delegated to the realm. The Realm Administrator or Policy Administrator can use referral policies to delegate policy management privileges for a collection of resources to other realms.

You can implement custom referrals by using the Policy APIs. Access Manager provides the following referrals:

Peer Realm Referral

Administrator can delegate policy management privileges to a peer realm.

Subrealm Referral

Administrator can delegate policy management privileges to a subrealm.

A referral policy delegates both policy creation and policy evaluation. A referral policy consists of one or more rules and one or more referrals.

For example, a top-level realm exists named ISP. It contains two subrealms named company1 and company2. The Top-Level Administrator for ISP wants to delegate policy management privileges so that a Realm Administrator in company1 can create and manage policies only within the company1 realm, and a Realm Administrator in company2 can create and manage policies only within the company 2 real. The Top-Level Administrator creates two referral policies:

Policy SPIs and Plug-Ins Layer

Access Manager includes SPIs that work with the Policy framework to create and manage policies. You can develop customized plug-ins for creating custom policy subjects, referrals, conditions, and response providers. For information on creating custom policy plug-ins, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.

The following table summarizes the Policy SPIs , and lists the specialized Policy plug-ins that come bundled with Access Manager.

Table 4–1 Policy Service Provider Interfaces (SPIs)




Defines a set of authenticated users for whom policy applies.  

The following Subject plug-ins come bundled with Access Manager: Access Manager Identity Subject, Access Manager Roles, Authenticated Users, LDAP Groups, LDAP Roles, LDAP Users, Organization Web, and Services Clients. 


Delegates management of policy definitions to another access control realm.  


Specifies applicability of policy based on conditions such as IP address, time of day, authentication level.  

The following Condition plug-ins come bundled with Access Manager: Authentication Level, Authentication Scheme, IP Address, LE Authentication Level, Session, SessionProperty, and Time. 

Resource Name 

Allows a pluggable resource. 

Response Provider 

Gets attributes that are sent along with policy decision to the policy agent, and used by the policy agent to customize the client applications. Custom implementations of this interface are not supported in Access Manager 7.0. However, one default interface IDResponseProvider is supported at this time.

Policy Client APIs

Access Manager provides client APIs that implement policy evaluation logic on a remote web server or application server. For policy client API information, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.