Before processing a request, the Liberty Personal Profile Service verifies the authorization of the WSC making the request. There are two levels of authorization verification:
Is the requesting entity authorized to access the requested resource profile information?
Is the requested resource published to the requestor?
Authorization occurs through a plug-in to the Liberty Personal Profile Service, an implementation of the com.sun.identity.liberty.ws.interfaces.Authorizer interface. Although a new implementation can be developed, Access Manager provides the default class, com.sun.identity.liberty.ws.idpp.plugin.IDPPAuthorizer. This plug-in defines four policy action values for the query and modify operations:
Allow
Deny
Interact For Consent
Interact For Value
The resource values for the rules are similar to XPath expressions defined by the Liberty Personal Profile Service. For example, rules can be defined like this:
/PP/CommonName/AnalyzedName/FN    Query     Interact for consent
/PP/CommonName/*                  Modify    Interact for value
/PP/InformalName                  Query     Deny
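The three example rules, evaluated by a small model of a rule table. This is an added example, not code from Access Manager or IDPPAuthorizer. It assumes that a trailing `/*` covers every descendant, that the most specific rule wins, and that a request matching no rule is denied; the names `parse_rules`, `matches` and `decide` are hypothetical.

```python
# Added illustration, not Access Manager code. Assumptions: a trailing "/*"
# covers every descendant, the most specific rule wins, and a request that
# matches no rule is denied. The product's real evaluation may differ.
ACTION_VALUES = ("Allow", "Deny", "Interact For Consent", "Interact For Value")
CANONICAL = {a.lower(): a for a in ACTION_VALUES}
OPERATIONS = ("query", "modify")

# The three rules from the example above: (resource, operation, action value).
RULES = [
    ("/PP/CommonName/AnalyzedName/FN", "Query", "Interact for consent"),
    ("/PP/CommonName/*", "Modify", "Interact for value"),
    ("/PP/InformalName", "Query", "Deny"),
]


def parse_rules(rows):
    """Normalise case and reject unknown operations or action values."""
    parsed = []
    for resource, operation, value in rows:
        op, val = operation.strip().lower(), value.strip().lower()
        if op not in OPERATIONS or val not in CANONICAL:
            raise ValueError(f"invalid rule: {resource} {operation} {value}")
        parsed.append((resource.strip(), op, CANONICAL[val]))
    return parsed


def matches(pattern, resource):
    """Exact match, or descendant match for a pattern ending in '/*'."""
    if pattern.endswith("/*"):
        # Keep the trailing '/' so /PP/CommonName/* does not cover /PP/CommonNameX.
        return resource.startswith(pattern[:-1]) and len(resource) >= len(pattern)
    return pattern == resource


def decide(rules, resource, operation, default="Deny"):
    """Return the action value of the most specific matching rule."""
    hits = [
        (not pattern.endswith("/*"), len(pattern), value)
        for pattern, op, value in rules
        if op == operation.lower() and matches(pattern, resource)
    ]
    return max(hits)[2] if hits else default


if __name__ == "__main__":
    table = parse_rules(RULES)
    for op in ("Query", "Modify"):
        print(op, decide(table, "/PP/CommonName/AnalyzedName/FN", op))
```

Under these assumptions a Modify on `/PP/InformalName` is denied because no rule covers it, which is the gap to look for when reviewing a real rule table.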
Authorization can be turned off by deselecting one or both of the following attributes, which are also defined in the Liberty Personal Profile Service: