Chapter 4 Authorization and the Policy Service

The Sun Java System Access Manager Policy Service determines if a user has been given permission by a recognized authority to access a protected resource. The process is referred to as user authorization. This chapter describes how the various parts of the Policy Service work together to perform authorization. Topics covered include:

• Authorization Overview

• Access Control and Realms

• Policy Types

• Policy Framework

• Policy SPIs and Plug-Ins Layer

• Policy Client APIs

Authorization Overview

A policy is a rule that defines who is authorized to access a resource. A single policy can define either binary or non-binary decisions. A binary decision is yes/no, true/false or allow/ deny. A non-binary decision represents the value of an attribute. For example, a mail service might include a mailboxQuota attribute with a maximum storage value set for each user. In general, a policy is configured to define what a subject can do to which resource and under what conditions.

The Access Manager Policy Service allows administrators to define, modify, and delete policies for protected resources within the Access Manager deployment. Configured policies are grouped into realms and stored in the Access Manager information tree. The Policy Service relies on the following:

• A Policy Enforcement Point (PEP) protects an enterprise's resources by enforcing access control. The policy agent is the PEP.

• A Policy Decision Point (PDP) is where the policy is evaluated and a determination is made. The Policy Service is the PDP.

• A data store in which configured policies are stored and from which they are retrieved. The proprietary Access Manager information tree is the data store.

The Access Manager Policy Service uses configured policies to determine if a user has been given permission by a recognized authority to access a protected resource. When a user attempts to access a resource protected by a PEP, the PEP contacts the PDP to get a policy decision. The Policy Service evaluates the policies that protect the resource and are applicable to the requesting user. This results in a policy decision indicating whether the user is allowed to access the resource. Upon receiving the decision, the PEP allows or denies access accordingly. This whole process is referred to as authorization.

Access Control and Realms

When a user logs into an application, Access Manager plug-ins retrieve all user information, authentication properties, and authorization policies that the Access Manager framework needs to form a temporary, virtual user identity. The Authentication Service and the Policy Service use this virtual user identity to authenticate the user and enforce the authorization policies, respectively. All user information, authentication properties, and authorization policies is contained in realms. You can create a realm when you want to apply policies to a group of related subjects, services or servers. For example, you can create a realm that groups all servers and services that are accessed regularly by employees in one region. And, within that regional grouping realm, you can group all servers and services accessed regularly by employees in a specific division such as Human Resources. A configured policy might state that all Human Resources administrators can access the URL http://HR.example.com/HRadmins/index.html.. You might also add constraints to this policy: it is applicable only Monday through Friday from 9:00 a.m. through 5:00 p.m. Realms facilitate the delegation of policy management privileges.

---

Note –

Access control realms can be configured to use any user database.

---

Policy Types

The Policy Service authorizes access to a user based on the policies stored in the Access Manager information tree. The following sections contain information on the two types of policies you can create using Access Manager:

• Normal Policy

• Referral Policy

Normal Policy

A normal policy specifies a protected resource and who is allowed to access the resource. The protected resource can be anything hosted on a protected server. Examples of protected resources are applications, document files, images, or the server itself. Only a Top-Level Realm or Policy Administrator can create or manage polices that apply to a resource. A normal policy consists of rules, subjects, conditions, and response providers. The following sections contain information regarding these elements.

• Rules

• Subjects

• Conditions

• Response Providers

Rules

A rule defines the policy itself by specifying a resource, one or more sets of an action, and values for each action.

• A resource defines the specific object that is being protected. Examples of protected objects are an HTML page on a web site, or a user’s salary information accessed using a human resources service.

• An action is the name of an operation that can be performed on the resource. Examples of web page actions are POST and GET. An allowable action for a human resources service might be canChangeHomeTelephone.

• A value defines the permission for the action. Examples are allow anddeny.

Subjects

A subject specifies, by implication, the user or collection of users that the policy affects.

You can implement custom subjects by using the Policy APIs. You can assign the following subjects to policies:

Access Manger Roles

The roles you create and manage under the Realms Subject tab can be added as a value of the subject.

Access Manager Identity

The identities you create and manage under the Realms Subject tab can be added as a value of the subject.

Authenticated Users

Any user with a valid SSOToken is a member of this subject. All authenticated users would be member of this Subject, even if they have authenticated to a realm that is different from the realm in which the policy is defined.

LDAP Groups

Any member of an LDAP group can be added as a value of this subject.

LDAP Roles

Any LDAP role can be added as a value of this subject. An LDAP Role is any role definition that uses the Sun Java System Directory Server role capability. These roles have object classes mandated by Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

LDAP Users

Any LDAP user can be added as a value of this subject.

Organization

Any realm can be added as a value of this subject

Web Services Clients

Valid values are the DNs of trusted certificates in the local JKS keystore, which corresponds to the certificates of trusted web service clients (WSCs). A WSC identified by the SSOToken is a member of this subject, if the DN of any principal contained in the SSOToken matches any selected value of this subject. This subject has dependency on the Access Manager implementation of the Liberty Alliance Project Identity Web Services Framework and should be used only by web service providers to authorize WSCs.

Conditions

A condition specifies additional constraints that must be satisfied for a policy be applicable. For example, you can define a condition to limit a user’s network access to a specific time period. The condition might state that the subject can access the network only between 7:00 in the morning and 10:00 at night.

You can implement custom conditions by using the Policy APIs. Access Manager provides the following conditions:

Active Session Time

Sets a condition based on constraints configured for user session time such as maximum session time.

Authentication Chain

The policy is applicable if the user has successfully authenticated to the authentication chain in the specified realm. If the realm is not specified, authentication to any realm at the authentication chain will satisfy the condition.

Authentication Level

The Authentication Level attribute indicates the level of trust for authentication. The policy is applicable if the user's authentication level is greater than or equal to the Authentication Level set in the condition, or if the user's authentication level is less than or equal to the Authentication Level set in the condition, depending on the configuration.

Authentication Module Instance

The policy applies if the user has successfully authenticated to the authentication module in the specified realm. If the realm is not specified, authentication to any realm at the authentication module will satisfy the condition.

IP Address/DNS Names

Sets a condition based on a range of IP Addresses, or a DNS name.

Current Session Properties

Decides whether a policy is applicable to the request based on values set in the user's Access Manager session.

LDAP Filter Condition

The policy is applicable when the defined LDAP filter locates the user entry in the LDAP directory that was specified in the Policy Configuration service.

Realm Authentication

The policy applies if the user has authenticated to the specified realm.

Time

Sets the condition based on time constraints (time, day, date, time zone).

Response Providers

Response providers are plug-ins that provide policy response attributes. Policy response attributes typically provide values for attributes in the user profile. The attributes are sent with policy decisions to the PEP which, in turn, passes them in headers to an application. The application typically uses these attributes for customizing pages such as a portal page. Access Manager includes one implementation, the IDResponseProvider. You can implement custom response providers by using the Policy APIs.

Referral Policy

A Realm Administrator or Policy Administrator at the root or top level of the Access Manager information tree can create policy for any resource. A referral policy enables a Realm Administrator or a Policy Administrator to delegate policy configuration tasks. A referral policy delegates both policy creation and policy evaluation, and consists of one or more rules and one or more referrals.

• A rule defines the resource whose policy creation or evaluation is being referred.

• A referral defines the identity object to which the policy creation or evaluation is being referred.

Referral policies delegate policy management privileges to another entity such as a peer realm, a subrealm, or even a third-party product. (You can implement custom referrals by using the Policy APIs.) For example, a top-level realm exists named ISP. It contains two subrealms: company1 and company2. The Top-Level Administrator for ISP can delegate policy management privileges so that a Realm Administrator in company1 can create and manage policies only within thecompany1 realm, and a Realm Administrator in company2 can create and manage policies only within the company2 realm. To do this, the Top-Level Administrator creates two referral policies, defining the appropriate realm in the rule and the appropriate administrator in the referral.

---

Note –

An administrator or Policy Administrator for realms configured below the root level of the Access Manager information tree have permission to create policies only for resources delegated to that realm.

---

Policy Framework

The Policy framework in Access Manager are the services where policy management and administration are implemented. The Policy framework includes the following:

• Policy Service

• Policy Configuration Service

Policy Service

The Policy Service is defined using the amPolicy.xml. It performs the following functions:

• Provides a means for defining and managing access policies.

• Provides a means for defining custom policy plug-ins by providing names and class locations.

• Evaluates access policies.

• Acts as a PDP to deliver the result of a policy evaluation.

In order to configure for custom policy plug-ins, modify amPolicy.xml and use amadmin to reload it. See Developing Custom Subjects, Conditions, Referrals, and Response Providers in Sun Java System Access Manager 7.1 Developer’s Guide.

Policy Configuration Service

The Policy Configuration Service provides a means to specify how policies are defined and evaluated. The Policy Configuration Service enables you to specify, for example:

• Which directory to use for subject lookup

• The directory password

• Which search filters to use

• Which subjects, conditions, and response providers to use

This configuration can be done within a realm or a subrealm and is accessible through the Access Manager console.

Policy SPIs and Plug-Ins Layer

Access Manager includes SPIs that work with the Policy framework to create and manage policies. You can develop customized plug-ins for creating custom policy subjects, referrals, conditions, and response providers. For information on creating custom policy plug-ins, see the Sun Java System Access Manager 7.1 Developer’s Guide.

The following table summarizes the Policy service provider interfaces (SPIs), and lists the specialized Policy plug-ins that come bundled with Access Manager.

Table 4–1 Policy Service Provider Interfaces

Interface	Description
Subject	Defines a set of authenticated users for whom the policy applies. The following Subject plug-ins come bundled with Access Manager: Access Manager Identity Subject, Access Manager Roles, Authenticated Users, LDAP Groups, LDAP Roles, LDAP Users, Organization Web, and Services Clients.
Referral	Delegates management of policy definitions to another access control realm.
Condition	Specifies applicability of policy based on conditions such as IP address, time of day, authentication level. The following Condition plug-ins come bundled with Access Manager: Authentication Level, Authentication Scheme, IP Address, LE Authentication Level, Session, SessionProperty, and Time.
Resource Name	Allows a pluggable resource.
Response Provider	Gets attributes that are sent along with policy decision to the policy agent, and used by the policy agent to customize the client applications. Custom implementations of this interface are now supported in Access Manager 7.1.

Policy Client APIs

Access Manager provides client APIs that implement policy evaluation logic on a remote web server or application server. For policy client API information, see the Sun Java System Access Manager 7.1 Developer’s Guide.