Sun Java System Access Manager 7.1 Technical Overview

Authorization Overview

A policy is a rule that defines who is authorized to access a resource. A single policy can define either binary or non-binary decisions. A binary decision is yes/no, true/false or allow/deny. A non-binary decision represents the value of an attribute returned with the decision. For example, a mail service might include a mailboxQuota attribute with a maximum storage value set for each user. In general, a policy is configured to define what a subject can do (the action) to which resource and under what conditions.

The Access Manager Policy Service allows administrators to define, modify, and delete policies for protected resources within the Access Manager deployment. Configured policies are grouped into realms and stored in the Access Manager information tree. The Policy Service relies on the following:

The Access Manager Policy Service uses configured policies to determine if a user has been given permission by a recognized authority to access a protected resource. When a user attempts to access a resource protected by a policy enforcement point (PEP, typically a policy agent installed in front of the resource), the PEP contacts the policy decision point (PDP, the Policy Service) to get a policy decision. The Policy Service evaluates the policies that protect the resource and are applicable to the requesting user. This results in a policy decision indicating whether the user is allowed to access the resource, together with any attribute values the applicable policies define. Upon receiving the decision, the PEP allows or denies access accordingly. This whole process is referred to as authorization.
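The PEP/PDP exchange above, modelled as a small policy decision point. This is an added illustration written for this page, not code from Sun or from the Access Manager product, and it does not use the Access Manager policy API: the policy names, the mail.example.com resources, the group names, the office-hours condition and the combining rule (an explicit deny from any applicable policy overrides allows; a request that no policy allows is denied) are all assumptions of the example. It shows the three things the text describes: matching a policy to a subject, resource and action; gating it on a condition; and returning a binary decision alongside non-binary attribute values such as mailboxQuota.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Set

# --- the request as the policy enforcement point (PEP) sees it --------------
@dataclass
class Request:
    user: str
    resource: str               # full resource name, e.g. a URL
    action: str                 # e.g. "GET" or "POST"
    groups: Set[str] = field(default_factory=set)  # memberships from authentication
    hour: int = 12              # hour of day, input to a time-of-day condition

Condition = Callable[[Request], bool]

# --- one policy: subjects x resources x actions, gated by conditions ---------
@dataclass
class Policy:
    name: str
    resources: List[str]        # glob patterns; "*" matches any suffix
    subjects: Set[str]          # user names or "group:<name>"
    actions: Dict[str, bool]    # binary decision per action: True=allow, False=deny
    conditions: List[Condition] = field(default_factory=list)
    attributes: Dict[str, str] = field(default_factory=dict)  # non-binary decisions

    def applies_to(self, req: Request) -> bool:
        if not any(fnmatch(req.resource, pat) for pat in self.resources):
            return False
        if req.user not in self.subjects and not any(
                f"group:{g}" in self.subjects for g in req.groups):
            return False
        return all(cond(req) for cond in self.conditions)

@dataclass
class Decision:
    allowed: bool
    attributes: Dict[str, str]  # e.g. {"mailboxQuota": "2048MB"}
    matched: List[str]          # names of the policies that applied

# --- policy decision point (PDP) -------------------------------------------
class PolicyDecisionPoint:
    """Evaluates every policy applicable to the requested resource and user.

    Combining rule (an assumption of this example, not a description of
    Access Manager's own algorithm): an explicit deny from any applicable
    policy overrides allows, and a request no policy allows is denied.
    """
    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)

    def evaluate(self, req: Request) -> Decision:
        allowed: Optional[bool] = None
        attributes: Dict[str, str] = {}
        matched: List[str] = []
        for policy in self.policies:
            if not policy.applies_to(req):
                continue
            matched.append(policy.name)
            attributes.update(policy.attributes)   # non-binary part of the decision
            verdict = policy.actions.get(req.action)
            if verdict is False:
                allowed = False                     # deny wins
            elif verdict is True and allowed is None:
                allowed = True
        return Decision(allowed is True, attributes, matched)

# --- policy enforcement point (PEP): the agent in front of the resource ------
class PolicyEnforcementPoint:
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def handle(self, req: Request):
        """Ask the PDP, then enforce; returns (HTTP-style status, decision)."""
        decision = self.pdp.evaluate(req)
        return ("200 OK" if decision.allowed else "403 Forbidden"), decision

def office_hours(req: Request) -> bool:
    """Example condition (invented): only between 09:00 and 17:59."""
    return 9 <= req.hour < 18

# Constructed sample policies; names, host and quota values are invented.
POLICIES = [
    Policy("mail-employees", ["http://mail.example.com/*"], {"group:employees"},
           {"GET": True, "POST": True}, attributes={"mailboxQuota": "2048MB"}),
    Policy("mail-contractors", ["http://mail.example.com/*"], {"group:contractors"},
           {"GET": True}, conditions=[office_hours],
           attributes={"mailboxQuota": "256MB"}),
    Policy("admin-deny-contractors", ["http://mail.example.com/admin/*"],
           {"group:contractors"}, {"GET": False, "POST": False}),
]
PEP = PolicyEnforcementPoint(PolicyDecisionPoint(POLICIES))

def authorize(user, resource, action, groups=(), hour=12):
    """Run one request through the PEP; returns (status, Decision)."""
    return PEP.handle(Request(user, resource, action, set(groups), hour))

if __name__ == "__main__":
    for args in [("alice", "http://mail.example.com/inbox", "GET", ["employees"]),
                 ("bob", "http://mail.example.com/inbox", "GET", ["contractors"], 22),
                 ("bob", "http://mail.example.com/admin/users", "GET", ["contractors"], 10),
                 ("carol", "http://mail.example.com/inbox", "GET")]:
        status, decision = authorize(*args)
        print(args[0], args[1], status, decision.attributes, decision.matched)
```

Two behaviours worth noting when reading the output: a failed condition makes a policy inapplicable rather than producing a deny (bob at 22:00 is refused because nothing allows him, and `matched` is empty), whereas the admin request at 10:00 is refused by an explicit deny even though a second applicable policy allows it. Attribute values are collected from every applicable policy, so a denied request can still carry attributes; a real PEP should ignore them when `allowed` is false.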