Sun Java System Access Manager 7 2005Q4 Technical Overview

Policy Framework

The policy framework in Access Manager is where policy management logic and evaluation logic are implemented. The framework consists of a general Policy Service and the Policy Configuration Service.

The general Policy Service performs three main functions:

Applications host resources. In Access Manager, applications are protected by policy enforcement points (PEP) such as J2EE or web policy agents to enforce access control. Access control is based on the policy decision provided by policy evaluation at the PDP which is the Policy Service.

A policy is a rule that describes who is authorized to access a resource. Policies are grouped into access control realms which together form the Access Manager information tree.

When a user attempts to access a resource protected by a PEP, the PEP talks to the PDP to get a policy decision. At the PDP, which is Access Manager, Policy Service determines and evaluates policies that protect the resource and are applicable to the user. This results in a policy decision indicating whether the user is allowed to access the resource. Upon receiving the decision, the PEP allows or denies access appropriately. This whole process is called authorization.

The general Policy Service enables an administrator to configure custom policy plug-ins by providing names and class location of the custom plug-ins. The Policy Configuration Service provides a means to specify how policies will be defined and evaluated within a realm or subrealm. The Policy Configuration services enables you to specify: which directory to use for subject lookup; which search filters to use; which subjects, conditions, and response providers to use.