Sun Java System Access Manager 7 2005Q4 Technical Overview

Policy Subjects

A subject implicitly specifies the user or collection of users that the policy affects. You can implement custom subjects by using the Policy APIs, and you can assign subjects to policies. Access Manager includes the following subjects:

Access Manager Roles

The roles you create and manage under the Realms Subject tab can be added as a value of the subject.

Access Manager Identity

The identities you create and manage under the Realms Subject tab can be added as a value of the subject.

Authenticated Users

Any user with a valid SSOToken is a member of this subject. All authenticated users are members of this subject, even if they authenticated to a realm that is different from the realm in which the policy is defined. This is useful when the resource owner wants to give users from other realms access to resources that it manages.

LDAP Groups

Any member of an LDAP group can be added as a value of this subject.

LDAP Roles

Any LDAP role can be added as a value of this subject. An LDAP Role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.

LDAP Users

Any LDAP user can be added as a value of this subject.

Organization

Any organization can be added as a value of this subject.

Web Services Clients

Valid values are the DNs of trusted certificates in the local JKS keystore, which correspond to the certificates of trusted WSCs. This subject depends on the Liberty Web Services Framework and should be used only by Liberty Service Providers to authorize WSCs. A web service client (WSC) identified by the SSOToken is a member of this subject if the DN of any principal contained in the SSOToken matches any selected value of this subject.
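The following model, added here as an illustration and not Access Manager code, shows how the Authenticated Users, LDAP Groups and Web Services Clients subjects decide membership, including the cross-realm rule for authenticated users and the principal-DN match for WSCs. The SSOToken structure, the sample DNs and groups, and the assumption that a user must be a member of at least one of a policy's subjects are constructed for the example.

```python
"""Model of Access Manager policy-subject membership (added illustration).

Not Access Manager code: the SSOToken fields, groups and DNs below are
constructed; the subject semantics follow the descriptions on this page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SSOToken:
    realm: str                       # realm the user authenticated to
    principal_dns: tuple = ()        # DNs of principals carried in the token
    groups: frozenset = frozenset()  # LDAP groups the user belongs to
    valid: bool = True


def normalize_dn(dn):
    """Crude DN normalisation (case and whitespace); real matching is richer."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def subject_matches(token, policy_realm, subject):
    """Return True if the token's user is a member of one subject.

    subject is (type, selected_values); the types mirror the list above.
    policy_realm is kept only to make the cross-realm rule explicit.
    """
    if not token.valid:
        return False  # no valid SSOToken: never a member of any subject
    kind, values = subject
    if kind == "AuthenticatedUsers":
        # Any valid token counts, even when token.realm != policy_realm.
        return True
    if kind == "LDAPGroups":
        return bool(token.groups & set(values))
    if kind == "WebServicesClients":
        trusted = {normalize_dn(v) for v in values}
        return any(normalize_dn(dn) in trusted for dn in token.principal_dns)
    raise ValueError(f"unsupported subject type: {kind}")


def policy_applies(token, policy_realm, subjects):
    """Assumption: the user must be a member of at least one subject."""
    return any(subject_matches(token, policy_realm, s) for s in subjects)


# Constructed sample data.
ENGINEERS = "cn=engineers,ou=groups,dc=example,dc=com"
WSC_DN = "cn=payroll-wsc,ou=services,dc=example,dc=com"
SAME_REALM_USER = SSOToken(realm="/", groups=frozenset({ENGINEERS}))
OTHER_REALM_USER = SSOToken(realm="/partners")
WSC_TOKEN = SSOToken(realm="/", principal_dns=(WSC_DN.upper(),))
```

Note that a policy whose only subject is Authenticated Users is reachable by any valid session from any realm, which is the point to check before using it on a resource that should be limited to the policy's own realm.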