Authorization and Policy Service Overview

A policy is a rule that defines who is authorized to access a resource. A single policy can define authorization with either binary or non-binary decisions. (A binary decision is yes/no, true/false or allow/deny. A non-binary decision represents the value of an attribute; for example, a mail service might include a mailboxQuota attribute with a maximum storage value set for each user.) In general, the Policy Service allows administrators to configure, modify, and delete policies. The configured policies are then added to a realm and applied against the subjects in the realm. The Policy Service can be accessed using the Policy Service API: a privileged user can define access control policies using the administration API while a protected application or policy agent can obtain policy decisions using the evaluation API. The Policy Service relies on:

• A Policy Administration Point (PAP) implements the functionality to define policies. The Policy Service is the PAP.

• A Policy Enforcement Point (PEP) to protect an enterprise's resources by enforcing access control. The PEP uses the policy component of the Client SDK to retrieve policy decisions. The policy agent is the PEP.

• A Policy Decision Point (PDP) to evaluate policy and make an access determination. The Policy Service is the PDP.

• A data store in which configured policies are stored and from which they are retrieved. The Configuration Data Store is the data store.

Access to a resource is always preceded by a basic user session in which the requestor is authenticated, a session is created by the Authentication Service, and the session token identifier is validated. (See Chapter 6, Models of the User Session and Single Sign-On Processes.) The policy agent protecting the resource then provides the session token identifier, resource name, desired action, and additional context parameters to the Policy Service which uses configured policies to determine if the user has been given permission to access the protected resource by a recognized authority. When the policy agent gets the decision from the Policy Service, it allows or denies access to the user, enforcing the policy decision provided by Policy Service. This whole process is referred to as authorization. The Policy Service is defined by the amPolicy.xml and, generally speaking:

• Provides a means for defining and managing access policies.

• Provides a means for defining custom policy plug-ins by providing names and class locations.

• Evaluates access policies.

• Acts as a PDP to deliver the result of a policy evaluation.

• Supports the delegation of policy management.

• Provides an SPI for extensibility.

• Provides access from remote clients using the Client SDK.

• Caches and reuses policy decisions, where applicable, to improve performance.

• Allows periodic polling of the Policy Service by a client to update locally cached policy decisions.

• Dynamically recognizes changes to policies and provides policy decisions that reflect them.

The Policy Configuration Service provides a means to specify how policies are defined and evaluated. It enables you to specify, for example, which directory to use for subject lookup, the directory password, which search filters to use, and which subjects, conditions, and response providers to use. This configuration can be done within a realm or a subrealm and is accessible using the OpenSSO Enterprise console.

See Chapter 4, Managing Policies, in Sun OpenSSO Enterprise 8.0 Administration Guide and Chapter 2, Using the Policy Service API, in Sun OpenSSO Enterprise 8.0 Developer’s Guide for more information.