Sun Java System Federation Manager 7.0 User's Guide

Authorizer


Note – This functionality is not supported.


Before processing a request, the Liberty Personal Profile Service verifies that the web service consumer (WSC) making the request is authorized. The authorization check has two levels:

  1. Is the requesting entity authorized to access the requested resource profile information?

  2. Is the requested resource published to the requestor?

Authorization occurs via a plug-in to the Liberty Personal Profile Service: an implementation of the com.sun.identity.liberty.ws.interfaces.Authorizer interface. Although a new implementation can be developed, Federation Manager provides the default class, com.sun.identity.liberty.ws.idpp.plugin.IDPPAuthorizer. This plug-in defines four policy action values for the query and modify operations:

The resource values for the rules are similar to the XPath expressions defined by the Liberty Personal Profile Service. For example, rules can be defined as shown in the following example.


Example 9–1 Rules for Authorization


/PP/CommonName/AnalyzedName/FN    Query   Interact for consent
/PP/CommonName/*                  Modify  Interact for value
/PP/InformalName                  Query   Deny
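
A minimal model of how a rule table such as Example 9–1 could be evaluated, added here as an illustration; it is not Federation Manager or IDPPAuthorizer code. The matching semantics (a trailing * covers descendants, the most specific rule for the operation wins, Deny when nothing matches) and the names RULES, segments, specificity and decide are assumptions, not documented product behavior.

```python
# Added illustration of rule lookup; not Federation Manager code.
# Rule table copied from Example 9-1: (resource, operation, decision).
RULES = [
    ("/PP/CommonName/AnalyzedName/FN", "Query", "Interact for consent"),
    ("/PP/CommonName/*", "Modify", "Interact for value"),
    ("/PP/InformalName", "Query", "Deny"),
]
DEFAULT_DECISION = "Deny"  # assumption: fail closed when no rule matches


def segments(path):
    """Split an XPath-like resource such as /PP/CommonName into its steps."""
    steps = path.split("/")
    if steps[0] != "" or "" in steps[1:]:
        raise ValueError("expected an absolute path without empty steps: %r" % path)
    return steps[1:]


def specificity(rule_resource, requested):
    """Return how many steps of the rule matched, or None if it does not apply.

    Assumed semantics: a trailing '*' covers any descendant of the steps
    before it; a rule without '*' must equal the requested resource.
    """
    rule, req = segments(rule_resource), segments(requested)
    if rule and rule[-1] == "*":
        prefix = rule[:-1]
        covered = len(req) > len(prefix) and req[:len(prefix)] == prefix
        return len(prefix) if covered else None
    return len(rule) if rule == req else None


def decide(requested, operation, rules=RULES):
    """Return (decision, matching rule resource or None) for one request."""
    best = (-1, DEFAULT_DECISION, None)
    for resource, op, decision in rules:
        if op != operation:
            continue  # a Query rule never answers a Modify request
        score = specificity(resource, requested)
        if score is not None and score > best[0]:
            best = (score, decision, resource)
    return best[1], best[2]
```

Returning the matched rule alongside the decision lets an audit log distinguish an explicit Deny rule from the fail-closed default.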

Authorization can be turned off by deselecting one or both of the following attributes, which are also defined in the Liberty Personal Profile Service: