Role-Based Access Control (RBAC) is used to protect access to the Enterprise Gateway management
services. For example, management services are invoked when a user accesses the server
using the Policy Studio or Service Manager, requests the Welcome page
(http://localhost:8090/), or uses the Traffic Monitor or Real-time Monitoring
tools. For more information, see Configuring Role-Based
Access Control.
The RBAC filter is used in the Protect Management and Policy Director
Interfaces policy to perform the following tasks:
- Read the user roles from the configured message attribute (for example, authentication.subject.role).
- Determine which management service is currently being invoked
(which URI, and which SOAP operation and namespace, where applicable).
- Return true if one of the roles has access to the management service currently being invoked, as defined in the acl.policy file.
- Otherwise, return false, and the Return HTTP Error 403: Access
Denied (Forbidden) policy is called. The message content of this filter is shown
when a valid user has logged into the browser, but their roles do not give them access to
the URI they have invoked. For example, this occurs if a new user is created and they have
not yet been assigned any roles.
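The four steps above, as an added example of the filter's decision logic rather than code from the Enterprise Gateway itself; the ACL table, role names, URIs and SOAP names are constructed for illustration and do not reflect the real acl.policy format.

```python
# Added example: a small model of the RBAC filter's four steps described above.
# The ACL table, role names, URIs and SOAP names are constructed for illustration;
# they are not the real acl.policy format or its contents.
from dataclasses import dataclass
from typing import Optional

# Constructed ACL keyed by the management service being invoked:
# (URI, SOAP namespace, SOAP operation) -> roles that may call it.
# Plain HTTP resources use None for the two SOAP fields.
ACL = {
    ("/", None, None): {"admin", "operator", "auditor"},  # Welcome page
    ("/api/monitoring", None, None): {"admin", "operator", "auditor"},
    ("/api/deployment", "http://example.invalid/deploy", "getConfig"): {"admin", "operator"},
    ("/api/deployment", "http://example.invalid/deploy", "deployConfig"): {"admin"},
}

@dataclass
class Message:
    attributes: dict                     # message attributes set by earlier filters
    uri: str
    soap_namespace: Optional[str] = None
    soap_operation: Optional[str] = None

def read_roles(msg: Message, attribute: str = "authentication.subject.role") -> set:
    """Step 1: read the user's roles from the configured message attribute.
    The attribute may hold one role or a list of roles; a missing attribute
    (e.g. a newly created user with no roles yet) yields an empty set."""
    value = msg.attributes.get(attribute)
    if value is None:
        return set()
    return set(value) if isinstance(value, (list, tuple, set)) else {value}

def service_key(msg: Message) -> tuple:
    """Step 2: identify the management service: URI plus SOAP operation and
    namespace where applicable."""
    return (msg.uri, msg.soap_namespace, msg.soap_operation)

def rbac_filter(msg: Message) -> bool:
    """Steps 3-4: True if any of the user's roles is allowed for the service,
    otherwise False. A service absent from the ACL is denied (fail closed)."""
    allowed = ACL.get(service_key(msg))
    if allowed is None:
        return False
    return not read_roles(msg).isdisjoint(allowed)

def enforce(msg: Message) -> Optional[int]:
    """Wire the filter to the policy: None lets the request proceed, 403 means the
    'Return HTTP Error 403: Access Denied (Forbidden)' policy is invoked."""
    return None if rbac_filter(msg) else 403
```

The no-roles case in the text (a newly created user) falls out naturally: `read_roles` returns an empty set, so `enforce` yields 403 for every management service.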