Configure an Authorization Policy

Create an authorization policy for each resource in your enterprise application and define the conditions in which users are allowed or denied access to the resource.

Prerequisite

Enable Authorization Policy. Oracle must enable this feature for you. To learn about the features that Oracle must enable for you and how to enable them, see Service Request Features for Oracle Identity Cloud Service.

Note:

Although the Authorization Policy section appears during enterprise application configuration, the ability for App Gateway and Oracle Identity Cloud Service to validate authorization must be turned on for you. If you don't file a Service Request, your App Gateway won't perform authorization verification despite you having configured the Authorization Policy section.

Note:

Authorization policies only work for resources that you protect with Form or Access Token authentication method in an authentication policy. If your resource is protected with any other authentication method, App Gateway doesn't perform authorization check when users try to access the resource using a web browser.

Authorization policies define under what conditions users are allowed or denied access to application resources. When App Gateway intercepts an HTTP request to a resource endpoint, App Gateway verifies whether the enterprise application in Oracle Identity Cloud Service contains authorization policies for the resource. If so, then App Gateway verifies whether the HTTP request matches one of the rules configured to allow or deny access.

For example, you can configure an allow rule to allow all members of the Employees group to access the /myapp/private/home resource, and configure a deny rule to deny access to this resource for users authenticated by the My External SAML IDP identity provider.
  1. In the SSO Configuration tab of your enterprise application page, expand the Authorization Policy section.
  2. In the Allow Rules section, click Add, specify a Rule Name, and then complete the following fields.

    Table 5-2 Add Allow Rule Options

    Conditions Description

    If the resource is

    Select one of the resources configured in the enterprise application.

    And the HTTP Method is

    Select the HTTP Methods associated with this rule. The rule will be valid only for the selected HTTP Methods.

    And if the user is authenticated by

    Select the identity providers that are active in Oracle Identity Cloud Service. If the user is signed in using one of these identity providers, then App Gateway allows access to the resource. Local IDP refers to users authenticated by Oracle Identity Cloud Service.

    And is a member of these groups

    Select Oracle Identity Cloud Service's groups. If the signed in user is a member of one of the selected groups, then App Gateway allows access to the resource.

    And is not one of these users

    Select Oracle Identity Cloud Service users. If the signed in user is not one of the selected users, then App Gateway allows access to the resource.

    And the user's client IP address is

    Select the IP address range the HTTP request are made from.

    • Anywhere: App Gateway doesn't validate the IP address from where the HTTP request was made.
    • In one or more of these network perimeters: Select this option, and then select the network perimeters associated with this rule. If the IP address from where the HTTP request was made is specified in one of the network perimeters, then Access Gateway allows access to the resource.

    And access is

    Select a time of the day (From and To), select which days of the week, and then the timezone in which the rule is valid.

    App Gateway allows access to the resource only if the HTTP Request is made within the period configured.

    All the conditions configured for an allow rule must be met so that App Gateway can perform the action configured for the rule.
  3. In the Actions section of the Add Allow Rule window, click Add for Headers, enter name for the HTTP header and then select a user attribute as value. Repeat this step for all headers you want to configure for this rule.
    If the user is allowed access to the resource, App Gateway adds these header variables with the corresponding values to the HTTP request before forwarding the request to the application.
  4. Click Add to add the allow rule.
  5. In the Deny Rules section, click Add Deny Rule, specify a Rule Name, and then complete the following fields.

    Table 5-3 Add Deny Rule Options

    Conditions Description

    If the resource is

    Select one of the resources configured for the enterprise application.

    And the HTTP Method is

    Select the HTTP Methods to associate with this rule.

    And if the user is authenticated by

    Select identity providers that are active in Oracle Identity Cloud Service. If the user is signed in using one of these identity providers, then App Gateway denies access to the resource. Local IDP refers to users authenticated by Oracle Identity Cloud Service.

    And is a member of these groups

    Select Oracle Identity Cloud Service groups. If the signed in user is member of one of the selected groups, then App Gateway denies access to the resource.

    And is not one of these users

    Select the Oracle Identity Cloud Service users. If the signed in user is not one of the selected users, then App Gateway denies access to the resource.

    And the user's client IP address is

    Select the IP address range the HTTP request are made from.

    • Anywhere: App Gateway doesn't validate the IP address from where the HTTP request was made.
    • In one or more of these network perimeters: Select this option, and then select the network perimeters to associate with this rule. If the IP address from where the HTTP request was made is specified as one of the network perimeters, then Access Gateway denies access to the resource.

    And access is

    Select a time of the day (From and To), select which days of the week, and then the timezone in which the rule is valid.

    App Gateway denies access to the resource if the HTTP Request is made within the period configured.

    All the conditions configured for a deny rule must be met so that App Gateway can perform the action configured for the rule.
  6. In the Actions section of the Add Deny Rule window, select the action App Gateway must perform when a deny rule condition matches the resource's HTTP request.
    • None: App Gateway redirects the user browser to the URL you've set in the Custom Error URL parameter of the enterprise application. If this parameter has no value, then App Gateway redirects the user browser to the URL set in the Error URL parameter of the Session Settings.
    • Logout: Logs the user out from Oracle Identity Cloud Service.
  7. Click Add to add the deny rule.
  8. In the Settings section, select Time to live in minutes to define for how long App Gateway caches any authorization policy evaluation that has been performed.
    By caching these policy evaluation, App Gateway doesn't need to communicate with Oracle Identity Cloud Service in subsequent HTTP request made by the user for the same resource.