An appliance with Advanced Access Control uses attributes to provide information about
users and devices that try to access a protected resource. The appliance also includes a set of
commonly used attributes called predefined attributes.
Five values describe each predefined attribute:
Table 1. Predefined attribute categories. Categories indicate the type of information that each attribute conveys.

| Category | Category description |
| --- | --- |
| Action | Indicates the user action. |
| Environment | Indicates when and how the user is trying to access the resource. |
| Resource | Gives information about what the user is trying to access. |
| Subject | Indicates who is trying to access the resource. |
Table 2. Predefined attribute types

| Type | Type description |
| --- | --- |
| Access policy | The administrator uses policy attributes to create policies. |
| Risk profile | The administrator uses risk attributes to create risk profiles. |
Table 3. Predefined attribute data types. Each predefined attribute has a data type. Data types are classifications that identify the possible values for each type of attribute.

| Data type | Data type description |
| --- | --- |
| Boolean | Condition that refers to one of two possible values. |
| Date | Date of the request. |
| Integer | Number that can be written without a fractional or decimal component. |
| String | Sequence of characters. |
| Time | Time of the request. |
| X500Name | Values with distinguished names. |
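As an added example (not code from the product documentation), here is a small Python checker that enforces the six data types above on a constructed attribute set before the values are used in a policy; the attribute names, the ISO 8601 text form for Date and Time, and the attr=value syntax for distinguished names are all assumptions.

```python
import re
from datetime import date, time
# Constructed declarations, one per predefined data type (names made up here).
DECLARED_TYPES = {
    "deviceRegistered": "Boolean", "requestDate": "Date", "riskScore": "Integer",
    "userAgent": "String", "requestTime": "Time", "userDN": "X500Name",
}

def _boolean(raw):
    """Boolean: exactly two values, so 'yes', '1' and the like are rejected."""
    if raw.strip().lower() not in ("true", "false"):
        raise ValueError(f"not a Boolean: {raw!r}")
    return raw.strip().lower() == "true"

def _integer(raw):
    """Integer: a whole number with no fractional or decimal component."""
    if not re.fullmatch(r"-?\d+", raw.strip()):
        raise ValueError(f"not an Integer: {raw!r}")
    return int(raw)

def _x500name(raw):
    """X500Name: a distinguished name, taken here as comma-separated attr=value RDNs."""
    rdns = [part.strip() for part in raw.split(",")]
    if not all(re.fullmatch(r"[A-Za-z][A-Za-z0-9]*=[^,=]+", r) for r in rdns):
        raise ValueError(f"not an X500Name: {raw!r}")
    return ",".join(rdns)

# Date and Time are taken as ISO 8601 text (an assumption; the page gives no format).
PARSERS = {"Boolean": _boolean, "Date": date.fromisoformat, "Integer": _integer,
           "String": str, "Time": time.fromisoformat, "X500Name": _x500name}

def type_attributes(received):
    """Return (typed, errors): values that match their declared data type, plus
    one message for each attribute that is undeclared or fails its data type."""
    typed, errors = {}, []
    for name, raw in received.items():
        dtype = DECLARED_TYPES.get(name)
        if dtype is None:
            errors.append(f"{name}: undeclared attribute")
            continue
        try:
            typed[name] = PARSERS[dtype](raw)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return typed, errors
# Constructed samples: one well-typed attribute set and one with bad values.
GOOD = {"deviceRegistered": "true", "requestDate": "2024-05-01", "riskScore": "40",
        "userAgent": "Mozilla/5.0", "requestTime": "09:30:00", "userDN": "cn=alice, ou=users, o=example"}
BAD = {"deviceRegistered": "yes", "riskScore": "4.5", "userDN": "alice", "colour": "red"}
```

Rejecting a value at this stage, rather than coercing it, keeps a malformed or unexpected attribute from silently satisfying a policy condition.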
Table 4. Predefined attribute source types. Source types indicate the source of each attribute.

| Source type | Source type description |
| --- | --- |
| Active | Collected by the attribute collection service. The administrator must add JavaScript to the application so that active attributes can be collected. For example: system fonts. |
| Derived | Generated by a policy information point (PIP). For example: risk score. |
| Passive | Collected from the browser by the external authorization service (EAS) and placed into an XACML request. Attributes with this source type are collected by the policy enforcement point (PEP) without installing more software or challenging the client to provide more details. For example: user-agent HTTP header and client IP address. |
Table 5. Predefined attribute sources. Sources indicate where the attributes originate from.

| Source | Source description |
| --- | --- |
| Attribute collection service | Collects information about the user device, such as browser information, the operating system of the device, and the language of the device. |
| Consent external authentication interface | Asks the user for a device registration decision. |
| Device fingerprint count PIP | Counts the number of devices that are associated with the user. |
| Fiberlink MaaS360 PIP | Retrieves device attributes from the registered MaaS360 device inventory. |
| Geolocation PIP | Looks up the location of the user, based on the IP address. |
| HTTP headers | Provides information about the request. |
| IP reputation PIP | Generates the IP reputation. See IP reputation for more information about IP reputation. |
| POST data | Collects information about the user and sends it to the external authorization service (EAS) as POST data. The EAS inserts this POST data into the decision request. |
| Risk engine | Generates the risk score. See Risk score calculation for more information about risk score calculation. |
| System time | Keeps the time of the system. |
| Verify Identity Access credential | Collects information about the user from Verify Identity Access. |
| Worklight JavaScript PIP | Parses the POST data from a Worklight adapter invocation and returns custom attributes that are created from the data in the parameters element of the POST. |