Web access overview
You manage web access by creating and managing network connections to protected web resources. You also control access to protected resources by creating authorization policies. Authorization policies include Access Control Lists (ACLs), Protected Object Policies (POPs), and a global user policy.
Protected resources
Protected resources are web applications and servers that you want to secure behind Cloud Identity Service. Common examples of protected resources include web portals, Java™ Platform, Enterprise Edition application servers, Microsoft .NET web applications that run on IIS, and static HTML content servers.
After a user is authenticated, that user's requests pass through Cloud Identity Service to your protected resources. Cloud Identity Service inspects each request and compares it against your authorization policies. Factors such as role, group, and service membership, time of day, and the client's network IP address can all determine whether a user is authorized to access a resource or perform a transaction.
You use the Web Applications interface to define and manage connections to your application servers. You also manage the policies that are attached to connections and to the path (protected) objects that make up the connection's object space on each application server.
Authorization policies
Access Control Lists (ACLs) define who can access which protected resources and what they can do with the resources they have access to. Protected Object Policies (POPs) qualify that access by restricting it to specified times of day and to specified ranges of IP addresses; a request must satisfy both the ACL and the POP in effect for the object. A policy is enforced by attaching it to a connection (junction) or path object. When a policy is attached to a connection, it applies to the connection and to all of its child objects. A policy attached lower in the hierarchy overrides the inherited policy for that object and everything beneath it, so when you check what a user can reach, look at the nearest attachment above the path, not only at the policy on the connection itself.
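To make the inheritance rules concrete, here is an added Python model of an object space with ACLs and POPs attached at different levels. It is an illustration written for this page, not Cloud Identity Service code or its policy syntax: the class names, the permission letters ("r", "x"), the principal naming ("user:", "group:", "any-authenticated"), and the "nearest attachment on the path to the root wins" resolution are assumptions chosen to show the semantics described above.

```python
# Illustrative model of ACL/POP attachment and inheritance (added example; the
# names, permission letters and resolution rule are assumptions, not product syntax).
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass
class ACL:
    # principal -> permission letters; principals are "user:<name>", "group:<name>"
    # or the catch-all "any-authenticated" (assumed names for this example)
    entries: Dict[str, Set[str]]


@dataclass
class POP:
    # hours=(start, end): allowed when start <= now < end (overnight windows not
    # modelled here); an empty network list means no IP restriction
    hours: Optional[Tuple[time, time]] = None
    networks: List[str] = field(default_factory=list)


@dataclass
class Request:
    user: str
    groups: Set[str]
    path: str
    action: str      # one permission letter, e.g. "r" (read) or "x" (execute)
    at: time
    src_ip: str


def ancestors(path: str) -> Iterator[str]:
    """Yield the object itself, then each parent up to the root "/"."""
    node = path.rstrip("/") or "/"
    while True:
        yield node
        if node == "/":
            return
        node = node.rsplit("/", 1)[0] or "/"


class ObjectSpace:
    """Path hierarchy with ACLs and POPs attached to individual nodes."""

    def __init__(self) -> None:
        self.acls: Dict[str, ACL] = {}
        self.pops: Dict[str, POP] = {}

    def attach_acl(self, path: str, acl: ACL) -> None:
        self.acls[path.rstrip("/") or "/"] = acl

    def attach_pop(self, path: str, pop: POP) -> None:
        self.pops[path.rstrip("/") or "/"] = pop

    def effective(self, table: dict, path: str):
        """Nearest attachment wins: a policy attached lower in the tree
        overrides (does not merge with) one inherited from above."""
        for node in ancestors(path):
            if node in table:
                return node, table[node]
        return None, None


def authorize(space: ObjectSpace, req: Request) -> Tuple[bool, str]:
    """Both the effective ACL and the effective POP must allow the request."""
    acl_node, acl = space.effective(space.acls, req.path)
    if acl is None:
        return False, "no ACL in effect (default deny)"

    principals = {"user:" + req.user, "any-authenticated"} | {"group:" + g for g in req.groups}
    granted = set().union(*(acl.entries.get(p, set()) for p in principals))
    if req.action not in granted:
        return False, f"ACL at {acl_node} does not grant '{req.action}'"

    pop_node, pop = space.effective(space.pops, req.path)
    if pop is not None:
        if pop.hours is not None:
            start, end = pop.hours
            if not (start <= req.at < end):
                return False, f"POP at {pop_node}: outside permitted hours"
        if pop.networks:
            ip = ip_address(req.src_ip)
            if not any(ip in ip_network(n) for n in pop.networks):
                return False, f"POP at {pop_node}: {req.src_ip} not in permitted networks"

    return True, f"allowed by ACL at {acl_node}" + (f" and POP at {pop_node}" if pop else "")


def sample_space() -> ObjectSpace:
    """Constructed object space: a permissive root ACL, a tighter ACL on
    /portal, and an admin subtree that overrides it and adds a POP."""
    space = ObjectSpace()
    space.attach_acl("/", ACL({"any-authenticated": {"r"}}))
    space.attach_acl("/portal", ACL({"group:staff": {"r", "x"}}))
    space.attach_acl("/portal/admin", ACL({"group:admins": {"r", "x"}}))
    space.attach_pop("/portal/admin", POP(hours=(time(8), time(18)), networks=["10.0.0.0/8"]))
    return space
```

Two behaviours are worth noting when you run it: a user who is not in `staff` is denied `/portal/index.html` even though the root ACL grants everyone read, because the `/portal` ACL replaces the inherited one rather than adding to it; and an admin who passes the `/portal/admin` ACL is still denied outside the POP's hours or from an address outside 10.0.0.0/8.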