Authorization Policy
One of the key capabilities of the IBM® Application Gateway (IAG) is the ability to apply authorization policies to requests, controlling who can access your protected resources. A detailed description of the authorization policy concepts is contained in the Authorization page.
Configuration
Rule Definition
Frequently used authorization rules can be defined in the authorization rules YAML node. Once defined, these rules can be referenced within the authorization policy definition itself.
Policy Definition
The authorization policy, which controls who can access the protected resources, can be defined in the authorization policies YAML node.
If no authorization policy is defined, the default policy is to:
- Allow any authenticated user access, if an identity provider is defined;
- Allow any user access (without requiring authentication), if no identity provider is defined.
An example configuration file, which illustrates how to define an authorization policy, is also available in the Authorization example page.