The authorization process determines whether an authenticated user has the right to perform an operation on a specific resource in a secure domain.
When WebSEAL enforces security in a secure domain, each user must provide proof of identity. In turn, Security Access Manager security policy determines whether that user is permitted to perform an operation on a requested resource. Because access to every Web resource in a secure domain is controlled by WebSEAL, WebSEAL's requirements for authentication and authorization can provide comprehensive network security.
In security systems, authorization is distinct from authentication. Authentication can validate the identity of a user, but says nothing about the user's right to perform operations on a protected resource.
In the Security Access Manager authorization model, authorization policy is implemented independently of the mechanism that is used for user authentication. Users can authenticate their identity by using public and private key pairs, secret keys, or customer-defined mechanisms.
Part of the authentication process involves the creation of a credential that describes the identity of the user. Authorization decisions that are made by an authorization service are based on user credentials.
The resources in a secure domain receive a level of protection as dictated by the security policy for the domain. The security policy defines the legitimate participants of the secure domain and the degree of protection that surrounds each resource that is being protected.
A component of the resource manager is a policy enforcer that directs the request to the authorization service for processing.
The following diagram illustrates the complete authorization process:

The resource manager can be WebSEAL (for HTTP and HTTPS access) or a third-party application.
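The flow described above, as a constructed Python model added here for illustration; it is not Security Access Manager or WebSEAL code. Two interchangeable authentication mechanisms (password and shared secret key) each produce the same `Credential`, and the resource manager's policy enforcer passes every request to an `authorization_service` that decides from the credential, the resource and the operation alone. The user store, the secret-key registry, the `_POLICY` table, the longest-prefix matching rule and the deny-by-default behaviour are all assumptions made for this example.

```python
"""Constructed model of authentication producing a credential, followed by an
authorization decision that does not depend on the authentication mechanism.
Not Security Access Manager code; all names and data are invented for this example."""
from dataclasses import dataclass
from hmac import compare_digest
import hashlib


@dataclass(frozen=True)
class Credential:
    """Describes an authenticated identity. It is the only input the
    authorization service sees, regardless of how the user authenticated."""
    user: str
    groups: frozenset
    auth_mechanism: str


# --- Authentication: two mechanisms that yield the same Credential shape ---

# Constructed user store: password hashes and group membership (sample data).
_USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "groups": frozenset({"staff", "payroll"})},
    "bob": {"pw_hash": hashlib.sha256(b"hunter2").hexdigest(),
            "groups": frozenset({"staff"})},
}
# Constructed secret-key registry: shared secret -> user it identifies.
_API_KEYS = {"svc-key-123": "bob"}


def authenticate_password(user, password):
    """Password mechanism: returns a Credential or None on failure."""
    rec = _USERS.get(user)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if rec is None or not compare_digest(rec["pw_hash"], candidate):
        return None
    return Credential(user, rec["groups"], "password")


def authenticate_secret_key(api_key):
    """Secret-key mechanism: same Credential shape, different proof of identity."""
    user = _API_KEYS.get(api_key)
    if user is None:
        return None
    return Credential(user, _USERS[user]["groups"], "secret-key")


# --- Authorization service: security policy for the secure domain ---

# Constructed policy: resource prefix -> operation -> groups permitted.
_POLICY = {
    "/payroll/": {"read": {"payroll"}, "write": {"payroll"}},
    "/public/": {"read": {"staff"}},
}


def authorization_service(cred, resource, operation):
    """Decide purely from the credential; the mechanism field is ignored on purpose."""
    matches = [prefix for prefix in _POLICY if resource.startswith(prefix)]
    if not matches:
        return False  # no policy attached to this resource: deny by default
    rule = _POLICY[max(matches, key=len)]  # most specific prefix wins (constructed rule)
    return bool(cred.groups & rule.get(operation, set()))


# --- Resource manager with its policy enforcer ---

def resource_manager(cred, resource, operation):
    """Policy enforcer: every request is sent to the authorization service
    before the operation is performed. Returns (status, message)."""
    if cred is None:
        return (401, "authentication required")
    if not authorization_service(cred, resource, operation):
        return (403, "forbidden")
    return (200, f"{operation} {resource} as {cred.user}")


if __name__ == "__main__":
    alice = authenticate_password("alice", "correct horse")
    bob_key = authenticate_secret_key("svc-key-123")
    bob_pw = authenticate_password("bob", "hunter2")
    print(resource_manager(alice, "/payroll/report", "read"))    # (200, ...)
    print(resource_manager(bob_key, "/payroll/report", "read"))  # (403, ...) authenticated, not authorized
    print(resource_manager(bob_pw, "/payroll/report", "read"))   # (403, ...) same decision, other mechanism
    print(resource_manager(bob_pw, "/public/index", "read"))     # (200, ...)
    print(resource_manager(None, "/public/index", "read"))       # (401, ...)
```

The two `bob` calls are the point of the example: the credential produced by the secret-key mechanism and the one produced by the password mechanism lead to the identical authorization decision, because the authorization service never consults `auth_mechanism`. Authentication succeeding (bob is a known user) says nothing about his right to read the payroll resource, which is the distinction the text draws.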