Network-based authorization policy
Use the network-based authorization policy to control access to objects based on the IP address of the user.
- For administration commands (for example, pop modify set ipauth), IPv4 clients must provide addresses in IPv4 format even with IPv6 servers.
- For C APIs, IPv4 clients must provide addresses in IPv4 format even with IPv6 servers.
- For C APIs, IPv6 clients can provide addresses in IPv4 or IPv6 format to IPv6 servers.
- For Java™ methods, both IPv4 and IPv6 clients must provide addresses in IPv4 format to IPv4 servers.
- For Java methods, IPv4 clients can provide addresses in IPv4 or IPv6 format to IPv6 servers.
The network-based authorization policy is set in the IP endpoint authentication method attribute of a POP. You can use this functionality to prevent specific IP addresses or IP address ranges from accessing any resources in your domain. When setting an authorization policy, you can apply requisite step-up configuration.
- Step-up authentication
- Allowed networks
You can also apply step-up authentication configuration to this policy and require a specific authentication method for each specified IP address range. See Step-up authentication.
In this case, the resource manager cannot definitively identify the true IP address of the client. When setting a network-based authorization policy that depends on specific client IP addresses, ensure that those network clients are connecting directly to the resource manager.
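The following added example is a simplified model of a network-based policy with per-range step-up levels, and of why the policy depends on the address the resource manager actually sees. It is not the product's own code. The networks, level numbers, the forbidden default for unlisted networks and the longest-prefix rule are all assumptions made for illustration.

```python
import ipaddress

FORBIDDEN = "forbidden"

# Constructed sample policy: (network, authentication level required).
# Addresses and level numbers are illustrative, not taken from the page.
POLICY = [
    (ipaddress.ip_network("10.1.0.0/16"), 0),
    (ipaddress.ip_network("192.0.2.0/24"), 1),
    (ipaddress.ip_network("2001:db8::/32"), 1),
]
ANY_OTHER_NETWORK = FORBIDDEN  # assumed default for unlisted networks


def normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def required_level(peer_addr, policy=POLICY, default=ANY_OTHER_NETWORK):
    """Return the level required for the address the server sees."""
    ip = normalize(peer_addr)
    matches = [(net.prefixlen, level) for net, level in policy
               if net.version == ip.version and ip in net]
    if not matches:
        return default
    # Model choice: the most specific (longest-prefix) entry wins.
    return max(matches, key=lambda m: m[0])[1]


def decide(peer_addr, session_level):
    """Map (peer address, current authentication level) to an outcome."""
    level = required_level(peer_addr)
    if level == FORBIDDEN:
        return "deny"
    return "permit" if session_level >= level else "step-up"


if __name__ == "__main__":
    # The decision uses the connection's peer address. A client relayed by
    # a proxy at 10.1.5.20 (constructed) is evaluated as 10.1.5.20.
    for peer, lvl in [("192.0.2.10", 0), ("192.0.2.10", 1),
                      ("::ffff:192.0.2.10", 1), ("198.51.100.5", 2),
                      ("10.1.5.20", 0)]:
        print(peer, lvl, decide(peer, lvl))
```

The last sample row shows the condition the page warns about: the policy is evaluated against the intermediary's address, so a rule written for specific client addresses is only meaningful when those clients connect directly.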