Administering protected objects
Define protected objects that reflect the resources that your security policy protects.
Verify Identity Access defines two types of protected objects: container objects and resource objects. Understand these concepts before you create and administer protected objects.
The name of a protected object can be of any length and contain any character. The forward slash (/) character is interpreted to be part of the object hierarchy, which allows ACLs to be attached at the various points that are indicated by the forward slash character.
After you create a protected object, you can specify a security policy for it by defining and attaching ACLs, POPs, authorization rules, or any combination of these entities.
For more information about the Verify Identity Access security concepts, see the IBM Verify Identity Access for Web: Administration Guide.
When you implement protected objects programmatically, use caution. In many cases, the protected object hierarchy is manually designed, built, and tested by a security expert. Carefully review the hierarchy to ensure that the security policy is correctly enforced. If you choose to build protected object hierarchies programmatically, be sure to test and review the settings for each object before you deploy the security environment.
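The hierarchy rule in the paragraphs above (a forward slash marks a point where policy can be attached, and the "effective" ACL, POP or rule for an object is whatever is attached to it or, failing that, to its nearest ancestor) is what makes a programmatically built object space worth reviewing. The following Python model is an added illustration, not the Verify Identity Access API: the product is administered through the ivadmin_protobj_* C functions or the PDProtObject Java class listed in the table below, and every class, function and object name here (ProtObjectSpace, effective, audit, the /WebSEAL/... names and ACL names) is invented for the example. It builds a small hierarchy, resolves effective policy by walking up the slash path, refuses attachments to objects flagged as not policy-attachable, and produces the kind of audit listing a reviewer would want before deployment.

```python
"""Model of a protected object hierarchy with inherited (effective) policy.

Added illustration only: not the Verify Identity Access API (that is
ivadmin_protobj_* in C and PDProtObject in Java). Class, function, object
and policy names are invented for the example. The rule modelled is the
one the effective-ID methods imply: an object's effective ACL, POP or
authorization rule is the one attached to it, otherwise the one attached
to the nearest ancestor on its forward-slash path.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KINDS = ("acl", "pop", "authzrule")


@dataclass
class ProtObject:
    name: str                              # full name, e.g. "/WebSEAL/www-host/app"
    description: str = ""
    policy_attachable: bool = True         # models the isPolicyAttachable flag
    attached: Dict[str, Optional[str]] = field(
        default_factory=lambda: {k: None for k in KINDS}
    )


def parent_of(name: str) -> Optional[str]:
    """One step up the slash hierarchy: '/a/b/c' -> '/a/b', '/a' -> '/', '/' -> None."""
    if name == "/":
        return None
    head = name.rstrip("/").rpartition("/")[0]
    return head or "/"


class ProtObjectSpace:
    def __init__(self, root_acl: str = "default-root") -> None:
        # The root object always exists; the root ACL name is an assumption of the model.
        self.objects: Dict[str, ProtObject] = {"/": ProtObject("/")}
        self.objects["/"].attached["acl"] = root_acl

    def exists(self, name: str) -> bool:
        return name in self.objects

    def create(self, name: str, description: str = "",
               policy_attachable: bool = True) -> ProtObject:
        if not name.startswith("/") or name in self.objects:
            raise ValueError(f"bad or duplicate object name: {name}")
        obj = ProtObject(name, description, policy_attachable)
        self.objects[name] = obj
        return obj

    def attach(self, kind: str, name: str, policy_id: str) -> None:
        """Attach an ACL, POP or rule; refused where the object is not policy-attachable."""
        obj = self.objects[name]
        if not obj.policy_attachable:
            raise PermissionError(f"{name} is not policy-attachable")
        obj.attached[kind] = policy_id

    def detach(self, kind: str, name: str) -> None:
        self.objects[name].attached[kind] = None

    def effective(self, kind: str, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (policy_id, object it came from): own attachment first, else the
        nearest ancestor's. Ancestors never created as objects are skipped."""
        node: Optional[str] = name
        while node is not None:
            obj = self.objects.get(node)
            if obj is not None and obj.attached[kind] is not None:
                return obj.attached[kind], node
            node = parent_of(node)
        return None, None

    def list_children(self, name: str) -> List[str]:
        """Objects directly contained under `name` (what a list call returns)."""
        return sorted(n for n in self.objects if n != "/" and parent_of(n) == name)

    def list_by(self, kind: str, policy_id: str) -> List[str]:
        """Objects with the given policy attached directly (a list-by-ACL style query)."""
        return sorted(n for n, o in self.objects.items() if o.attached[kind] == policy_id)

    def audit(self) -> List[Tuple[str, Optional[str], Optional[str]]]:
        """The review step: for every object, the ACL in effect and where it comes from.
        Rows whose source is an ancestor are the ones a reviewer should confirm."""
        return [(n, *self.effective("acl", n)) for n in sorted(self.objects)]


def build_example_space() -> ProtObjectSpace:
    """Constructed sample hierarchy; all names are invented for the example."""
    s = ProtObjectSpace()
    s.create("/WebSEAL")
    s.create("/WebSEAL/www-host", "junction root")
    s.create("/WebSEAL/www-host/app")
    s.create("/WebSEAL/www-host/app/admin")
    s.create("/WebSEAL/www-host/app/reports")          # no ACL of its own
    s.create("/WebSEAL/www-host/static", policy_attachable=False)
    s.attach("acl", "/WebSEAL", "default-webseal")
    s.attach("acl", "/WebSEAL/www-host/app", "app-users")
    s.attach("acl", "/WebSEAL/www-host/app/admin", "admins-only")
    s.attach("pop", "/WebSEAL/www-host/app", "require-tls")
    return s


if __name__ == "__main__":
    space = build_example_space()
    for name, acl, source in space.audit():
        note = "" if source == name else f"  (inherited from {source})"
        print(f"{name:<35} {acl}{note}")
```

Running the audit shows that /WebSEAL/www-host/app/reports is governed by app-users and /WebSEAL/www-host by default-webseal, neither of which was attached to those objects directly. That is exactly the class of result the review step is meant to surface: an object that was created without its own ACL silently takes on whatever its nearest ancestor carries, and detaching an ACL from a child widens access back to the parent's policy rather than closing it.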
Table 1 lists the C functions and Java methods available to administer protected objects. Java entries written as "PDProtObject object.method" are called on an instance of PDProtObject; the other Java entries are called on the PDProtObject class itself.

| C function | Java method | Description |
|---|---|---|
| ivadmin_protobj_attachacl() | PDProtObject.attachAcl | Attaches the specified access control list to the specified protected object. |
| | PDProtObject.attachPop | Attaches a POP to the specified protected object. |
| ivadmin_protobj_attachauthzrule() | PDProtObject.attachAuthzRule | Attaches an authorization rule to the specified protected object. |
| ivadmin_protobj_create() | PDProtObject.createProtObject | Creates a Verify Identity Access protected object. |
| ivadmin_protobj_delete() | PDProtObject.deleteProtObject | Deletes the specified Verify Identity Access protected object. |
| ivadmin_protobj_detachacl() | PDProtObject.detachAcl | Detaches the access control list from the specified protected object. |
| | PDProtObject.detachPop | Detaches a POP from the specified protected object. |
| ivadmin_protobj_detachauthzrule() | PDProtObject.detachAuthzRule | Detaches an authorization rule from the specified protected object. |
| ivadmin_protobj_get3() | PDProtObject constructor | C: gets the specified protected object. Java: instantiates the specified protected object; if no protected object with the specified name exists, the instance carries default values. To determine whether a protected object exists, use PDProtObject.exists. |
| ivadmin_protobj_getaclid() | PDProtObject object.getAclId | Gets the name of the ACL attached to the specified protected object. |
| ivadmin_protobj_geteffaclid() | PDProtObject object.getEffectiveAclId | Gets the name of the ACL in effect for the specified protected object. |
| ivadmin_protobj_getpopid() | PDProtObject object.getPopId | Gets the name of the POP attached to the specified protected object. |
| ivadmin_protobj_geteffpopid() | PDProtObject object.getEffectivePopId | Gets the name of the POP in effect for the specified protected object. |
| ivadmin_protobj_getauthzruleid() | PDProtObject object.getAuthzRuleId | Gets the name of the authorization rule object that is attached to the specified protected object. |
| ivadmin_protobj_geteffauthzruleid() | PDProtObject object.getEffectiveAuthzRuleId | Gets the name of the authorization rule object that is in effect for the specified protected object. |
| ivadmin_protobj_getdesc() | PDProtObject object.getDescription | Gets the description of the specified protected object. |
| ivadmin_protobj_getid() | PDProtObject object.getId | Gets the name of the specified protected object. |
| ivadmin_protobj_getpolicyattachable() | PDProtObject object.isPolicyAttachable | Indicates whether a protected object policy or access control list can be attached to the specified protected object. |
| ivadmin_protobj_exists() | PDProtObject object.exists | Indicates whether a protected object exists. |
| ivadmin_protobj_access() | PDProtObject object.access | Indicates whether a specific action on a specific object is permitted. |
| ivadmin_protobj_multiaccess() | PDProtObject object.multiAccess | Indicates whether the specified actions on the specified objects are permitted. |
| | PDProtObject.listProtObjectsByPop | Returns a list of protected objects that have the specified protected object policy (POP) attached. |
| ivadmin_protobj_list3() | PDProtObject.listProtObjects | Returns the protected objects contained under the specified directory. |
| ivadmin_protobj_listbyacl() | PDProtObject.listProtObjectsByAcl | Returns a list of protected objects that have the specified access control list attached. |
| ivadmin_protobj_listbyauthzrule() | PDProtObject.listProtObjectsByAuthzRule | Returns a list of protected objects that have the specified authorization rule attached. |
| ivadmin_protobj_setdesc() | PDProtObject.setDescription | Sets the description field of the specified protected object. |
| ivadmin_protobj_setpolicyattachable() | PDProtObject.setPolicyAttachable | Sets whether a protected object policy or access control list can be attached to the specified protected object. |
| ivadmin_protobj_settype() | | Sets the type of the specified protected object. |
For detailed reference information about these methods, see the Javadoc HTML documentation.