Security policy overview

The goal of any security policy is to adequately protect business assets and resources with a minimal amount of administrative effort. High-level steps include determining which resources to protect and the level of access that users get to those resources.

  1. Define what resources need to be protected. Protected resources might be any type of data object, such as files, directories, network servers, messages, databases, or web pages.
  2. Determine what users and groups of users can access these protected resources. Also consider what type of access to these resources is permitted.
  3. Apply the appropriate security policy on these resources to ensure that only the right users can access them.

The enforcement of the security policy is the job of the resource manager. The resource manager calls the Security Access Manager authorization service with the credentials of the user that makes the request. The call includes the type of access wanted and the object to be accessed. The credential provides detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used for a multitude of services, such as authorization, auditing, and delegation.

The authorization service is also called the authorization engine. The authorization service uses the security policy to determine whether the request is allowed or denied. The request might also be conditionally allowed pending additional verification by the resource manager. The resource manager takes the recommendation of the authorization service. The resource manager performs any additional verification actions and ultimately either denies the request or permits the request to be processed.

For example, suppose that John wants to access a particular web page that is on a website protected by Security Access Manager WebSEAL. WebSEAL is a resource manager that manages and protects web-based information and resources. It must decide whether "John" can access that page. The resource manager obtains the credentials for John, and then asks the authorization service whether John has read access to the web page. The authorization service checks the security policy and determines that John is permitted access. The service responds to the resource manager that the request is granted. The resource manager then directs the request to the appropriate back-end web server, which provides the web page.
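
The decision flow described above, modeled as an added example; it is not code from Security Access Manager and does not use its authorization API. The policy layout, the class and function names, the users other than John, and the extra-verification callback are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    CONDITIONAL = "conditional"  # allowed pending extra verification

@dataclass(frozen=True)
class Credential:
    """Identity attributes acquired during authentication."""
    user: str
    groups: frozenset = frozenset()

@dataclass
class AuthorizationService:
    # Hypothetical policy store: object -> {"user:x" / "group:y" -> access types}
    policy: dict
    verify_first: set = field(default_factory=set)  # objects needing extra verification

    def decide(self, cred, access, obj):
        entries = self.policy.get(obj, {})  # unknown object has no entries
        principals = {f"user:{cred.user}"} | {f"group:{g}" for g in cred.groups}
        if not any(access in entries.get(p, ()) for p in principals):
            return Decision.DENY  # nothing grants it, so deny by default
        return Decision.CONDITIONAL if obj in self.verify_first else Decision.PERMIT

class ResourceManager:
    """Enforcement point: asks the service, then enforces the outcome."""
    def __init__(self, service, extra_check):
        self.service = service
        self.extra_check = extra_check  # callable(cred, obj) -> bool
        self.audit = []  # one record per request, permitted or not

    def handle(self, cred, access, obj):
        decision = self.service.decide(cred, access, obj)
        allowed = decision is Decision.PERMIT or (
            decision is Decision.CONDITIONAL and self.extra_check(cred, obj))
        self.audit.append((cred.user, access, obj, decision.value, allowed))
        return allowed

# Constructed sample policy and users
service = AuthorizationService(
    policy={"/site/page.html": {"user:john": {"read"}},
            "/site/payroll.html": {"group:hr": {"read"}}},
    verify_first={"/site/payroll.html"})
verified = {"mary"}  # users who passed the (hypothetical) extra verification
rm = ResourceManager(service, lambda cred, obj: cred.user in verified)
john = Credential("john")
mary = Credential("mary", frozenset({"hr"}))
raj = Credential("raj", frozenset({"hr"}))
```

The user and group prefixes keep a user named like a group from inheriting that group's access, and the audit list records denied requests as well as permitted ones.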

The security policy in Security Access Manager is defined through the use of access control lists (ACLs), protected object policies (POPs), and authorization rules.