Policy information points gather information from the request
or other sources, such as databases.
The appliance provides several policy information points that are
configured to use data from the request. You can use the predefined
attributes from these policy information points in your policy
evaluations. For more information about predefined attributes, see
Predefined attributes.
Note: You cannot delete or modify these preconfigured PIPs through the
local management interface. However, you can modify a few settings
for some of them with the advanced configuration properties.
See Advanced configuration properties for details.
- Session attribute PIP
- Returns attributes that are related to session information, such
as browser information and device characteristics.
- GeoLocation attribute PIP
- Returns geographic location attributes, such as the city and country
code where the device is located.
- Risk Calculator PIP
- Returns the RiskScore attribute.
- IP Reputation PIP
- Returns the IP address reputation score.
- User Fingerprint Count PIP
- Returns the number of fingerprints that are registered for a user.
The appliance also supports a PIP that uses data from outside of
the appliance. You must configure this PIP before you can use it
and the attributes it returns. See Managing policy information points.
- RESTful Web Service PIP
- Returns attributes from data that is obtained from a RESTful web
service that is hosted outside of the appliance. You can configure
multiple instances of this PIP to access different web services.
- JavaScript PIP
- Returns attributes from data that is obtained from:
  - WebSEAL or Web Reverse Proxy data such as HTTP headers or POST data in the request
  - Other PIPs
  The JavaScript PIP processes this unstructured data and parses it so that the
  administrator can use it to write authorization policies and risk policies.
- Database PIP
- Returns attributes from data that is hosted outside of the appliance by using SQL
SELECT query statements. You can define information points for the following types of databases:
You can configure more than one database policy information point instance so that different
data sources can be accessed. Within the configuration, you define a query that can allow multiple
attributes to be populated. You can then define a policy that relies on the custom attributes that
you created.
- LDAP PIP
- Obtains attributes from a registry hosted outside of the appliance by using LDAP searches. For
example, you might want to determine dynamically the credit limit for a user that triggers higher
authentication requirements. To make such a determination, a customer directory or database is
consulted. An LDAP PIP provides the following function:
  - Multiple instances of a configuration are allowed so that different registries can be accessed.
  - Multiple attributes can be populated from a single search.
  - Support for Active Directory, IBM Security Director Server, Oracle Directory Server, and any LDAP v3 compliant server.
  For SSL connections to the LDAP server, only server authentication is supported.
- Fiberlink MaaS360 PIP
- Enables the use of device attributes from registered devices in MaaS360 in access policies.
Separate PIPs are available for browser-based web applications and MaaS360 SDK-based applications or
wrapped apps. You can use either PIP to populate the MaaS360 attributes in access policy. For
complete instructions on how to set up your appliance to integrate with Fiberlink MaaS360, see http://www.ibm.com/support/docview.wss?uid=swg24038325. The .zip file
contains an integration guide PDF file.