Authorization rules evaluator
The authorization rules evaluator evaluates authorization rules within the constraints that are required by the authorization engine.
The authorization rules evaluator takes the rule policy that is
attached to the target protected object and evaluates the rule by
calling the XSL processor. The input XML document for the transformation
defines how the authorization engine retrieves the access decision
information (ADI) from the following sources:
- Entitlements in the credential of the user who requests the authorization
- Application context information that is passed in by the access decision call (passed in by the resource manager)
- Security Verify Access authorization engine context
- Dynamic ADI retrieval entitlement services
The authorization engine expects the rules evaluation to result
in the return of one of the string identifiers shown in Table 1. Delimiting
the identifiers with an exclamation point (!) makes them distinctive, so
that when an XSL rule is written incorrectly and the evaluation returns
some other text, the evaluator can identify the errant case instead of
misreading the text as a decision.
The identifiers must be the only text in the output document,
although they can be surrounded by white space. If a value other than
the defined valid values, or an empty document, is returned, the access
decision fails and an error code is returned to the resource manager to
indicate that the rule is not compliant.
The format of an authorization rule is outlined in Format and constraints of rules.
| Result identifier | Meaning |
|---|---|
| !TRUE! | Access is permitted. |
| !FALSE! | Access is denied. |
| !INDIFFERENT! | The rules engine has no opinion. |
In addition, the maximum length of any result text that is returned
by a rule evaluation is limited to 1023 characters. A rule that returns
more text than this limit causes the access decision to fail at run
time with the minor error code ivacl_s_rule_result_string_too_large.