You can use the subject and resource oauthScope attributes as part of an access control decision for a resource.
Before you begin
- Create a reverse proxy instance.
- Run the isamcfg tool. You must configure both the access control policy and the API protection capabilities.
- Determine the access control resources that your policies must be attached to. If the resources do not exist, add them.
About this task
To use the OAuth attributes in an access control decision, you must attach the access control policy and the API protection definition in the proper locations in the protected object space.
Procedure
1. Create an access control policy. Specify the oauthScopeResource attribute, the oauthScopeSubject attribute, or both, in one or more rules for this policy. See Creating an access control policy.
2. Attach the access control policy to an object in the protected object space. See Managing policy attachments.
3. Create an API protection definition. See Creating an API protection definition.
4. Register an API client that uses the API protection definition you created in step 3. See Registering an API protection client.
5. Attach the API protection definition to an object in the protected object space. See Managing policy attachments.
   When you attach the definition to a resource, the resource must be at a level lower than where the access control policy is attached in step 2. The term lower means farther away from the root of the protected object space. For example, in the resource tree jct/dir1/dir2/protected_resource, you can attach the access control policy to /jct. Then, attach the API protection definition to /jct/dir1.
6. Deploy the pending changes.
Results
The access decision for a resource at or below the object where the API protection definition is attached involves the oauthScope attributes that were defined in the access control policy.
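The placement rule from step 5 (the API protection definition must sit farther from the root than the access control policy) and the Results statement above can both be checked mechanically. The following Python is an added example, not part of this page or of IBM Security Access Manager: it models the protected object space as a map of attachment paths, walks up the tree to find the nearest attachment of each kind for a resource, and reports attachments that violate the rule. The names `Attachments`, `oauth_scope_applies` and `placement_errors` are hypothetical, and the sample tree is the jct/dir1/dir2/protected_resource tree from the example.

```python
"""Model of attachment placement in a protected object space.

Constructed example, not product code. An access control policy and an API
protection definition are each attached to an object path; a resource is
governed by the nearest attachment at or above it. The oauthScope attributes
only take part in a decision when an API protection definition is attached
at or above the resource, strictly lower (farther from the root) than the
access control policy that uses those attributes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Attachments:
    """Hypothetical container: object-space path -> attached policy/definition name."""
    access_control: dict[str, str] = field(default_factory=dict)
    api_protection: dict[str, str] = field(default_factory=dict)


def _normalize(path: str) -> str:
    """Accept 'jct/dir1' or '/jct/dir1/' and return '/jct/dir1'; root stays '/'."""
    return "/" + path.strip("/")


def _ancestors(path: str) -> Iterator[str]:
    """Yield the path itself, then each ancestor up to and including '/'."""
    p = _normalize(path)
    while True:
        yield p
        if p == "/":
            return
        p = p.rsplit("/", 1)[0] or "/"


def depth(path: str) -> int:
    """Number of levels below the root: '/' -> 0, '/jct' -> 1, '/jct/dir1' -> 2."""
    p = _normalize(path)
    return 0 if p == "/" else p.count("/")


def nearest_attachment(table: dict[str, str], resource: str) -> Optional[tuple[str, str]]:
    """Return (attachment_path, name) of the closest attachment at or above resource."""
    normalized = {_normalize(k): v for k, v in table.items()}
    for p in _ancestors(resource):
        if p in normalized:
            return p, normalized[p]
    return None


def oauth_scope_applies(att: Attachments, resource: str) -> bool:
    """True when a decision for `resource` involves the oauthScope attributes.

    Requires an access control policy and an API protection definition both
    attached at or above the resource, with the definition attached lower.
    """
    acl = nearest_attachment(att.access_control, resource)
    api = nearest_attachment(att.api_protection, resource)
    if acl is None or api is None:
        return False
    return depth(api[0]) > depth(acl[0])


def placement_errors(att: Attachments) -> list[str]:
    """List API protection attachments that are not strictly below an access control policy."""
    errors = []
    for api_path, api_name in att.api_protection.items():
        above = nearest_attachment(att.access_control, api_path)
        if above is None or depth(above[0]) >= depth(api_path):
            errors.append(f"{api_name} at {api_path} is not below an access control policy")
    return errors


if __name__ == "__main__":
    # Constructed sample matching the page's example tree.
    good = Attachments(access_control={"/jct": "oauth-scope-policy"},
                       api_protection={"/jct/dir1": "oauth-api-definition"})
    for res in ("jct/dir1/dir2/protected_resource", "/jct/other"):
        print(res, "-> oauthScope attributes involved:", oauth_scope_applies(good, res))
    print("placement errors:", placement_errors(good))

    # Reversed placement: definition above the policy violates the rule.
    bad = Attachments(access_control={"/jct/dir1": "oauth-scope-policy"},
                      api_protection={"/jct": "oauth-api-definition"})
    print("placement errors:", placement_errors(bad))
```

Run the file directly to see the page's example resolve: the protected resource under /jct/dir1 picks up both attachments, while a sibling path under /jct that is outside the API protection attachment does not involve the oauthScope attributes at all.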