Authorization rules
An authorization rule policy specifies which security policy applies to an object based on various conditions, such as context and environment.
Each authorization rule policy has a unique name and can be applied to multiple objects within a domain.
You define authorization rules in a way similar to definitions of ACL policies and POPs. You specify conditions that must be met before access to a protected object is permitted. You create an authorization rule with a number of conditions. These conditions are based on data supplied to the authorization engine in the user credential from several sources. The conditions can be based on data from the resource manager application and from the encompassing business environment. These conditions are evaluated as a Boolean expression to determine whether access to the object must be granted or denied.
You can work with complex, structured data by using the language of an authorization rule. You can examine values in the rule data and make informed access decisions. You can define the data for an access decision statically within the system or during a business process. Authorization rules provide the flexibility of a policy defined by an external authorization service. Unlike an external authorization service, you do not have to build an external authorization service into a shared library plug-in to use the authorization rules.
How authorization rules differ
ACL policies use a predefined set of operations to control which users and groups have permission to do operations on a protected object. Rules decide whether to grant access based on the attributes of a user or object and the context and environment.
For example, the ability of a user to read data associated with an object is either granted or denied by an ACL policy. POPs apply to all users and groups and control conditions that are specific to a particular protected object. For example, time-of-day access excludes all users and groups from accessing an object outside of the times set in the time-of-day policy.
Unlike ACL policies, authorization rules determine whether to allow access based on the attributes of a person or object. The authorization rules also take into account the context and environment that surrounds the access decision. For example, you can use a rule to implement a time-of-day policy that depends on the user or group. You can use an authentication rule to extend the controls provided by the ACL policies to implement a more advanced policy. For example, you can develop a policy based on quotas.
An ACL policy can grant a group permission to write to a resource. A rule can extend the policy. For example, a rule can evaluate whether a group exceeds a specified quota before it permits the group to write to a resource.
When to use authorization rules
In the authorization process, the entire security policy (ACL policies, POPs, and authorization rules) must permit access to the protected object before access is granted. Authorization rules provide the flexibility to extend an ACL policy or POP by tailoring the security policy to your needs.
Authorization rules can extend a policy implemented by other Security Access Manager policy types. These rules are not merely extensions of the existing policy types. An authorization rule is a policy type that is robust enough to replace the ACL policy and POP. Using ACL policies and POPs generally provides better performance. Use an authorization rule to complement these policies instead of replacing them.