Authorization
The API Access Control component introduces a new objectspace named /WebSEAL_API. The new objectspace is used to contain the protected objects that represent both resource servers and resources (described below). The hierarchy of the protected objects in this objectspace resembles the WebSEAL objectspace:
/WebSEAL_API/<hostname>-<instance_name>/<resource_server>/<resource>

The objectspace is managed by the API Access Control component and any requests made to a protected API will use it in the authorization decision. The protected object used in the access control decision depends upon the configuration of the API Access Control policy.
- If a non-default policy is applied to the API Access Control resource, the ACL and/or POP that is attached to the resource protected object is used for the access control decision.
- If a non-default policy is applied to the API Access Control resource server, the ACL and/or POP attached to the resource server protected object is used for the access control decision.
- If the default policy is specified for the resource and resource server, the ACL and/or POP attached to the WebSEAL junction protected object is used for the access control decision.
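The selection rule in the list above can be turned into a small audit that reports which protected object governs each resource and which resources fall through to the junction ACL/POP. This is an added example, not IBM's code. It assumes the resource policy is checked before the resource server policy (the order of the list), that the junction object is named /WebSEAL/<hostname>-<instance_name>/<junction>, and that the junction shares the resource server's name; the host and resource names are constructed.

```python
from dataclasses import dataclass

API_ROOT = "/WebSEAL_API"  # objectspace introduced by API Access Control
WEB_ROOT = "/WebSEAL"      # assumed root of the WebSEAL junction objects

@dataclass(frozen=True)
class Resource:
    name: str              # <resource> segment (constructed sample value)
    default_policy: bool   # True when the resource uses the default policy

@dataclass(frozen=True)
class ResourceServer:
    host: str
    instance: str
    name: str              # <resource_server>; assumed equal to the junction name
    default_policy: bool
    resources: tuple = ()

def _join(*parts):
    # Build an object name from segments, tolerating stray slashes.
    return "/" + "/".join(p.strip("/") for p in parts if p.strip("/"))

def governing_object(server, resource):
    """Return (level, protected_object) whose ACL/POP decides access."""
    base = f"{server.host}-{server.instance}"
    if not resource.default_policy:
        return "resource", _join(API_ROOT, base, server.name, resource.name)
    if not server.default_policy:
        return "resource_server", _join(API_ROOT, base, server.name)
    return "junction", _join(WEB_ROOT, base, server.name)

def audit(server):
    """Map each resource to its governing object; list junction fall-throughs."""
    decisions = {r.name: governing_object(server, r) for r in server.resources}
    inherited = sorted(n for n, (lvl, _) in decisions.items() if lvl == "junction")
    return decisions, inherited

# Constructed sample: one resource with its own policy, one left on default.
SAMPLE = ResourceServer(
    host="isva.example.com", instance="default", name="api", default_policy=True,
    resources=(Resource("accounts", False), Resource("health", True)),
)

if __name__ == "__main__":
    for name, (level, obj) in audit(SAMPLE)[0].items():
        print(f"{name:10} {level:16} {obj}")
```

Resources reported at the `junction` level are protected only by whatever ACL and POP the junction carries, so they are the ones to review when tightening API policy.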
The following diagram shows the flow of the protected objects used in an access control decision when the default policy is applied to the resource and resource server.