Policy information points
Policy information points (PIPs) gather information from the request or other sources. The appliance provides several PIPs configured to use data from the request. We can use the predefined attributes from these PIPs in the policy evaluations. We cannot delete or modify these preconfigured PIPs through the local management interface. However, we can modify a few settings for some of them with the advanced configuration properties.
Session attribute PIP: Returns attributes related to session information, such as browser information and device characteristics.
GeoLocation attribute PIP: Returns geographic location attributes, such as the city and country code where the device is located.
Risk Calculator PIP: Returns the RiskScore attribute.
IP Reputation PIP: Returns the IP address reputation score.
User Fingerprint Count PIP: Returns the number of fingerprints registered for a user.
The appliance also supports PIPs that use data from outside of the appliance.
RESTful Web Service PIP: Returns attributes from data that is obtained from a RESTful web service that is hosted outside of the appliance. We can configure multiple instances of this PIP to access different web services.
JavaScript PIP: Returns attributes from data that is obtained from:
- WebSEAL or web reverse proxy data such as HTTP headers or POST data in the request
- Other PIPs
The JavaScript PIP processes this unstructured data and parses it so the administrator can use it to write authorization policies and risk policies.
Database PIP: Returns attributes from data that is hosted outside of the appliance by using SQL SELECT query statements. We can define information points for the following types of databases:
- DB2®
- Oracle
We can configure more than one database policy information point instance so that different data sources can be accessed. Within the configuration, we define a query that can allow multiple attributes to be populated. We can then define a policy that relies on the custom attributes that we created.
LDAP PIP: Obtains attributes from a registry hosted outside of the appliance by using LDAP searches. For example, we might want to dynamically determine the credit limit for a user, where a higher limit triggers higher authentication requirements. To make such a determination, a customer directory or database is consulted. An LDAP PIP provides the following functions:
- Multiple instances of a configuration are allowed so that different registries can be accessed.
- Multiple attributes can be populated from a single search.
- Support for Active Directory, IBM Security Directory Server, Oracle Directory Server, and any LDAP v3 compliant server.
For SSL connections to the LDAP server, only server authentication is supported.
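The following is an added illustration, not IBM's JavaScript PIP API or any code from this product, of what the JavaScript PIP and LDAP PIP sections describe: unstructured request data (HTTP headers, URL-encoded POST data) and attributes returned by other PIPs (a credit limit from LDAP, the RiskScore from the Risk Calculator) are parsed into named attributes, and a policy then consumes them, stepping up authentication for a high credit limit or a high risk score. The function names, attribute names, thresholds and the "deny when the amount exceeds the limit" rule are assumptions added here, and the code keeps request-supplied values (which the client controls) separate from appliance-side values so the policy can treat them differently.

```javascript
// Assumed names throughout: buildAttributes, evaluatePolicy, creditLimit, RiskScore.
function parsePostData(body) {
  // application/x-www-form-urlencoded -> plain object. decodeURIComponent throws on a
  // malformed %-escape, so a bad field is skipped instead of failing the whole PIP.
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const idx = pair.indexOf("=");
    const k = idx < 0 ? pair : pair.slice(0, idx);
    const v = idx < 0 ? "" : pair.slice(idx + 1);
    try {
      out[decodeURIComponent(k.replace(/\+/g, " "))] = decodeURIComponent(v.replace(/\+/g, " "));
    } catch (e) { /* malformed escape: drop this field */ }
  }
  return out;
}

function buildAttributes(request, otherPips) {
  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(request.headers || {})) headers[k.toLowerCase()] = v;
  const form = parsePostData(request.postData || "");
  const amount = Number(form.amount);
  return {
    // Request-derived: supplied by the client, so treated as hints only.
    userAgent: headers["user-agent"] || "",
    transactionAmount: Number.isFinite(amount) && amount >= 0 ? amount : null,
    // From other PIPs (LDAP, Risk Calculator): resolved on the appliance side.
    creditLimit: Number(otherPips.creditLimit),
    riskScore: Number(otherPips.RiskScore),
  };
}

function evaluatePolicy(attrs, thresholds) {
  // Unparsable request data: refuse rather than guess.
  if (attrs.transactionAmount === null) return "deny";
  // A PIP lookup that failed (NaN) is treated as unknown risk: fail closed to step-up.
  if (!Number.isFinite(attrs.creditLimit) || !Number.isFinite(attrs.riskScore)) return "step-up";
  if (attrs.transactionAmount > attrs.creditLimit) return "deny";
  // The page's LDAP example: a high credit limit triggers stronger authentication.
  if (attrs.creditLimit >= thresholds.creditLimitStepUp) return "step-up";
  if (attrs.riskScore >= thresholds.riskStepUp) return "step-up";
  return "permit";
}
```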
Fiberlink MaaS360 PIP: Enables the use of device attributes from registered devices in MaaS360 in access policies. Separate PIPs are available for browser-based web applications and MaaS360 SDK-based applications or wrapped apps. We can use either PIP to populate the MaaS360 attributes in access policy. See IBM Security Access Manager for IBM MaaS360. The .zip file contains an integration guide PDF file.
See also
- Manage policy information points
- Server connection properties
- Manage server connections
- RESTful web service PIP
- JavaScript PIP
- Database PIP
- LDAP PIP
- Fiberlink MaaS360 PIP
- QRadar UBA PIP