Authorization rules
An authorization rule specifies the policy that applies to an object based on various conditions, such as context and environment. Each authorization rule has a unique name and can be applied to multiple objects in a domain.
Like ACL policies and POPs, authorization rules are defined to specify conditions that must be met before access to a protected object is permitted. An authorization rule is created from a number of Boolean conditions. The conditions are evaluated against data that is supplied to the authorization service in the user credential. Data might also be supplied by the resource manager or by the encompassing business environment. The rule language allows customers to work with complex, structured data by examining the values in that data and making informed access decisions. This information can be defined statically in the system or defined during a business process. Authorization rules can be used to implement extensible attribute-based authorization policy using attributes from the business environment or attributes from trusted external sources.
The authorization rule is stored as a text rule in a rule policy object. The rule is attached to a protected object in the same way and with similar constraints as ACL policies and POPs.
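The following Python sketch is an added example, not code from the product or from this page, that models the behaviour described above: named rules built from Boolean conditions over the user credential, data from the resource manager and data from the environment, kept in a rule policy store and attached to protected objects. Every name in it (AuthorizationRule, authorize, the object names under /WebSEAL, the sample attributes and the sample users) is hypothetical. It also makes two assumptions the page does not state: an attached rule applies to descendant objects unless a nearer rule is attached, mirroring how ACL attachment is usually understood, and a condition that references data the authorization service was never given is treated as a denial rather than as a pass.

```python
"""Toy attribute-based authorization rule evaluator (illustrative only)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple

# The context a rule sees: credential attributes, resource-manager data
# and environment data, each as its own dictionary.
Context = Dict[str, Dict[str, Any]]
Condition = Callable[[Context], bool]


@dataclass(frozen=True)
class AuthorizationRule:
    """A uniquely named rule: a conjunction of Boolean conditions."""
    name: str
    conditions: Tuple[Condition, ...]

    def evaluate(self, ctx: Context) -> Tuple[str, str]:
        """Return ('permit' | 'deny', reason). Every condition must hold."""
        for index, condition in enumerate(self.conditions):
            try:
                if not condition(ctx):
                    return "deny", f"{self.name}: condition {index} is false"
            except (KeyError, TypeError) as exc:
                # Data the condition needs was not supplied (missing credential
                # attribute, resource-manager value or environment value).
                # Assumption: fail closed rather than let the rule pass.
                return "deny", f"{self.name}: condition {index} could not be evaluated ({exc!r})"
        return "permit", f"{self.name}: all conditions are true"


# Rule policy store (name -> rule) and attachments (protected object -> rule name).
RULE_POLICIES: Dict[str, AuthorizationRule] = {}
ATTACHMENTS: Dict[str, str] = {}


def define_rule(rule: AuthorizationRule) -> None:
    """Store a rule; rule names must be unique within the domain."""
    if rule.name in RULE_POLICIES:
        raise ValueError(f"rule {rule.name!r} already exists")
    RULE_POLICIES[rule.name] = rule


def attach_rule(object_name: str, rule_name: str) -> None:
    """Attach an existing rule to a protected object (one rule per object)."""
    if rule_name not in RULE_POLICIES:
        raise KeyError(f"unknown rule {rule_name!r}")
    ATTACHMENTS[object_name] = rule_name


def effective_rule(object_name: str) -> Optional[AuthorizationRule]:
    """Nearest attached rule walking up the object space (assumed inheritance)."""
    node = object_name
    while True:
        if node in ATTACHMENTS:
            return RULE_POLICIES[ATTACHMENTS[node]]
        if node in ("", "/"):
            return None
        node = node.rsplit("/", 1)[0] or "/"


def authorize(object_name: str, credential: Dict[str, Any],
              resource_data: Dict[str, Any], environment: Dict[str, Any]) -> Tuple[str, str]:
    """Apply the effective rule for a protected object to the supplied data."""
    rule = effective_rule(object_name)
    if rule is None:
        # No rule attached: only ACL and POP checks (not modelled here) decide.
        return "permit", "no authorization rule attached"
    return rule.evaluate({"credential": credential, "resource": resource_data,
                          "environment": environment})


# Two hypothetical rules: one over credential plus environment, one over
# credential plus data supplied by the resource manager.
FINANCE_HOURS = AuthorizationRule(
    name="finance-business-hours",
    conditions=(
        lambda ctx: "finance" in ctx["credential"]["groups"],
        lambda ctx: ctx["credential"]["auth_level"] >= 2,
        lambda ctx: 9 <= ctx["environment"]["hour"] < 18,
    ),
)
OWNER_ONLY = AuthorizationRule(
    name="document-owner-only",
    conditions=(lambda ctx: ctx["credential"]["principal"] == ctx["resource"]["owner"],),
)

define_rule(FINANCE_HOURS)
define_rule(OWNER_ONLY)
attach_rule("/WebSEAL/app/finance", "finance-business-hours")
attach_rule("/WebSEAL/app/finance/personal", "document-owner-only")

# Constructed sample data: credentials, resource-manager data and environments.
ALICE = {"principal": "alice", "groups": ["finance", "staff"], "auth_level": 2}
BOB = {"principal": "bob", "groups": ["staff"], "auth_level": 2}
REPORT = {"owner": "alice", "classification": "internal"}
OFFICE_HOURS = {"hour": 14, "network": "corp"}
AFTER_HOURS = {"hour": 22, "network": "vpn"}


if __name__ == "__main__":
    for obj, cred, env in (("/WebSEAL/app/finance/reports", ALICE, OFFICE_HOURS),
                           ("/WebSEAL/app/finance/reports", ALICE, AFTER_HOURS),
                           ("/WebSEAL/app/finance/personal/notes", BOB, OFFICE_HOURS),
                           ("/WebSEAL/app/finance/reports", ALICE, {"network": "corp"})):
        print(obj, cred["principal"], authorize(obj, cred, REPORT, env))
```

The last case in the usage block is the one worth noting when writing real rules: a condition that depends on an environment value the authorization service was never given cannot be evaluated, and the safe outcome is a denial with a reason that names the failing condition, so the missing data shows up in the audit trail instead of silently granting access.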