Authorization rules evaluator

The authorization rules evaluator evaluates authorization rules within the constraints required by the authorization engine. It takes the rule policy attached to the target protected object and evaluates the rule by calling the XSL processor. The input XML document for the transformation defines how the authorization engine can retrieve one of the following sources of authorization decision information (ADI):

The authorization engine expects the rule evaluation to return one of a fixed set of string identifiers. Each identifier is delimited with an exclamation point (!) so that a proper result remains distinguishable from stray text that an incorrectly written XSL rule might emit; the delimiters are what let the evaluator recognise such errant cases.

The identifiers must be the only text in the output document, although they can be surrounded by white space. If the rule returns a value other than one of the defined valid values, or returns an empty document, the access decision fails and an error code is returned to the resource manager to indicate that the rule is not compliant. The format of an authorization rule is outlined in Format and constraints of rules.

In addition, the maximum length of any result text returned by a rule evaluation is limited to 1023 characters. Rules that return more text than this limit cause the access decision to fail at run time with a minor error code of ivacl_s_rule_result_string_too_large.
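The result-handling constraints above (a single delimited identifier, optional surrounding white space, empty or unrecognised output treated as non-compliant, and the 1023-character limit) can be captured in a small validator. The following is an added illustration written for this page; it is not the product's own evaluator code. The identifier set `!TRUE!`, `!FALSE!` and `!INDIFFERENT!` is an assumption to be checked against the rule-format reference, and `RULE_NOT_COMPLIANT_PLACEHOLDER` stands in for the non-compliance error code, which the page does not name. The sample outputs in `main` are constructed to show the errant cases the `!` delimiters catch, including text leaked into the output by an incomplete rule.

```python
"""Validate the text an authorization rule's XSL transformation returns.

Added illustration, not the product's own code. The valid identifier set
is an assumption: confirm the actual values in the rule-format reference.
"""

MAX_RESULT_LENGTH = 1023  # limit the page states for rule result text

# Assumed valid identifiers. The "!" delimiters are what let the evaluator
# tell a proper result apart from stray text an incorrect rule emits.
VALID_RESULTS = frozenset({"!TRUE!", "!FALSE!", "!INDIFFERENT!"})

# Error codes surfaced to the resource manager. The "too large" name is the
# one the page gives; the non-compliant name is a placeholder.
ERR_RESULT_TOO_LARGE = "ivacl_s_rule_result_string_too_large"
ERR_RULE_NOT_COMPLIANT = "RULE_NOT_COMPLIANT_PLACEHOLDER"


def evaluate_rule_result(output_text):
    """Return (identifier, None) for a usable result, else (None, error_code).

    `output_text` is the complete text content of the XSL output document.
    """
    # The length limit is applied to the text as returned, before trimming
    # (an assumption; the page only says "result text that is returned").
    if len(output_text) > MAX_RESULT_LENGTH:
        return None, ERR_RESULT_TOO_LARGE
    # Surrounding white space is tolerated; anything else must be an exact
    # match, so an empty document or leaked text both fail here.
    candidate = output_text.strip()
    if candidate not in VALID_RESULTS:
        return None, ERR_RULE_NOT_COMPLIANT
    return candidate, None


def main():
    # Constructed sample outputs, each paired with why it passes or fails.
    samples = [
        ("  \n!TRUE!\n ", "delimited identifier with surrounding white space"),
        ("", "empty output document"),
        ("TRUE", "identifier without the ! delimiters"),
        ("!TRUE!\nfinance", "ADI text leaked into the output by an incomplete rule"),
        ("!" + "A" * 1100 + "!", "result text longer than 1023 characters"),
    ]
    for text, description in samples:
        identifier, error = evaluate_rule_result(text)
        outcome = identifier if error is None else "FAIL (" + error + ")"
        print(f"{description}: {outcome}")


if __name__ == "__main__":
    main()
```

Running the block prints one line per constructed sample; only the first yields an identifier, the others fail with the appropriate code. Note the order of the checks: the length limit is tested on the raw text before the white-space trim, so an oversized result is reported as too large rather than merely non-compliant.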
