Example of an external authorization service

In this example, the external authorization service imposes a quota restriction on how often a photo-quality printer resource can be accessed. Figure 1 illustrates an authorization decision that involves an application server and an external authorization service.

Figure 1. External authorization service with an application server

The service implementation imposes a limit on the number of job submissions that any one person can make to this printer in one week. A trigger condition is attached to the photo printer resource so the external authorization service is called whenever the photo printer is accessed.

The external authorization service is loaded with the default decision weighting of 101. The default decision weighting overrides any decision made by the ISAM authorization service if required.

  1. The resource manager server receives a request from a client for access to an online photo printing resource. The client is a member of the appropriate group GraphicArtists and so is typically permitted to submit jobs to the printer.
  2. The application server first consults the ISAM authorization service to determine whether the requesting user has permission to submit jobs to the printer.
  3. The authorization service checks the access permissions in the ACL on the requested object and compares those permissions against the capabilities of the requesting user:
    group GraphicArtists rx

    In the ACL on the printer resource, the x permission grants any user in the GraphicArtists group access to the resource. Therefore, the authorization service grants the user permission to submit the job.

  4. Because the photo printer resource is being accessed and an external authorization service trigger condition is attached to this object, a request is also made to the external authorization service configured for that trigger condition.

    The external authorization service receives all the Access Decision Information (ADI) that was passed in with the original access decision check by the resource manager server.

  5. The external authorization service consults a record of previous accesses made by this user. If the requesting user is within the quota for the week, it returns an access decision of indifferent.

    The external authorization service is indifferent to the request. The service does not participate in the access decision because the conditions for denying access are not present.

    If the user exceeds the quota, then the external authorization service returns a decision of access denied.

    For this example, the requester exceeds the quota. The external authorization service detects this problem and returns an access denied decision.

  6. The ISAM authorization service receives the access denied result from the external authorization service. It then takes this decision and weights it with the default external authorization service weighting value of 101.

    The results of the external authorization service decision and the decision made by the ISAM authorization service are combined. The result is access denied because the result of the external authorization service (-101) outweighs that of the ISAM authorization service (100).

  7. The resource manager server rejects the job submission to the photo printer resource.
  8. The resource manager server returns a response to the caller to indicate the job was rejected.
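The following simulation walks through steps 1 to 8 above. It is an added illustration, not ISAM code or an ISAM API: the ACL entry and the weights 100 and 101 come from the page, while the weekly quota of two jobs, the in-memory access record, the negative result for an ISAM denial and the accept-only-if-positive combination rule are assumptions made for the simulation.

```python
from collections import defaultdict
from datetime import date, timedelta

ACL = {"GraphicArtists": "rx"}   # ACL on the photo printer resource, as on the page
EAS_WEIGHT = 101                 # default external authorization service weighting
ISAM_WEIGHT = 100                # weight of the ISAM authorization service result

def isam_decision(acl, groups, perm="x"):
    """Step 3: signed result of the ISAM authorization service. +ISAM_WEIGHT when any
    of the user's groups holds the permission; -ISAM_WEIGHT on denial (an assumption)."""
    for group in groups:
        if perm in acl.get(group, ""):
            return ISAM_WEIGHT
    return -ISAM_WEIGHT

class QuotaEAS:
    """Steps 4-5: the external authorization service, backed by a record of previous
    accesses (kept in memory here; the page does not say how the record is stored)."""
    def __init__(self, weekly_quota, weight=EAS_WEIGHT):
        self.weekly_quota = weekly_quota
        self.weight = weight
        self.history = defaultdict(list)   # user -> dates of accepted submissions

    def decide(self, user, today):
        week_start = today - timedelta(days=today.weekday())   # Monday of this week
        this_week = [d for d in self.history[user] if d >= week_start]
        return "denied" if len(this_week) >= self.weekly_quota else "indifferent"

    def signed_result(self, decision):
        # "indifferent" takes no part in the decision; "denied" carries the full weight.
        return {"indifferent": 0, "denied": -self.weight}[decision]

def submit_job(user, groups, eas, today):
    """Steps 1-8: a job submission from request to accept/reject response.
    Returns (accepted, isam_result, eas_decision)."""
    isam = isam_decision(ACL, groups)
    eas_decision = eas.decide(user, today)
    # Step 6: combine the weighted results; the job is accepted only if the sum is positive,
    # so 100 + (-101) = -1 rejects it while 100 + 0 = 100 accepts it.
    accepted = isam + eas.signed_result(eas_decision) > 0
    if accepted:
        eas.history[user].append(today)   # counts against the quota for later requests
    return accepted, isam, eas_decision

def run_example():
    """Constructed week of requests: the third job in one week trips the quota."""
    eas = QuotaEAS(weekly_quota=2)
    monday = date(2024, 1, 1)   # constructed date; 2024-01-01 is a Monday
    days = [monday + timedelta(days=n) for n in (0, 1, 2, 7)]
    return [submit_job("alice", ["GraphicArtists"], eas, d) for d in days] + \
           [submit_job("bob", ["Accounting"], eas, monday)]
```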

Parent topic: Authorization evaluation process