Authorization evaluation process
ISAM uses a multi-step process to evaluate authorization requests.
An authorization decision that incorporates an external authorization server takes place in the following manner:
- If a trigger condition is met during an access decision, the external authorization services that were configured for that condition are each called in turn. The external authorization services evaluate their own external authorization constraints.
Invocation of the external authorization service occurs regardless of Whether the necessary permission is granted to the user by the ISAM authorization service.
- Each external authorization service returns a decision of permitted, denied, or indifferent.
When indifferent is returned, the external authorization service determined that its functionality is not required for the decision process and that it does not participate.
- Each external authorization service decision is weighted according to the level of importance that its decision carries in the process.
The weighting of individual external authorization services is configured when the service plug-in is loaded.
- All authorization decision results are summed and combined with the decision made by the ISAM authorization service. The resulting decision is returned to the caller.
- Example of an external authorization service
In this example, the external authorization service imposes a quota restriction on how often a photo-quality printer resource can be accessed.
Parent topic: External authorization capability