Methods of providing ADI to the rules evaluator

A resource manager application can provide ADI from the resource manager to the rules evaluator in one of two ways.

• Add the attributes to the application context parameter.

  Attributes are added to parameter passed to azn_decision_access_allowed_ext(). The problem with this method is the resource manager must know which ADI will be needed by a particular access decision. This is acceptable and even desirable for a smaller set of ADI.

• Configure the rules evaluator to supply the missing ADI to the authorization engine only when it is explicitly requested.

  Used for a larger and more varied set of possible ADI. With this method, the authorization engine can be configured with a set of ADI prefixes that can be provided by the resource manager upon request. The authorization engine fails the access decision and notifies the resource manager of the ADI it needs in a permission information attribute returned by the azn_decision_access_allowed_ext() method. The attribute contains a list of the ADI needed to successfully evaluate the rule. The ADI was not found in the application context that was passed in. The ADI also did not have a prefix matching those prefixes the resource manager identified as its own.

The permission information attribute is named azn_perminfo_rules_adi_request and contains a text attribute value for each item of ADI required. The resource manager looks for this attribute when the access decision fails. When it is present, the resource manager scans the list of ADI names in the attribute and gathers the requested data to try the access decision with this additional data again. If the requested data cannot be provided, the resource manager must deny access and log the problem as a failure due to insufficient rules data. The requested list contains only the ADI items that are identified as being provided by the resource manager. The unique prefix added to the attribute name is used to identify the ADI. All resource managers that provide data to the evaluation process in this manner must define a unique prefix by which their ADI data set can be identified.

Permission information is returned to a resource manager application only when the authorization client was configured that way. To activate the return of the azn_perminfo_rules_adi_request permission information attribute, the name of this attribute must either be added to the azn_init_set_perminfo_attrs initialization attribute or the equivalent permission-info-returned entry in the [aznapi-configuration] stanza.

The ADI prefixes recognized by the resource manager can be configured using the resource-manager-provided-adi entry or the azn_init_resource_mgr_provided_adi initialization attribute.

The authorization engine attempts to anticipate the need to request information from the resource manager by obtaining the rule policy object on the protected object early in the access decision process. The authorization engine then compares the required ADI in the rule with the ADI names in the application context parameter passed by the resource manager. The ADI names, which are missing from the application context and which are specific to the resource manager, are added to the returned permission information object.

ADI prefixes must be unique to identify them as resource manager ADI and to avoid conflict with ADI provided in the credential from the authorization engine or from an external data provider.

Parent topic: Authorization rules evaluator