Protected object policy management
The access control list (ACL) policies give the authorization service the information it needs to make a yes-or-no decision on a request to access a protected object and perform an operation on it. A protected object policy (POP) adds conditions to that request. The conditions are passed back to the resource manager together with the yes ACL decision from the authorization service.
It is the responsibility of ISAM and the resource manager to enforce the POP conditions.
ISAM provides the following POP attributes (POP attribute: Description):
- Name: Name of the policy. This attribute corresponds to the pop-name variable in the pop command documentation.
- Description: Descriptive text for the policy. This attribute appears in the output of the pop show command.
- Warning mode: Gives administrators a means to test ACLs, POPs, and authorization rules. Warning mode provides a way to test the security policy before it is made active.
- Audit level: Type of auditing: all, none, successful access, denied access, or errors. The audit level informs the authorization service that extra services are required when permitting access to the object.
- Time-of-day Access: Day and time restrictions for successful access to the protected object. Time-of-day places restrictions on access to the object.
- IP endpoint authorization method policy: Specifies authorization requirements for access from members of external networks. The IP endpoint authentication method policy places restrictions on access to the object.
- EAS trigger attributes: Specifies an External Authorization Service (EAS) plug-in that is started to make an authorization decision using the customer's externalized policy logic.
- Quality of Protection: Degree of data protection: none, integrity, or privacy. Quality of Protection informs the authorization service that extra services are required when permitting access to the object.
Although ISAM provides these POP attributes, it enforces only the following attributes:
- Name
- Description
- Warning mode
- Audit level
- Time-of-day Access
Each resource manager or plug-in can optionally enforce one or more of the following attributes:
- IP endpoint authorization method policy
- EAS trigger attributes
- Quality of Protection
Security Verify Access IP address support provides the following:
- We can grant access to a protected resource based on the IP address used by the identity. For example, only users from IP address 9.18.n.n are allowed to access the protected resource.
- We can define that an additional authentication level is required to access this protected resource based on the IP address used by the identity. The step-up level authentication is described in Configure levels for step-up authentication and the IBM Security Verify Access for Web: WebSEAL Administration Guide.
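The evaluation flow described on this page (ACL says yes, then the resource manager applies the POP's time-of-day, IP endpoint step-up level and warning-mode conditions) as an added example; this is a simplified model written for this page, not ISAM code, and the field names, the "forbidden" level marker, the shortened audit-level labels and the sample networks are this example's own assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Pop:
    """POP attributes from the table above; field names are this example's own."""
    name: str
    description: str = ""
    warning_mode: bool = False
    audit_level: str = "none"    # "all", "none", "permit", "deny" or "error" (constructed labels)
    tod_days: frozenset = frozenset(range(7))   # weekday() values allowed, 0 = Monday
    tod_hours: tuple = (0, 24)   # [start, end) hour; all day by default
    ip_auth: list = field(default_factory=list)  # (CIDR network, required level or "forbidden")
    default_level: int = 0       # level required from addresses that match no entry

def required_level(pop, client_ip):
    """IP endpoint policy: the first matching network decides the required level."""
    addr = ip_address(client_ip)
    for net, level in pop.ip_auth:
        if addr in ip_network(net):
            return level
    return pop.default_level

def tod_allows(pop, when):
    start, end = pop.tod_hours
    return when.weekday() in pop.tod_days and start <= when.hour < end

def enforce(pop, client_ip, auth_level, when):
    """Apply the POP after a 'yes' ACL decision. Returns (decision, reasons, audit)."""
    reasons = []
    if not tod_allows(pop, when):
        reasons.append("time-of-day")
    need = required_level(pop, client_ip)
    if need == "forbidden":
        reasons.append("ip endpoint forbidden")
    elif auth_level < need:
        reasons.append(f"step-up to level {need}")
    violated = bool(reasons)
    # Warning mode: report what would have been denied, but let the request through.
    decision = "permit" if (not violated or pop.warning_mode) else "deny"
    if violated and pop.warning_mode:
        reasons.append("warning mode: would have denied")
    audit = pop.audit_level in ("all", decision)  # "error" is not modelled here
    return decision, reasons, audit
```

A real deployment would also carry the EAS and Quality of Protection attributes to the plug-in or resource manager that enforces them; they are omitted here.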