Security policy overview
The goal of any security policy is to protect business assets and resources with a minimal amount of administrative effort.
- Define what resources need to be protected, including files, directories, network servers, messages, databases, and web pages.
- Determine what users and groups of users can access to these protected resources, and their level of access.
- Apply the appropriate security policy on these resources.
The enforcement of the security policy is the job of the resource manager, which calls the authorization service with the credentials of the user making the request. The call includes the type of access wanted and the object to be accessed. The credential provides detailed information, acquired during authentication, describing the user, any group associations, and other security-related identity attributes. Credentials can be used to do a multitude of services, such as authorization, auditing, and delegation.
The authorization service is also called the authorization engine. The authorization service uses the security policy to determine whether the request is allowed or denied. The request might also be conditionally allowed pending additional verification by the resource manager. The resource manager takes the recommendation of the authorization service. The resource manager does any additional verification actions and ultimately either denies the request or permits the request to be processed.
For example, suppose that John wants to access a particular web page on a website protected by WebSEAL, which is a resource manager that manages and protects web-based information and resources. It must decide Whether "John" can access that page. The resource manager obtains the credentials for John, and then asks the authorization service whether John has read access to the web page. The authorization service checks the security policy and determines that John is permitted access. The service responds to the resource manager the request is granted. The resource manager then directs the request to the appropriate back-end web server, which provides the web page.
The security policy in ISAM is defined through the use of access control lists (ACLs), protected object policies (POPs), and authorization rules.
Parent topic: Security Verify Access overview