Use oauthScope attributes in an access control policy

You can use the subject and resource oauthScope attributes as part of an access control decision for a resource. Before you begin, complete the following tasks:

  1. Create a reverse proxy instance.
  2. Run the isamcfg tool to configure access control policies and API protection capabilities.
  3. Determine the access control resources that your policies must be attached to. If the resources do not exist, add them.

To use the OAuth attributes in an access control decision, you must attach the access control policy and the API protection definition at the proper locations in the protected object space: the attributes are populated only for resources covered by the API protection definition, so the policy that references them must be attached above it.

Steps

  1. Create an access control policy. Specify the oauthScopeResource attribute, the oauthScopeSubject attribute, or both, in one or more rules for this policy. See Create an access control policy.
  2. Attach the access control policy to an object in the protected object space. See Manage policy attachments.
  3. Create an API protection definition. See Create an API protection definition.
  4. Register an API client that uses the API protection definition that you created in step 3. See Registering an API protection client.
  5. Attach the API protection definition to an object in the protected object space. See Manage policy attachments.

    When you attach the definition to a resource, the resource must be at a level lower than the object where the access control policy is attached in step 2. The term lower means farther away from the root of the protected object space.

    For example, in the resource tree /jct/dir1/dir2/protected_resource, you can attach the access control policy to /jct. Then, attach the API protection definition to /jct/dir1.

  6. Deploy the pending changes.

The access decision for any resource at or below the object where the API protection definition is attached then includes the oauthScope attributes that are referenced in the access control policy.
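The placement rule above is easy to get wrong when a deployment has many attachment points, so the following added example (not IBM code, and not how the appliance evaluates policy internally) models the protected object space as slash-separated paths and checks two things: that the API protection definition is attached strictly below the access control policy, and that a given resource is at or below the API protection attachment point, which is the condition under which the oauthScope attributes are available to the policy. The rule it evaluates, "permit when oauthScopeSubject contains every scope in oauthScopeResource", and the meaning it assigns to those two attributes are assumptions made for illustration; the actual rule is whatever you define in step 1.

```python
"""Model of where oauthScope attributes enter an access decision.

Constructed example, not IBM code. Paths such as "/jct/dir1" stand for
objects in the protected object space; "/" is the root.
"""
from dataclasses import dataclass
from typing import Set


def _segments(path: str) -> list:
    # "/jct/dir1/" -> ["", "jct", "dir1"]; "/" -> [""], which is a prefix of every path
    stripped = path.rstrip("/")
    return stripped.split("/") if stripped else [""]


def is_at_or_below(resource: str, attach_point: str) -> bool:
    """True when `resource` is the attach point itself or a descendant of it."""
    r, a = _segments(resource), _segments(attach_point)
    return len(r) >= len(a) and r[: len(a)] == a


@dataclass(frozen=True)
class Layout:
    policy_attach: str    # object the access control policy is attached to (step 2)
    api_def_attach: str   # object the API protection definition is attached to (step 5)

    def is_valid(self) -> bool:
        """The API protection definition must be strictly lower (farther from the root)."""
        return (
            is_at_or_below(self.api_def_attach, self.policy_attach)
            and _segments(self.api_def_attach) != _segments(self.policy_attach)
        )


def oauth_scopes_available(resource: str, layout: Layout) -> bool:
    """oauthScope attributes exist only for resources at or below the API protection attachment."""
    return layout.is_valid() and is_at_or_below(resource, layout.api_def_attach)


def decide(resource: str, layout: Layout,
           oauth_scope_subject: Set[str], oauth_scope_resource: Set[str]) -> str:
    """Evaluate an assumed rule: permit when the subject's scopes cover the resource's scopes.

    Returns "not-applicable" when the policy does not cover the resource at all,
    "indeterminate" when the policy applies but the oauthScope attributes are not
    populated for this resource (a misplaced or missing API protection attachment),
    otherwise "permit" or "deny".
    """
    if not is_at_or_below(resource, layout.policy_attach):
        return "not-applicable"
    if not oauth_scopes_available(resource, layout):
        # The rule references attributes that are absent for this resource.
        # How the appliance treats that depends on the policy definition; here
        # we surface it explicitly so the misconfiguration is visible.
        return "indeterminate"
    return "permit" if oauth_scope_resource <= oauth_scope_subject else "deny"


if __name__ == "__main__":
    # The layout from the example in the text: policy on /jct, API definition on /jct/dir1
    layout = Layout(policy_attach="/jct", api_def_attach="/jct/dir1")
    print("layout valid:", layout.is_valid())
    print(decide("/jct/dir1/dir2/protected_resource", layout, {"read", "write"}, {"read"}))
    print(decide("/jct/other", layout, {"read"}, {"read"}))
```

Swapping the two attachment points (policy on /jct/dir1, API protection definition on /jct) makes `Layout.is_valid()` return False, and every resource under the policy then yields "indeterminate" rather than a scope-based permit or deny, which is the symptom to look for when a scope rule never seems to fire.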

Parent topic: Configure API protection