Administer protected object policy settings
We can use the administration API to set, modify, or remove attributes in a POP.
We must create the POP object before we specify POP settings. We can use administration API functions to specify the following POP attributes:
- Authentication levels
- Quality of Protection (QOP) requirements
- Auditing levels
- Time of day access restrictions
- Warning mode settings
Authentication levels specify whether additional or alternative authentication is required to access a protected object. The additional authentication is also called step-up authentication: an extra authentication step is required to access resources that have more restrictive access policies. When we use step-up authentication, we can filter users according to their IP addresses, or we can specify step-up authentication for all users, regardless of IP address.
The quality of protection (QOP) level is not enforced internally by Security Verify Access. Applications that set the quality of protection can enforce it.
Audit levels specify what operations generate an audit record. This value is used internally by Security Verify Access and can also be used by applications to generate their audit records.
The time of day access setting is used to control access to a protected object based on the time when the access occurs. When we modify a protected object policy, we must provide a list of days, a start time, and an end time. The start time and end time apply to each day on the list. If the specified start time is greater than the specified end time, then the access is allowed until the specified end time of the next day.
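The following added example models the time of day rule described above, including the case where the start time is greater than the end time. It is not code from the product or its Javadoc and does not call the administration API: the class TodWindowModel and its methods are hypothetical, and two points are assumptions of this sketch, namely that the start and end times are inclusive and that a window running past midnight belongs to the listed day on which it starts.

```java
import java.time.DayOfWeek;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical stand-alone model of a POP time of day window (not the product API).
public class TodWindowModel {
    private final Set<DayOfWeek> days = EnumSet.noneOf(DayOfWeek.class);
    private final LocalTime start;
    private final LocalTime end;

    public TodWindowModel(Set<DayOfWeek> listedDays, LocalTime start, LocalTime end) {
        this.days.addAll(listedDays);
        this.start = start;
        this.end = end;
    }

    // Returns true when the access time falls inside the window.
    public boolean allows(LocalDateTime when) {
        DayOfWeek day = when.getDayOfWeek();
        LocalTime t = when.toLocalTime();
        if (!start.isAfter(end)) {
            // Start <= end: the window opens and closes on the same listed day.
            return days.contains(day) && !t.isBefore(start) && !t.isAfter(end);
        }
        // Start > end: a window opened on a listed day runs until the end time
        // of the next day (assumption: the next day need not be on the list).
        boolean openedToday = days.contains(day) && !t.isBefore(start);
        boolean openedYesterday = days.contains(day.minus(1)) && !t.isAfter(end);
        return openedToday || openedYesterday;
    }

    public static void main(String[] args) {
        // Constructed policy: Monday only, 22:00 to 06:00.
        TodWindowModel night = new TodWindowModel(
                EnumSet.of(DayOfWeek.MONDAY), LocalTime.of(22, 0), LocalTime.of(6, 0));
        // Constructed sample access times; 2024-01-01 is a Monday.
        LocalDateTime[] samples = {
            LocalDateTime.of(2024, 1, 1, 23, 0),  // Monday, after the start time
            LocalDateTime.of(2024, 1, 2, 5, 0),   // Tuesday, before Monday's window ends
            LocalDateTime.of(2024, 1, 2, 7, 0),   // Tuesday, after the end time
            LocalDateTime.of(2024, 1, 1, 3, 0),   // Monday, before the window opens
        };
        for (LocalDateTime s : samples) {
            System.out.println(s.getDayOfWeek() + " " + s.toLocalTime() + " -> "
                    + (night.allows(s) ? "allowed" : "denied"));
        }
    }
}
```

A model like this is useful for reviewing a planned policy before it is applied: an overnight window on a single listed day also admits access early on the following day, which is easy to miss when reading only the list of days.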
The warning mode enables a security administrator to troubleshoot the authorization policy set on the protected object space.
When the warning attribute is set to yes, any user can perform any action on the object to which the POP is attached. Any object can be accessed even if the ACL policy attached to the object is set to deny this access.
Audit records are generated that capture the results of all ACL policies with warning mode set throughout the object space. The audit log shows the outcome of each authorization decision as it would be made if the warning attribute were set to no.
Table 1 lists the methods for administering protected object policy settings.
| Methods | Description |
| --- | --- |
| PDPop object.getIPAuthInfo | Returns the IP authentication level information from the specified POP. |
| PDPop object.getAuditLevel | Returns the audit level for the specified POP. |
| PDPop object.getQOP | Returns the quality of protection (QOP) level for the specified POP. |
| PDPop object.getTodAccessInfo | Returns the time of day range for the specified POP. |
| PDPop object.getWarningMode | Returns the warning mode value from the specified POP. |
| PDPop.removeIPAuthInfo, PDPop object.removeIPAuthInfo | Removes the specified IP authentication level information from the specified POP. |
| PDPop.setIPAuthInfo, PDPop object.setIPAuthInfo | Sets the IP authentication level information for the specified POP. |
| PDPop.setAuditLevel, PDPop object.setAuditLevel | Sets the audit level for the specified POP. |
| PDPop.setDescription, PDPop object.setDescription | Sets the description of the specified POP. |
| PDPop.setQOP, PDPop object.setQOP | Sets the quality of protection level for the specified POP. |
| PDPop.setTodAccessInfo, PDPop object.setTodAccessInfo | Sets the time of day range for the specified POP. |
| PDPop.setWarningMode, PDPop object.setWarningMode | Sets the warning mode for the specified POP. |

For detailed reference information about these methods, see the Javadoc HTML documentation.