Overview of ADI retrieval
The ISAM authorization rules evaluator performs authorization decisions based on Boolean logic applied to specific authorization decision information (ADI). We can find detailed information about the construction of authorization rules (using Boolean logic) and ADI in the Verify Access Platform and Supporting Components administration
ADI required for rules evaluation can be retrieved from the following sources:
- Authorization decision parameters provided to the authorization rule as ADI by the authorization service.
  Parameters include the target resource (protected object) and the requested action on the resource.
- The user credential.
  The user credential is always included with the function call to the authorization rules evaluator, so it is immediately available.
- The resource manager environment (application context).
  A resource manager, such as WebSEAL, can be configured to provide ADI from its own environment. For example, WebSEAL can provide ADI contained in parts of the client request. A special prefix is used in the authorization rule to "trigger" this type of ADI source.
- An external source through the ISAM attribute retrieval service.
  ADI can be obtained externally through the attribute retrieval service. The entitlement service of the resource manager makes a call to the attribute retrieval service. ADI from the external source is returned in XML format to the authorization rules evaluator. The attribute retrieval service is deprecated. IBM might remove this capability in a subsequent release of the product.
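A small model of the four ADI sources listed above, added here as an illustration; it is not IBM's code or API. The lookup order, the `AMWS_hd_` prefix, the `azn_engine_*` and `AZN_CRED_PRINCIPAL_NAME` names, and the XML layout are assumptions not stated on this page.

```python
import xml.etree.ElementTree as ET

# Assumed names, not given on this page.
DECISION_PARAMS = ("azn_engine_target_resource", "azn_engine_requested_actions")
HEADER_PREFIX = "AMWS_hd_"  # assumed prefix that triggers request-header ADI

class MissingADI(Exception):
    """A rule needs ADI that no source can supply; the caller should deny."""

def parse_external(xml_text):
    """Flatten the XML returned by the external source (constructed layout)."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.text or "" for el in root.iter("attribute")}

def resolve_adi(names, params, credential, headers, external_xml):
    """Return {name: (value, source)} for every ADI item a rule references."""
    external = None  # parsed lazily, only when the local sources miss
    resolved = {}
    for name in names:
        if name in DECISION_PARAMS and name in params:
            resolved[name] = (params[name], "decision-parameter")
        elif name in credential:
            resolved[name] = (credential[name], "credential")
        elif name.startswith(HEADER_PREFIX):
            header = name[len(HEADER_PREFIX):].lower()
            if header not in headers:
                raise MissingADI(name)
            resolved[name] = (headers[header], "client-request")
        else:
            if external is None:
                external = parse_external(external_xml)
            if name not in external:
                raise MissingADI(name)
            resolved[name] = (external[name], "external")
    return resolved

# Constructed sample inputs.
PARAMS = {"azn_engine_target_resource": "/WebSEAL/host/payroll",
          "azn_engine_requested_actions": "r"}
CREDENTIAL = {"AZN_CRED_PRINCIPAL_NAME": "alice"}
HEADERS = {"x-device-id": "kiosk-7"}
EXTERNAL_XML = "<adi><attribute name='risk_score'>12</attribute></adi>"
WANTED = ["azn_engine_target_resource", "AZN_CRED_PRINCIPAL_NAME",
          "AMWS_hd_x-device-id", "risk_score"]

if __name__ == "__main__":
    result = resolve_adi(WANTED, PARAMS, CREDENTIAL, HEADERS, EXTERNAL_XML)
    for name, (value, source) in result.items():
        print(f"{name} = {value!r} from {source}")
```

Recording the source next to each value lets a rule reviewer see which inputs come from the client request rather than from the credential, and raising on unresolved ADI lets the caller deny instead of evaluating a rule with missing data.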