Dynamic ADI retrieval

Authorization rules can require ADI that is not present in any of the information available to the ISAM authorization service. In these cases the ADI must be retrieved from an outside source, and a dynamic ADI entitlement retrieval service can perform that retrieval in real time, at the moment the rule is evaluated. The attribute retrieval service that is currently provided with WebSEAL is one type of entitlement retrieval service.

The attribute retrieval service provides communication and format translation services between the WebSEAL entitlement service library and an external provider of authorization decision information. The process flow for the attribute retrieval service is described in the following diagram:

Figure 1. Dynamic ADI retrieval

  1. The client makes a request for a resource protected by an authorization rule.
  2. The authorization rules evaluator, which is part of the authorization service, determines that specific ADI is required to complete the rule evaluation. The ADI requested is not available from the user credential, the authorization service, or WebSEAL.
  3. The task of ADI retrieval is passed to the attribute retrieval service through the entitlements service library, which formats the request for ADI as a SOAP request. The SOAP request is sent over HTTP to the attribute retrieval service, whose interface is described by a Web Services Description Language (WSDL) file.
  4. The attribute retrieval service formats the request appropriately for the external provider of ADI.
  5. The external provider of ADI returns the appropriate ADI.
  6. The ADI is packaged in a SOAP response and returned to the WebSEAL entitlements service. The authorization rules evaluator now has the information it needs to evaluate the rule and decide whether to permit or deny the original client request.
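
The following is an added example of the six-step exchange above, written for this page; it is not IBM's code and does not use IBM's shipped WSDL. The SOAP 1.1 envelope namespace is real, but the service namespace (urn:example:adi-retrieval), the GetAttributes operation, its element names and the attribute names are assumed for illustration, and the "external provider of ADI" is a constructed in-memory table. The example shows both sides of step 3 and step 6 in one process (no HTTP listener), plus two checks a practitioner would want in a custom service: an allowlist so that a request cannot pull arbitrary data out of the provider, and a SOAP Fault on malformed input that the caller treats as "ADI unavailable" rather than as a permit.

```python
"""Toy attribute retrieval service for the WebSEAL dynamic ADI flow.

Added example, not IBM's code.  The SOAP 1.1 envelope namespace is real;
the service namespace, operation and element names, and the attribute
names are ASSUMED for illustration and do not match IBM's shipped WSDL.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # real SOAP 1.1 namespace
ADI_NS = "urn:example:adi-retrieval"                    # assumed service namespace
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("adi", ADI_NS)

# Constructed stand-in for the "external provider of ADI" (step 5).
EXTERNAL_PROVIDER = {
    "alice": {"department": ["finance"], "clearance": ["secret"], "ssn": ["000-00-0000"]},
    "bob": {"department": ["engineering"], "clearance": ["confidential"], "ssn": ["111-11-1111"]},
}

# Allowlist: only attributes that authorization rules are meant to consume leave
# the service.  Anything else the provider holds (here "ssn") is never returned.
ALLOWED_ATTRIBUTES = {"department", "clearance"}


def _q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def _envelope():
    env = ET.Element(_q(SOAP_NS, "Envelope"))
    return env, ET.SubElement(env, _q(SOAP_NS, "Body"))


def build_request(principal, attribute_names):
    """Step 3: the SOAP request the entitlements service library would send."""
    env, body = _envelope()
    req = ET.SubElement(body, _q(ADI_NS, "GetAttributes"))
    ET.SubElement(req, _q(ADI_NS, "Principal")).text = principal
    for name in attribute_names:
        ET.SubElement(req, _q(ADI_NS, "AttributeName")).text = name
    return ET.tostring(env, encoding="unicode")


def _fault(code, text):
    """SOAP 1.1 Fault; the caller must treat it as 'ADI unavailable', never as 'permit'."""
    env, body = _envelope()
    fault = ET.SubElement(body, _q(SOAP_NS, "Fault"))
    ET.SubElement(fault, "faultcode").text = "soapenv:" + code
    ET.SubElement(fault, "faultstring").text = text
    return ET.tostring(env, encoding="unicode")


def handle_request(request_xml, provider=EXTERNAL_PROVIDER):
    """Steps 4-6: unpack the SOAP request, query the provider, wrap the ADI in a
    SOAP response.  Malformed input yields a SOAP Fault.  The stdlib parser does
    not resolve external entities, but for a service reachable by untrusted
    callers prefer defusedxml, which also bounds entity expansion."""
    try:
        root = ET.fromstring(request_xml)
        req = root.find("./%s/%s" % (_q(SOAP_NS, "Body"), _q(ADI_NS, "GetAttributes")))
        principal = req.findtext(_q(ADI_NS, "Principal"))  # AttributeError if req is None
        if not principal:
            raise ValueError("missing Principal")
        names = [e.text or "" for e in req.findall(_q(ADI_NS, "AttributeName"))]
    except (ET.ParseError, AttributeError, ValueError) as exc:
        return _fault("Client", "malformed GetAttributes request: %s" % exc)

    record = provider.get(principal, {})  # unknown principal -> no ADI, not an error
    env, body = _envelope()
    resp = ET.SubElement(body, _q(ADI_NS, "GetAttributesResponse"))
    for name in names:
        if name not in ALLOWED_ATTRIBUTES:
            continue  # dropped: the rule then sees the attribute as absent and fails closed
        for value in record.get(name, []):
            ET.SubElement(resp, _q(ADI_NS, "Attribute"), name=name).text = value
    return ET.tostring(env, encoding="unicode")


def parse_response(response_xml):
    """WebSEAL side of step 6: {attribute: [values]}, or None on a SOAP Fault."""
    body = ET.fromstring(response_xml).find(_q(SOAP_NS, "Body"))
    if body is None or body.find(_q(SOAP_NS, "Fault")) is not None:
        return None
    adi = {}
    for attr in body.iter(_q(ADI_NS, "Attribute")):
        adi.setdefault(attr.get("name"), []).append(attr.text)
    return adi


def retrieve_adi(principal, attribute_names):
    """Full round trip as the rules evaluator would experience it (in-process, no HTTP)."""
    return parse_response(handle_request(build_request(principal, attribute_names)))


if __name__ == "__main__":
    print(retrieve_adi("alice", ["department", "clearance", "ssn"]))  # ssn never leaves the service
    print(retrieve_adi("carol", ["department"]))                       # unknown principal -> {}
    print(handle_request("<soapenv:Envelope/>"))                       # unbound prefix -> SOAP Fault
```

When adapting this to a real deployment, replace the assumed element names with those in the WSDL shipped with the Application Development Kit, and remember that the service answers over HTTP from WebSEAL: put it behind TLS, authenticate WebSEAL as the caller, and keep the allowlist, because the request names the attributes and nothing else stops it from asking for whatever the provider holds.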

The WebSEAL attribute retrieval service is deprecated. IBM might remove this capability in a subsequent release of the product.

Alternatively, you can create and deploy a custom attribute retrieval service. The Security Verify Access Application Development Kit includes a WSDL file to get you started. The file is in the following locations:

For information about creating and deploying web services, see the IBM WebSphere Application Server Information Center at http://publib.boulder.ibm.com/infocenter/wasinfo/v8r0/index.jsp.

Parent topic: Authorization decision information retrieval
