Use credential attributes in authorization decisions
The protected object policy (POP) attribute requires can be used to define rules that extend the authorization decision based on the contents of credential attributes.
The requires POP attribute is used to determine whether access will be granted to a requested resource. When an ACL check for a resource succeeds, the POP is checked. If a POP with the requires attribute exists, and the attributes contained within the credential do not match the supplied attribute authorization rules, the request is denied.
Rule Format
The format of the rule is: "<cred attr name>=<cred attr value> { OR <cred attr name>=<cred attr value>} { OR … }". The credential attribute value must be surrounded by single or double quotes if the value contains any spaces. At least one condition within the attribute must match for the rule to pass. For example:
requires: SCOPE='usr:write' OR SCOPE='usr:admin' OR AZN_CRED_AUTH_METHOD='password'
In this example, in order for the authorization decision to succeed, the user credential must contain a scope with 'usr:write' or 'usr:admin' or must contain an authentication method of ‘password’. The requires attribute can be specified multiple times. The evaluation of each individual rule must pass in order for access to be granted. In other words, each instance of the requires attribute is a separate ‘and’ condition. For example, if 2 requires attributes are added to the POP:
requires: SCOPE='usr:write' OR SCOPE='usr:admin'
requires: AUTHENTICATION_LEVEL='2'
In this example, in order for the authorization decision to succeed, the user credential must contain a scope with a value of ‘usr:write’ or ‘usr:admin’ AND must also have an authentication level of 2.
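The following Python model, added here as an illustration and not code from Security Verify Access or WebSEAL, shows the evaluation semantics described above: each requires line is parsed into its OR-ed conditions, one line passes when at least one condition matches a value in the credential, and access is granted only when every requires line passes. It assumes a credential is represented as a mapping from attribute name to the set of values that attribute carries (credential attributes can be multi-valued), and that the ACL check has already succeeded; the credentials and the parser itself are constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# One condition: <name>=<value>, where the value is single-quoted,
# double-quoted, or a bare token without whitespace. Quotes are required
# by the documented rule format when the value contains spaces.
_COND = re.compile(
    r"""\s*([A-Za-z_][\w:.-]*)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'"]+))"""
)
_OR = re.compile(r"\s+OR\s+")

# A credential as assumed for this example: attribute name -> set of values.
Credential = Dict[str, Set[str]]


def parse_requires(rule: str) -> List[Tuple[str, str]]:
    """Parse one requires rule into a list of (attribute, value) conditions.

    Malformed rules raise ValueError so a bad POP rule is noticed when the
    policy is loaded rather than silently denying every request.
    """
    rule = rule.strip()
    # Accept the attribute with or without its "requires:" label.
    if rule.lower().startswith("requires:"):
        rule = rule[len("requires:"):]
    conditions: List[Tuple[str, str]] = []
    pos = 0
    while True:
        m = _COND.match(rule, pos)
        if not m:
            raise ValueError(f"expected <name>=<value> at offset {pos} in {rule!r}")
        name = m.group(1)
        # Exactly one of the three value groups matched.
        value = next(g for g in m.groups()[1:] if g is not None)
        conditions.append((name, value))
        pos = m.end()
        if rule[pos:].strip() == "":
            return conditions
        m = _OR.match(rule, pos)
        if not m:
            raise ValueError(
                f"expected 'OR <name>=<value>' or end of rule at offset {pos} in {rule!r}"
            )
        pos = m.end()


def rule_passes(conditions: List[Tuple[str, str]], credential: Credential) -> bool:
    """A single requires rule passes if ANY of its conditions matches."""
    return any(value in credential.get(name, set()) for name, value in conditions)


def authorize(requires: List[str], credential: Credential) -> bool:
    """Grant access only if EVERY requires rule on the POP passes.

    An empty list means the POP carries no requires attribute, so no
    additional check applies beyond the ACL decision.
    """
    return all(rule_passes(parse_requires(rule), credential) for rule in requires)


# Constructed sample policy: the two-line example from the text.
POP_REQUIRES = [
    "requires: SCOPE='usr:write' OR SCOPE='usr:admin'",
    "requires: AUTHENTICATION_LEVEL='2'",
]

# Constructed sample credentials.
WRITER_LEVEL2: Credential = {
    "SCOPE": {"usr:read", "usr:write"},
    "AUTHENTICATION_LEVEL": {"2"},
}
WRITER_LEVEL1: Credential = {"SCOPE": {"usr:write"}, "AUTHENTICATION_LEVEL": {"1"}}
ADMIN_NO_LEVEL: Credential = {"SCOPE": {"usr:admin"}}


if __name__ == "__main__":
    for label, cred in [("writer, level 2", WRITER_LEVEL2),
                        ("writer, level 1", WRITER_LEVEL1),
                        ("admin, no level", ADMIN_NO_LEVEL)]:
        print(f"{label}: {'permit' if authorize(POP_REQUIRES, cred) else 'deny'}")
```

Only the first credential is permitted: the second has the right scope but the wrong authentication level, and the third satisfies the scope rule but carries no authentication level at all, so the second requires line fails. A quoted value with spaces, such as DEPT='Human Resources', parses as one condition.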
- Create a policy
  Follow the instructions to add attribute checking to an authorization decision.
- Troubleshoot
  Trace information for the rule evaluation is provided through the standard Security Verify Access tracing mechanism.
Parent topic: WebSEAL-specific ACL policies