Create a policy

Follow these steps to add attribute checking to an authorization decision:

Steps

  1. Create a POP and attach it to the relevant object in the object space.
  2. Add an attribute with the name 'eas-trigger' and the value 'trigger_attr_eas' to the POP to trigger the attribute-based authorization decision.
  3. Add attribute rules, with the name 'requires', to the POP. For example:

      pdadmin> pop create attr-pop
      pdadmin> pop attach /WebSEAL/ibm.com-default/junction_a attr-pop
      pdadmin> pop modify attr-pop set attribute eas-trigger trigger_attr_eas
      pdadmin> pop modify attr-pop set attribute requires "SCOPE='usr:write' OR SCOPE='usr:admin'"
      pdadmin> pop modify attr-pop set attribute requires "AUTHENTICATION_LEVEL=2"

Parent topic: Use credential attributes in authorization decisions