Create a policy
Follow the instructions to add attribute checking to an authorization decision:
Steps
- A protected object policy (POP) must be created and attached to the relevant object in the object space.
- An attribute with the name 'eas-trigger' and the value 'trigger_attr_eas' should be added to the POP to trigger the attribute-based authorization decision.
- Attribute rules, each set as an attribute with the name 'requires', should be added to the POP. For example:
pdadmin> pop create attr-pop
pdadmin> pop attach /WebSEAL/ibm.com-default/junction_a attr-pop
pdadmin> pop modify attr-pop set attribute eas-trigger trigger_attr_eas
pdadmin> pop modify attr-pop set attribute requires "SCOPE='usr:write' OR SCOPE='usr:admin'"
pdadmin> pop modify attr-pop set attribute requires "AUTHENTICATION_LEVEL=2"