Network-based authorization policy

Use the network-based authorization policy to control access to objects based on the IP address of the user. When an environment contains both IP version 4 (IPv4) and IP version 6 (IPv6) address formats, be aware of the following restrictions:

An IPv6 address is accepted (by commands, C APIs, and Java methods) only when the server is IPv6. We cannot provide an IPv6 address to an IPv4 server.

The network-based authorization policy is set in the IP endpoint authentication method attribute of a POP. We can use this functionality to prevent specific IP addresses or IP address ranges from accessing any resources in the domain. When setting an authorization policy, we can apply requisite step-up configuration. When we define a network-based authentication policy, specify these parts of the attribute:

We can also apply step-up authentication configuration to this policy and require a specific authentication method for each specified IP address range. See Step-up authentication. The IP address used by the resource manager for enforcing the network-based authorization policy must be the IP address of the originator of the connection.

When a client does not connect directly to the resource manager, the resource manager cannot definitively identify the true IP address of the client. When setting a network-based authorization policy that depends on specific client IP addresses, ensure that those network clients are connecting directly to the resource manager.
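The following Python sketch is an added example, not code from the product. It models how a policy of IP ranges with required authentication levels is evaluated against the connection originator, and why a client that does not connect directly is judged by the intermediary's address. The class and function names, the ranges, the level numbers, first-match ordering, and default deny are all assumptions made for illustration.

```python
import ipaddress

FORBIDDEN = "forbidden"   # constructed marker for a denied range

class NetworkPolicy:
    """Simplified model: ordered (network, required auth level) entries."""

    def __init__(self, server_is_ipv6):
        self.server_is_ipv6 = server_is_ipv6
        self.entries = []

    def add(self, cidr, level):
        net = ipaddress.ip_network(cidr)
        # Restriction from the page: an IPv4 server cannot take IPv6 addresses.
        if net.version == 6 and not self.server_is_ipv6:
            raise ValueError(f"{cidr}: IPv6 range rejected by IPv4 server")
        self.entries.append((net, level))

    def required_level(self, peer_ip):
        addr = ipaddress.ip_address(peer_ip)
        for net, level in self.entries:   # assumption: first match wins
            if addr.version == net.version and addr in net:
                return level
        return FORBIDDEN                  # assumption: unmatched peers are denied

def decide(policy, peer_ip, session_level):
    """peer_ip is the originator of the connection as seen by the server."""
    required = policy.required_level(peer_ip)
    if required == FORBIDDEN:
        return "deny"
    return "permit" if session_level >= required else "step-up"

def build_sample_policy():
    # Constructed ranges and levels (1 = password, 2 = stronger method).
    policy = NetworkPolicy(server_is_ipv6=False)
    policy.add("203.0.113.0/24", FORBIDDEN)
    policy.add("10.1.0.0/16", 1)
    policy.add("0.0.0.0/0", 2)
    return policy

if __name__ == "__main__":
    p = build_sample_policy()
    print(decide(p, "10.1.5.20", 1))     # direct internal client
    print(decide(p, "198.51.100.7", 1))  # direct external client
    print(decide(p, "203.0.113.9", 2))   # direct client in the blocked range
    # A client relayed by a constructed proxy at 10.1.0.5 is evaluated
    # against the proxy's address, whatever the client's own address is.
    print(decide(p, "10.1.0.5", 1))
```

In this model, every connection relayed by the intermediary receives the decision for the intermediary's range, so the per-client ranges only mean something for clients that connect directly.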
