Runtime security services external authorization service

The runtime security services external authorization service (EAS) provides the policy enforcement point function for context-based access. We can configure the runtime security services EAS to include context-based access decisions as part of the standard authorization on WebSEAL requests. WebSEAL becomes the authorization enforcement point for access to resources that context-based access protects. The runtime security services EAS constructs a request that it sends to the policy decision point (PDP). Based on the policy decision that is received from the PDP, the EAS takes one of the actions listed in the following table.

Action	Description
Permit	Grant access to the protected resource.
Deny	Deny access to the protected resource.
Permit with Authentication	Grant access to the protected resource, after a specific authentication action successfully takes place.
Permit with Obligation	Grant access to the protected resource, after the user successfully authenticates with a secondary challenge.
Deny with Obligation	Deny access to the protected resource, after the user unsuccessfully responds to a secondary challenge.

The following steps set up the initial integration with Advanced Access Control:

1. Configure runtime security services for client certificate authentication.

2. Run the isamcfg tool to automatically update the WebSEAL configuration file and to complete other configuration setup.

3. (Optional) Update the WebSEAL configuration file to:
   • Retain the version 7.0 attribute IDs.
   • Define custom attributes for the authorization service.
   • Map an obligation to a URL.
   • Permit access decisions when runtime security services cannot be contacted.

For information about WebSEAL, see web reverse proxy configuration.

Parent topic: Advanced Access Control configuration