Protected object policy management

The access control list (ACL) policies give the authorization service the information it needs to return a yes or no answer to a request to access a protected object and perform an operation on it. A protected object policy (POP) adds further conditions to the request. These conditions are passed back to the resource manager together with the yes ACL decision from the authorization service.

It is the responsibility of Security Verify Access and the resource manager to enforce the POP conditions.

Table 1 lists the POP attributes that Security Verify Access provides.

Table 1. POP attributes that Security Verify Access provides

| POP attribute | Description |
| --- | --- |
| Name | Specifies the name of the policy. This attribute corresponds to the pop-name variable in the pop command documentation. |
| Description | Specifies the descriptive text for the policy. This attribute appears in the pop show command output. |
| Warning mode | Gives administrators a way to test ACLs, POPs, and authorization rules. Warning mode lets the security policy be tested before it is made active. |
| Audit level | Specifies the type of auditing: all, none, successful access, denied access, or errors. Audit level informs the authorization service that extra services are required when permitting access to the object. |
| Time-of-day Access | Day and time restrictions for successful access to the protected object. Time-of-day places restrictions on access to the object. |
| IP endpoint authorization method policy | Specifies authorization requirements for access from members of external networks. The IP endpoint authentication method policy places restrictions on access to the object. |
| EAS trigger attributes | Specifies an External Authorization Service (EAS) plug-in that is started to make an authorization decision with the customer's externalized policy logic. |
| Quality of Protection | Specifies the degree of data protection: none, integrity, or privacy. Quality of Protection informs the authorization service that extra services are required when permitting access to the object. |
Although Security Verify Access provides these POP attributes, it enforces only the following attributes:
  • Name
  • Description
  • Warning mode
  • Audit level
  • Time-of-day Access
Each resource manager or plug-in can optionally enforce one or more of the following attributes:
  • IP endpoint authorization method policy
  • EAS trigger attributes
  • Quality of Protection
For Security Verify Access IP address support:
  • You can grant access to a protected resource based on the IP address that is used by the identity. For example, only users from IP address 9.18.n.n are allowed to access the protected resource.
  • You can define that an additional authentication level is required to access this protected resource based on the IP address that is used by the identity. The step-up level authentication is described in Configure levels for step-up authentication and the IBM Security Verify Access for Web: WebSEAL Administration Guide.
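The following is an added illustration, not Security Verify Access or WebSEAL code, of how a resource manager combines the ACL answer with the POP conditions described above. It is a simplified model covering time-of-day access, the IP endpoint policy with per-network authentication levels (including the step-up case) and warning mode; the field names, the FORBIDDEN marker and the 9.18.0.0/16 and 10.0.0.0/8 sample networks are assumptions made for the example.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime
from ipaddress import ip_address, ip_network

FORBIDDEN = -1  # constructed marker: addresses in this network are never allowed in

@dataclass
class Pop:
    """A subset of the POP attributes from Table 1 (simplified model, not the product's)."""
    name: str
    warning_mode: bool = False
    audit_level: str = "none"                   # all, none, successful, denied, error
    tod_days: frozenset = frozenset(range(7))   # permitted weekdays, Monday = 0
    tod_window: tuple = (0, 2400)               # permitted HHMM window, local time
    ipauth: dict = field(default_factory=dict)  # network -> required authentication level
    any_other_nw: int = 0                       # level for addresses outside listed networks

def evaluate(pop, acl_permits, client_ip, auth_level, when):
    """Return the outcome the resource manager must enforce for one request."""
    if not acl_permits:  # the ACL yes/no decision always comes first
        return {"decision": "deny", "reasons": ["acl"],
                "audit": pop.audit_level in ("all", "denied")}
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    failures = []
    hhmm = when.hour * 100 + when.minute
    start, end = pop.tod_window
    if when.weekday() not in pop.tod_days or not (start <= hhmm < end):
        failures.append("time-of-day")
    addr = ip_address(client_ip)
    required = next((lvl for net, lvl in pop.ipauth.items()
                     if addr in ip_network(net)), pop.any_other_nw)
    if required == FORBIDDEN:
        failures.append("ip-forbidden")
    if failures and not pop.warning_mode:  # warning mode logs instead of denying
        return {"decision": "deny", "reasons": failures,
                "audit": pop.audit_level in ("all", "denied")}
    if required != FORBIDDEN and auth_level < required:
        # Not a denial: the resource manager drives step-up authentication.
        return {"decision": "step-up", "required_level": required,
                "warnings": failures, "audit": pop.audit_level == "all"}
    return {"decision": "permit", "warnings": failures,
            "audit": pop.audit_level in ("all", "successful")}

# Constructed sample: weekday office hours, 9.18.n.n at level 0,
# 10.n.n.n must step up to level 2, every other network is refused.
SAMPLE_POP = Pop("intranet-hours", audit_level="denied",
                 tod_days=frozenset(range(5)), tod_window=(900, 1700),
                 ipauth={"9.18.0.0/16": 0, "10.0.0.0/8": 2}, any_other_nw=FORBIDDEN)
WARNING_POP = replace(SAMPLE_POP, warning_mode=True)  # same policy, test mode
```

Running evaluate against SAMPLE_POP for a weekday 10:00 request from 9.18.1.2 permits, from 10.1.1.1 at level 1 asks for step-up to level 2, and from 192.0.2.5 denies; the same out-of-hours request against WARNING_POP is permitted with a "time-of-day" warning.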