6.0 Access Manager Policies

Policies provide the authorization component of Access Manager. The administrator of the Identity Server uses policies to define how properties of a user’s authenticated identity (for example, LDAP attribute values) map to the set of roles that are active for that user. This role assignment is the starting point for the role-based authorization policies of the Access Gateway. You can also define authorization policies that control access to protected resources based on user and system attributes other than assigned roles.

Policies are very flexible. You can, for example, set up a policy that permits or denies access to a protected Web site, depending on user roles (such as employee or manager), the value of an LDAP attribute, or the user’s IP address.

The Access Gateway includes an Embedded Service Provider agent that interacts with the Identity Server to provide authentication, policy decision, and policy enforcement. For Web application servers, the Access Gateway can inject the user’s roles into HTTP headers so that the Web server’s own authorization processing can act on them. Because the Web server then trusts those headers, it must accept them only on requests that reach it through the Access Gateway; a client that can reach the Web server directly could otherwise supply the header itself.
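The flow described above, as an added illustration rather than Access Manager code: a role policy derives roles from attributes of the authenticated identity, an authorization policy then permits or denies a protected resource based on roles, an attribute value, or the client IP address, and on permit the gateway forwards the roles to the Web server in a header that the Web server honours only when the request demonstrably came through the gateway. The attribute names, the sample identities, the header names (`X-Roles`, `X-Gateway-Token`) and the shared-secret check are assumptions made for this example, not Access Manager’s actual configuration or header format.

```python
"""Added example of role assignment, policy evaluation and role-header handoff.
Not Access Manager code; header names, attribute names and the shared-secret
check that proves a request came via the gateway are assumptions."""
import hmac
import ipaddress

# Constructed sample identities as the Identity Server would see them after login.
ALICE = {"uid": "alice", "department": "engineering", "title": "Manager"}
BOB = {"uid": "bob", "department": "contractors", "title": "Consultant"}

# Role policies: an attribute value maps to a role. A user can hold several roles.
ROLE_POLICIES = [
    {"role": "employee", "attribute": "department", "values": {"engineering", "sales"}},
    {"role": "manager", "attribute": "title", "values": {"Manager", "Director"}},
]

# Authorization policy for one protected resource. Rules are evaluated in order,
# the first matching rule decides, and a request that matches no rule is denied.
AUTHZ_POLICIES = [
    # Nobody may reach the resource from outside the (assumed) corporate network.
    {"effect": "deny", "ip_not_in": ["10.0.0.0/8"]},
    {"effect": "permit", "roles_any": {"manager"}},
    {"effect": "permit", "roles_any": {"employee"},
     "attribute": ("department", {"engineering"})},
]


def assign_roles(identity):
    """Role policy: collect every role whose attribute condition the identity meets."""
    return {p["role"] for p in ROLE_POLICIES
            if identity.get(p["attribute"]) in p["values"]}


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def rule_matches(rule, identity, roles, client_ip):
    """All conditions present on a rule must hold for the rule to match."""
    if "ip_not_in" in rule and _ip_in_any(client_ip, rule["ip_not_in"]):
        return False
    if "ip_in" in rule and not _ip_in_any(client_ip, rule["ip_in"]):
        return False
    if "roles_any" in rule and not (roles & rule["roles_any"]):
        return False
    if "attribute" in rule:
        name, allowed = rule["attribute"]
        if identity.get(name) not in allowed:
            return False
    return True


def authorize(identity, client_ip):
    """Return (decision, roles); decision is 'permit' or 'deny', deny by default."""
    roles = assign_roles(identity)
    for rule in AUTHZ_POLICIES:
        if rule_matches(rule, identity, roles, client_ip):
            return rule["effect"], roles
    return "deny", roles


# Gateway side: on permit, forward the roles to the Web server in a header.
ROLE_HEADER = "X-Roles"                   # assumed header name
GATEWAY_HEADER = "X-Gateway-Token"        # assumed; marks a hop that came via the gateway
GATEWAY_SECRET = "example-shared-secret"  # constructed; known only to gateway and Web server


def gateway_forward(identity, client_ip):
    """Headers the gateway would add to a permitted request, or None on deny."""
    decision, roles = authorize(identity, client_ip)
    if decision != "permit":
        return None
    return {ROLE_HEADER: ",".join(sorted(roles)), GATEWAY_HEADER: GATEWAY_SECRET}


def backend_roles(headers, secret=GATEWAY_SECRET):
    """Web server side: honour the injected role header only when the request
    carries the gateway's token; a direct request with a forged X-Roles gets none."""
    token = headers.get(GATEWAY_HEADER, "")
    if not hmac.compare_digest(token, secret):
        return set()
    return {r for r in headers.get(ROLE_HEADER, "").split(",") if r}
```

The deny-by-default fallthrough in `authorize` and the token check in `backend_roles` are the two points a reviewer would look for: the first keeps an unmatched request from slipping through, the second keeps the role header from being spoofed by a client that bypasses the gateway. In a real deployment the gateway-to-backend hop would be authenticated by network placement or mutual TLS rather than a static header value; the shared token here only stands in for that.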

This section describes how Access Manager uses policies to assign roles, to control access, and to enable single sign-on to resources that require credentials. Topics include: