Defining the Authorization Policy

Introduction

One of the key capabilities of the IBM Application Gateway (IAG) is being able to apply authorization policies to requests, controlling who is able to access your protected resources. A detailed description of the authorization policy concepts is contained in the Authorization page.

Configuration

Rule Definition

Frequently used authorization rules can be defined in the authorization rules YAML node. Once defined, these rules can be referenced by name within the authorization policy definition itself.

Policy Definition

The authorization policy, which controls who can access the protected resources, can be defined in the authorization policies YAML node.

If no authorization policy is defined, the default policy is to:

  1. Allow any authenticated user access, if an identity provider is defined;
  2. Allow any user access (without requiring authentication), if no identity provider is defined.

An example configuration file, which illustrates how to define an authorization policy, is also available in the Authorization example page.