We Have Moved
The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway
The documentation on this site will no longer be maintained after v21.02. Please update your bookmarks.
The gateway can apply authorization rules to incoming requests. These rules can be either:
- Defined directly in a policies:authorization entry.
- Defined here in the authorization section and referenced by name in a policies:authorization entry.
This entry defines authorization rules which can be referred to by name in a policies:authorization entry.
This entry is an array and can be used to specify multiple rules.
Authorization rules are composed of credential attributes and the following operators:

| Operator type | Operators |
|---|---|
| logical operators | and, or, not |
| multi-valued operators | any, all |
| relational operators | =, !=, matches, >, >=, <, <=, exists |

Parentheses can be used to control the order of evaluation.

| Rule | Description |
|---|---|
| (any groupIds = "administrator") | Match when the user is in the administrator group. |
| (all authenticationLevels >= "2") | Match when all credential authenticationLevels are at least level 2. |
| (attribute_a matches "a(?:bc)*") | Match when the value of the credential attribute "attribute_a" matches the regular expression. |
| (level >= "2") and (any groupIds = "forbidden") | Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group. |
| (not exists attribute_c) | Match when the credential does not have an attribute named "attribute_c". |
| (AZN_CRED_PRINCIPAL_NAME = "user_a") | Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a". |
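
An added example, not part of the gateway or its documentation: a small Python model of the rule format above, for checking how a rule evaluates against a sample credential before deploying it. The names `TOKEN`, `RELOPS`, `CRED` and `evaluate` are hypothetical, and the semantics marked as assumptions in the comments (whole-value regex matching, numeric comparison of integer strings, "and" binding tighter than "or", a missing attribute never matching, no quantifier meaning "any") are this example's choices and should be confirmed against the gateway itself.

```python
import re
from operator import eq, ge, gt, le, lt, ne
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|!=|>=|<=|=|>|<|[A-Za-z_]\w*)')
RELOPS = {"=": eq, "!=": ne, ">": gt, ">=": ge, "<": lt, "<=": le}
CRED = {"AZN_CRED_PRINCIPAL_NAME": ["user_a"], "groupIds": ["staff", "administrator"],
        "authenticationLevels": ["1", "2"], "level": ["2"]}  # constructed sample credential

def _compare(op, left, right):
    if op == "matches":  # assumption: the regex must match the whole value
        return re.fullmatch(right, left) is not None
    if left.isdecimal() and right.isdecimal():  # assumption: integers compare numerically
        left, right = int(left), int(right)
    return RELOPS[op](left, right)

def evaluate(rule, cred=CRED):
    """Return True when rule matches cred; ValueError/IndexError if the rule is malformed."""
    if TOKEN.sub("", rule).strip():
        raise ValueError("unrecognised text in rule")
    toks = TOKEN.findall(rule)
    def factor():
        tok = toks.pop(0)
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            if toks.pop(0) != ")":
                raise ValueError("expected )")
            return val
        if tok == "exists":
            return toks.pop(0) in cred
        quant = all if tok == "all" else any  # assumption: no quantifier means "any"
        if tok in ("any", "all"):
            tok = toks.pop(0)
        op, lit = toks.pop(0), toks.pop(0)
        if not tok.isidentifier() or op not in (*RELOPS, "matches") or lit[0] != '"':
            raise ValueError('expected: attribute operator "value"')
        values = cred.get(tok, [])  # assumption: a missing attribute never matches
        return bool(values) and quant(_compare(op, v, lit[1:-1]) for v in values)
    def expr(word="or"):  # assumption: "and" binds tighter than "or"
        operand = (lambda: expr("and")) if word == "or" else factor
        vals = [operand()]
        while toks and toks[0] == word:
            toks.pop(0)
            vals.append(operand())
        return any(vals) if word == "or" else all(vals)
    result = expr()
    if toks:
        raise ValueError("unexpected token " + toks[0])
    return result
```

Under these assumptions a negated match such as `not (any groupIds = "forbidden")` is true for a credential that has no groupIds attribute at all, so deny-style rules are worth pairing with an `exists` check.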
The following table(s) describe the configuration properties for this component:

| Name | Type | Description |
|---|---|---|
| name | string | The name which will be given to this authorization rule. |
| rule | string | The authorization rule. See the Rule Format table for a description of the expected format. |

```yaml
authorization:
  rules:
    - name: ruleA
      rule: (any groupIds = "administrator")
```