
We Have Moved

The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway

The documentation on this site will no longer be maintained after v21.02; please update your bookmarks.


Rules

Description

The gateway can apply authorization rules to incoming requests. A rule can be either:

  • defined inline in a policies:authorization entry, or
  • defined here, in the authorization:rules section, and referenced by name from a policies:authorization entry.

This entry defines the named rules that a policies:authorization entry can refer to. It is an array, so multiple rules can be specified, each identified by its name.

Rule Format

Authorization rules are composed of credential attribute names, double-quoted string values (as in the examples below) and the following operators:

Name                     Values
logical operators        and, or, not
multi-valued operators   any, all
relational operators     =, !=, matches, >, >=, <, <=, exists

Parentheses can be used to control the order of evaluation.

Examples:

Rule
  Description

(any groupIds = "administrator")
  Match when the user is in the administrator group.

(all authenticationLevels >= "2")
  Match when all credential authenticationLevels are at least level 2.

(attribute_a matches "a(?:bc)*")
  Match when the value of the credential attribute "attribute_a" matches the regular expression.

(level >= "2") and (any groupIds = "forbidden")
  Match when the credential attribute "level" is at least level 2 and the user is in the forbidden group.

(not exists attribute_c)
  Match when the credential does not have an attribute named "attribute_c".

(AZN_CRED_PRINCIPAL_NAME = "user_a")
  Match when the credential attribute "AZN_CRED_PRINCIPAL_NAME" is equal to "user_a".
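The operators above form a small expression language. The Python evaluator below is an added example, not code from the IBM Application Gateway: it tokenizes and parses rules written in the format described on this page and evaluates them against a constructed credential (a dict mapping attribute names to a value or a list of values). Where the page does not pin down semantics, the code makes assumptions, each marked in a comment: not binds tighter than and, which binds tighter than or; a comparison with no any/all quantifier matches if any value matches; matches requires the regular expression to match the whole value; values that look numeric are compared numerically (so level >= "10" is not a string comparison), otherwise as strings; and a missing attribute never satisfies a comparison. The credential, the rule strings beyond those on this page, and the function names are all constructed for the example. Use it to sanity-check rules and their parenthesization before putting them in a policy, not as a statement of the gateway's own behaviour.

```python
import re

# Added example, not IBM Application Gateway code. Tokens: parentheses,
# double-quoted strings, relational operators, and words (keywords or attribute names).
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(!=|>=|<=|=|>|<)|([A-Za-z_][A-Za-z0-9_]*))')
KEYWORDS = {"and", "or", "not", "any", "all", "matches", "exists"}
NUMERIC_RE = re.compile(r"-?\d+(?:\.\d+)?")


def tokenize(rule):
    """Split a rule into (kind, text) tokens; any character outside the grammar is an error."""
    rule = rule.strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {rule[pos]!r}")
        pos = m.end()
        lpar, rpar, string, op, word = m.groups()
        if lpar or rpar:
            tokens.append(("paren", lpar or rpar))
        elif string is not None:
            tokens.append(("str", string))
        elif op:
            tokens.append(("op", op))
        else:
            tokens.append(("kw" if word in KEYWORDS else "ident", word))
    return tokens


class Parser:
    """Recursive-descent parser. Assumed precedence (tightest first): not, and, or."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind or 'a token'}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected trailing token {self.peek()}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == ("kw", "and"):
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.peek()
        if tok == ("kw", "not"):
            self.take()
            return ("not", self.unary())
        if tok == ("paren", "("):
            self.take()
            node = self.or_expr()
            self.take("paren", ")")
            return node
        if tok == ("kw", "exists"):
            self.take()
            return ("exists", self.take("ident")[1])
        quant = "any"  # assumption: an unquantified comparison matches if any value matches
        if tok in (("kw", "any"), ("kw", "all")):
            quant = self.take()[1]
        attr = self.take("ident")[1]
        op = self.take()[1] if self.peek() == ("kw", "matches") else self.take("op")[1]
        return ("cmp", quant, attr, op, self.take("str")[1])


def _compare(actual, op, expected):
    if op == "matches":  # assumption: the regex must match the whole value
        return re.fullmatch(expected, actual) is not None
    # assumption: numeric comparison only when both sides look numeric, else string comparison
    if NUMERIC_RE.fullmatch(actual) and NUMERIC_RE.fullmatch(expected):
        actual, expected = float(actual), float(expected)
    return {"=": actual == expected, "!=": actual != expected, ">": actual > expected,
            ">=": actual >= expected, "<": actual < expected, "<=": actual <= expected}[op]


def _values(cred, attr):
    """Normalise a credential attribute to a list of strings ([] when absent)."""
    v = cred.get(attr)
    if v is None:
        return []
    return [str(x) for x in v] if isinstance(v, (list, tuple, set)) else [str(v)]


def evaluate(node, cred):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], cred) and evaluate(node[2], cred)
    if kind == "or":
        return evaluate(node[1], cred) or evaluate(node[2], cred)
    if kind == "not":
        return not evaluate(node[1], cred)
    if kind == "exists":
        return bool(_values(cred, node[1]))
    _, quant, attr, op, expected = node
    vals = _values(cred, attr)
    if not vals:
        return False  # assumption: a missing attribute never satisfies a comparison
    hits = [_compare(v, op, expected) for v in vals]
    return all(hits) if quant == "all" else any(hits)


def matches_rule(rule, cred):
    """Parse and evaluate a rule string against a credential dict."""
    return evaluate(Parser(tokenize(rule)).parse(), cred)


def is_valid_rule(rule):
    """True when the rule parses; useful as a pre-deployment check of a config file."""
    try:
        Parser(tokenize(rule)).parse()
        return True
    except ValueError:
        return False


# Constructed sample credential for the example (not captured from the product).
CREDENTIAL = {
    "AZN_CRED_PRINCIPAL_NAME": "user_a",
    "groupIds": ["staff", "administrator"],
    "authenticationLevels": ["2", "3"],
    "level": "2",
    "attribute_a": "abcbc",
}

if __name__ == "__main__":
    for rule in ('(any groupIds = "administrator")',
                 '(level >= "2") and (any groupIds = "forbidden")',
                 'not exists attribute_c and any groupIds = "forbidden"',
                 'not (exists attribute_c and any groupIds = "forbidden")'):
        print(f"{matches_rule(rule, CREDENTIAL)!s:5} {rule}")
```

The last two rules in the demo differ only in parentheses and evaluate differently: without them, not applies only to exists attribute_c, so the rule fails on the forbidden-group check; with them, the whole conjunction is negated and the rule matches. That is the kind of reading error a validation pass over a policy file should catch before the rule goes live.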

Properties

The following table describes the configuration properties for this component:

Name   Type     Constraints   Description
name   string                 The name which will be given to this authorization rule.
rule   string                 The authorization rule. See the Rule Format table for a description of the expected format.

Example

authorization:
  rules:
    - name: ruleA
      rule: (any groupIds = "administrator")