Policies provide the authorization component of Access Manager. The administrator of Identity Server can use policies to define how properties of a user’s authenticated identity map to the set of active roles for the user. This role definition serves as the starting point for role-based authorization policies of Access Gateway. Additionally, you can define authorization policies to control access to protected resources based on user and system attributes other than assigned roles.
Policies are very flexible. For example, you can set up a policy that allows or denies access to a protected website, depending on user roles (such as employee or manager), the value of an LDAP attribute, or the user’s IP address.
Access Gateway includes an Embedded Service Provider agent that interacts with Identity Server to provide authentication, policy decision, and policy enforcement. For web application servers, Access Gateway provides the ability to inject the user’s roles into HTTP headers to allow integration with the web server’s authorization processes.
This section describes how Access Manager uses policies to assign roles, to control access to protected resources, and to enable single sign-on to resources that require credentials.