6.1.1 Selecting a Policy Type

Access Manager uses the policy type to define the context within which a policy is evaluated. Each policy type serves a different purpose, and that purpose determines which conditions and actions are available. For example, the conditions and actions of an Authorization policy differ from those of an Identity Injection policy.

When you click New on the Policies page, the system displays the predefined policy types. Each policy type represents a set of available conditions and actions. You then configure rules to determine user roles, make decision requests, and enforce authorization decisions. You can also set up policies with no conditions, allowing actions to always take place. You can make policies simpler and more manageable by designing policies with conditions that deny or restrict access to large groups of users, rather than setting up policies for individual users.

Access Manager has the following policy types:

| Type | Description |
|------|-------------|
| Access Gateway: Authorization | To permit or deny access to protected resources, such as web servers. After you set up the protected resource, use the policy rules to define how you want to restrict access. For example, if a user is denied access to a resource, you can use the policy to redirect them to a URL where they can request access to the resource. |
| Access Gateway: Identity Injection | To evaluate the rules for Identity Injection, which retrieves identity data from a data source (user store) and forwards it to web applications. Such a policy can enable single sign-on (SSO). After the user is authenticated, the policy supplies the information required by the resource rather than allowing the resource to prompt the user for the information. |
| Access Gateway: Form Fill | To automatically fill in the information required in a form after the form is filled the first time. Use this policy to configure SSO for resources that require form data and to inject JavaScript into HTML pages. |
| Identity Server: Roles | To evaluate rules for establishing the roles of an authenticated user. Roles are generated based on policy statements each time a user authenticates. Roles are placed into an Authentication Profile, which can be used as input in policies for Authorization or Identity Injection. |
| Identity Server: External Attribute Source | To create a policy that retrieves attributes from external sources. |