Policy-based authorization lets users specify authorization rules by sending XCAP requests that create, update, or delete authorization policy documents.
The authorization policy documents are based on the IETF common policy specification draft-ietf-geopriv-common-policy-11 and the OMA common policy extensions documented in section 5.2.2 of the XDM_Core_V2 specification.
A common policy document contains a set of rules. Each rule has three elements: conditions, transformations, and actions. IBM® XDMS evaluates only the conditions element; transformations and actions are not used. Which type of access a matching rule grants is determined instead by the URI of the policy document, as described in the table below.
The IETF geopriv common policy provides ways to specify the following identities:
IBM XDMS lets you specify authorization policies at several levels of the XCAP URI path hierarchy. The URI and name of the policy document determine the access type that it grants.
Access type | Description | Policy document XCAP URI |
---|---|---|
Global directory | Who has access to all documents in the global directory. | http://xcapHost:xcapPort/services/com.ibm.auid-acls/global/directory.xml |
Global file | Who has access to a specific document in the global directory. | http://xcapHost:xcapPort/services/com.ibm.auid-acls/global/<global_document> |
XUI domain | Who has access to all documents whose XUI matches a domain or subdomain. The XUI for the domain is written with the domain scheme, for example "domain:<subdomain>", which prevents name collisions with the XUI of a real user. | http://xcapHost:xcapPort/services/com.ibm.auid-acls/users/domain:<subdomain>/directory.xml |
XUI directory | Who has access to all documents in the XUI directory. | http://xcapHost:xcapPort/services/com.ibm.auid-acls/users/<XUI>/directory.xml |
XUI file | Who has access to a specific document in the XUI directory. | http://xcapHost:xcapPort/services/com.ibm.auid-acls/users/<XUI>/<XUI_document> |
The AUID of an authorization policy document is derived from the AUID of the document that it protects. The suggested naming convention is com.ibm.<auid>-acls, where <auid> is the AUID of the protected document. For example, the authorization policy AUID for the resource-lists AUID is com.ibm.resource-lists-acls.
You can create policy documents with any editor you choose and store them on the server with an XCAP PUT request to the policy document URI.
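The following Python example is added here to illustrate both the rule/conditions/identity structure of a common policy document and the com.ibm.<auid>-acls URI scheme from the table above; it is not IBM XDMS product code. It uses the one, many and except identity elements of the IETF common policy (draft-ietf-geopriv-common-policy, later RFC 4745). The XCAP host and port, the sample XUIs and rule contents, the application/auth-policy+xml media type (the RFC 4745 type, assumed to be what the server accepts), and the matching logic in grants() (a rule whose identity condition matches the requester is treated as granting the access type the document URI denotes, because this page states that actions and transformations are not used) are assumptions and not taken from this page.

```python
"""Build an IBM XDMS-style authorization policy document and the XCAP URI
it must be PUT to. Added example, not IBM product code; host/port, sample
identities, media type and the grant semantics are assumptions."""
import urllib.request
import xml.etree.ElementTree as ET

CP_NS = "urn:ietf:params:xml:ns:common-policy"       # IETF common policy namespace
ET.register_namespace("", CP_NS)                       # serialize with a default xmlns
XCAP_ROOT = "http://xcap.example.com:8080/services"    # assumed xcapHost:xcapPort


def q(tag):
    """Clark-notation name for a common-policy element."""
    return f"{{{CP_NS}}}{tag}"


def acl_auid(protected_auid):
    """Policy AUID for a protected AUID, following the com.ibm.<auid>-acls convention."""
    return f"com.ibm.{protected_auid}-acls"


def _require(value, name, access_type):
    if not value:
        raise ValueError(f"access type {access_type!r} needs {name}")
    return value


def acl_uri(protected_auid, access_type, xui=None, subdomain=None, document=None):
    """XCAP URI of the policy document that grants one of the five access types."""
    base = f"{XCAP_ROOT}/{acl_auid(protected_auid)}"
    if access_type == "global-directory":
        return f"{base}/global/directory.xml"
    if access_type == "global-file":
        return f"{base}/global/{_require(document, 'document', access_type)}"
    if access_type == "xui-domain":
        return f"{base}/users/domain:{_require(subdomain, 'subdomain', access_type)}/directory.xml"
    if access_type == "xui-directory":
        return f"{base}/users/{_require(xui, 'xui', access_type)}/directory.xml"
    if access_type == "xui-file":
        return (f"{base}/users/{_require(xui, 'xui', access_type)}"
                f"/{_require(document, 'document', access_type)}")
    raise ValueError(f"unknown access type {access_type!r}")


def build_ruleset(rules):
    """Serialize rules as a common-policy ruleset with only a conditions element per rule.

    Each rule is {"id": str, "one": [XUI, ...], "many": [(domain or None, [excluded XUI, ...])]}.
    Transformations and actions are omitted, as the page says XDMS does not use them."""
    root = ET.Element(q("ruleset"))
    for spec in rules:
        rule = ET.SubElement(root, q("rule"), id=spec["id"])
        identity = ET.SubElement(ET.SubElement(rule, q("conditions")), q("identity"))
        for uri in spec.get("one", []):
            ET.SubElement(identity, q("one"), id=uri)            # a single identity
        for domain, excluded in spec.get("many", []):
            many = ET.SubElement(identity, q("many"), **({"domain": domain} if domain else {}))
            for uri in excluded:
                ET.SubElement(many, q("except"), id=uri)         # carve-out from the domain
    return ET.tostring(root, encoding="unicode")


def grants(ruleset_xml, requester):
    """Id of the first rule whose identity condition matches the requester XUI, else None.

    Assumed semantics: a match grants the access type denoted by the document URI."""
    root = ET.fromstring(ruleset_xml)
    requester_domain = requester.rpartition("@")[2]
    for rule in root.findall(q("rule")):
        identity = rule.find(f"{q('conditions')}/{q('identity')}")
        if identity is None:
            continue
        if any(one.get("id") == requester for one in identity.findall(q("one"))):
            return rule.get("id")
        for many in identity.findall(q("many")):
            if many.get("domain") not in (None, requester_domain):   # no domain = any user
                continue
            if any(ex.get("id") == requester for ex in many.findall(q("except"))):
                continue
            return rule.get("id")
    return None


def xcap_put_request(uri, body):
    """Build (but do not send) the XCAP PUT that creates or replaces the policy document."""
    return urllib.request.Request(
        uri, data=body.encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/auth-policy+xml"},  # assumed media type
    )


# Constructed sample: bob, and everyone in example.com except mallory, match a rule.
SAMPLE_RULES = [
    {"id": "friend", "one": ["sip:bob@example.com"]},
    {"id": "colleagues", "many": [("example.com", ["sip:mallory@example.com"])]},
]

if __name__ == "__main__":
    doc = build_ruleset(SAMPLE_RULES)
    uri = acl_uri("resource-lists", "xui-file", xui="sip:alice@example.com", document="index")
    print(uri)
    print(doc)
    for who in ("sip:bob@example.com", "sip:carol@example.com", "sip:mallory@example.com"):
        print(who, "->", grants(doc, who))
    # urllib.request.urlopen(xcap_put_request(uri, doc))  # send to a real XDMS (with credentials)
```

The URI in the sample protects alice's resource-lists "index" document (XUI file access type); changing the access type argument to "xui-directory" or "xui-domain" moves the same ruleset up the path hierarchy without touching its contents. The missing-argument checks in acl_uri() matter in practice: a directory.xml accidentally written where a per-file policy was intended widens access to every document in that directory.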