IBM WebSphere XML Document Management Server, Version 7.0

Policy based authorization

Policy based authorization allows users to specify authorization rules by sending XCAP requests to create, update, or delete authorization documents.

The authorization policy documents are based on the IETF common policy specification draft-ietf-geopriv-common-policy-11 and the OMA common policy extensions documented in section 5.2.2 of the XDM_Core_V2 specification.

A common policy document contains a set of rules. Each rule contains three elements: conditions, transformations, and actions. IBM® XDMS evaluates only the conditions element; transformations and actions are not supported.

The IETF geopriv common policy provides ways to specify the following identities:

The OMA XDM Core extends the conditions element to allow references besides the identity element:

The IBM XDMS provides a way to specify authorization policies at various levels of the XCAP URI path hierarchy. The URI and the name of the policy document determine the access type that the policy grants.

Here are the various levels where authorization policies can be applied:

Table 1. Access levels for authorization policies

Access type: Global directory
Description: Who has access to all documents in the global directory.
Policy document XCAP URI: http://xcapHost:xcapPort/services/com.ibm.auid-acls/global/directory.xml

Access type: Global file
Description: Who has access to a specific document in the global directory.
Policy document XCAP URI: http://xcapHost:xcapPort/services/com.ibm.auid-acls/global/<global_document>

Access type: XUI domain
Description: Who has access to all documents that match an XUI domain or subdomain. The XUI for the domain is specified with the domain scheme, such as "domain:<subdomain>". This prevents name collisions with a real user within the XUI.
Policy document XCAP URI: http://xcapHost:xcapPort/services/com.ibm.auid-acls/users/domain:<subdomain>/directory.xml

Access type: XUI directory
Description: Who has access to all documents in the XUI directory.
Policy document XCAP URI: http://xcapHost:xcapPort/services/com.ibm.auid-acls/users/<XUI>/directory.xml

Access type: XUI file
Description: Who has access to a specific document in the XUI directory.
Policy document XCAP URI: http://xcapHost:xcapPort/services/com.ibm.auid-acls/users/<XUI>/<XUI_document>

The AUID for authorization policy documents depends on the AUID of the document being protected. The suggested naming convention is com.ibm.auid-acls, where auid is the AUID of the protected document. For example, the authorization policy AUID for the resource-lists AUID is com.ibm.resource-lists-acls.
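The following script is an added example (not IBM code) that applies the URI layout of Table 1 and the com.ibm.auid-acls naming convention above: given the XCAP URI of a protected document, it lists every authorization policy document that can govern it, most specific first, so an administrator can review the right ACL documents. It assumes the standard XCAP path shape /services/<auid>/global/<doc> or /services/<auid>/users/<xui>/<doc>, that a node selector after ~~ does not change which policy applies, and that a subdomain policy applies to every parent domain of the XUI as well.

```python
from urllib.parse import urlsplit, unquote

# Assumption: an XUI such as sip:alice@east.example.com has the domain after '@';
# an XUI without '@' is treated as having no domain-level policy.
def _domain_of(xui):
    return xui.split("@", 1)[1].lower() if "@" in xui else None

def policy_documents(uri):
    """Return [(access_type, policy_document_uri), ...], most specific first.

    Policy URIs follow Table 1; the ACL AUID follows the page's naming
    convention com.ibm.<auid>-acls (e.g. resource-lists -> com.ibm.resource-lists-acls).
    """
    parts = urlsplit(uri)
    segs = [unquote(s) for s in parts.path.split("/") if s]
    # Minimal shape: services / <auid> / global|users / ...
    if len(segs) < 4 or segs[0] != "services":
        raise ValueError("not an XCAP document URI: " + uri)
    auid, tree = segs[1], segs[2]
    base = "%s://%s/services/com.ibm.%s-acls" % (parts.scheme, parts.netloc, auid)
    result = []
    if tree == "global":
        doc = segs[3]  # anything after a '~~' node selector is ignored
        result.append(("Global file", "%s/global/%s" % (base, doc)))
        result.append(("Global directory", "%s/global/directory.xml" % base))
    elif tree == "users" and len(segs) >= 5:
        xui, doc = segs[3], segs[4]
        result.append(("XUI file", "%s/users/%s/%s" % (base, xui, doc)))
        result.append(("XUI directory", "%s/users/%s/directory.xml" % (base, xui)))
        domain = _domain_of(xui)
        if domain:
            labels = domain.split(".")
            # Assumption: a policy for east.example.com and one for example.com
            # both apply; stop before the bare top-level label.
            for i in range(len(labels) - 1):
                sub = ".".join(labels[i:])
                result.append(("XUI domain", "%s/users/domain:%s/directory.xml" % (base, sub)))
    else:
        raise ValueError("unrecognized XCAP tree in: " + uri)
    return result

if __name__ == "__main__":
    # Constructed sample URI, not from the product documentation.
    sample = ("http://xcap.example.com:8080/services/resource-lists/users/"
              "sip:alice@east.example.com/index/~~/resource-lists")
    for level, policy_uri in policy_documents(sample):
        print("%-16s %s" % (level, policy_uri))
```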

The IBM authorization policy includes a schema that describes the special authorization rules allowed in an authorization policy. The id attribute of a rule describes the access level and can take the following values:
The following elements are listed in the Open Mobile Alliance specifications for policy documents but are not supported by the IBM XDMS:

You can create policy documents using any editor you choose.

(C) Copyright IBM Corporation 2009. All Rights Reserved.