Presence authorization rules offer a highly flexible way for presentities to control who can access their presence information and what parts of the information are exposed.
Because presence information is sensitive, it is often a good practice to require authorization from a presentity (user) before the user's presence information can be sent to other subscribers. Presence authorization rules, using the format defined by IETF RFC 4745 and RFC 5025, give presentities a great deal of flexibility in controlling who has access to their presence information and what parts of the presence information are exposed.
Using authorization rules, Presence Server evaluates every incoming SIP request and determines whether to allow it. Each request is then allowed, polite-blocked, blocked, placed in a pending state until the presentity confirms that the sender is authorized, or left in an undefined state. In each case an appropriate notification is returned to the sender.
The following illustration shows how one presentity (Bob) can use presence authorization rules to determine the degree to which others can access his presence information. As he monitors watcher information, Bob can adjust his authorization rules as needed to extend access to new watchers.
Samples for presence authorization rules, including conditions, actions, and transformations, are found in sections 6 and 7 of the IETF standard, Presence Authorization Rules (RFC 5025).
To configure Presence Server so that it uses authorization rules, ensure that WebSphere® Application Server Network Deployment application security is enabled. Then edit the SystemConfiguration.xml file and set enable="true" on the presenceRules tag. See the topic Configuring authorization for more details.
Note that, even when presence authorization rules are enabled, they can be overridden by white-list and black-list definitions. When white-list and black-list definitions are enabled, requests from subscribers on the white-list are always allowed, and requests from subscribers on the black-list are always blocked, regardless of what is specified in the authorization rules.
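The following is an added example, not Presence Server code, showing how a RFC 4745/RFC 5025 ruleset is evaluated for a single watcher (the rule evaluation described above) and how a white-list or black-list definition overrides the result. The ruleset for Bob is constructed for this example; identity matching is limited to the `<one>`, `<many>` and `<except>` elements, and matching rules are combined by taking the most permissive sub-handling as RFC 5025 specifies.

```python
"""Evaluate RFC 4745 / RFC 5025 presence authorization rules for one watcher."""
import xml.etree.ElementTree as ET

CP = "{urn:ietf:params:xml:ns:common-policy}"
PR = "{urn:ietf:params:xml:ns:pres-rules}"
# RFC 5025 section 3.2.1: when several rules match, the most permissive handling wins.
RANK = {"block": 0, "confirm": 1, "polite-block": 2, "allow": 3}
# Constructed sample ruleset for presentity Bob (hypothetical, not from the page).
BOB_RULES = """<cp:ruleset xmlns:cp="urn:ietf:params:xml:ns:common-policy"
            xmlns:pr="urn:ietf:params:xml:ns:pres-rules">
  <cp:rule id="colleagues">
    <cp:conditions><cp:identity>
      <cp:many domain="example.com"><cp:except id="sip:mallory@example.com"/></cp:many>
    </cp:identity></cp:conditions>
    <cp:actions><pr:sub-handling>confirm</pr:sub-handling></cp:actions>
  </cp:rule>
  <cp:rule id="alice">
    <cp:conditions><cp:identity><cp:one id="sip:alice@example.com"/></cp:identity></cp:conditions>
    <cp:actions><pr:sub-handling>allow</pr:sub-handling></cp:actions>
  </cp:rule>
</cp:ruleset>"""

def identity_matches(identity, watcher):
    """RFC 4745 <identity>: <one id> exact match, or <many domain> minus its <except>s."""
    domain = watcher.rsplit("@", 1)[-1] if "@" in watcher else ""
    if any(one.get("id") == watcher for one in identity.findall(CP + "one")):
        return True
    for many in identity.findall(CP + "many"):
        if many.get("domain") not in (None, domain):  # bare <many/> matches any domain
            continue
        if any(e.get("id") == watcher or e.get("domain") == domain
               for e in many.findall(CP + "except")):
            continue
        return True
    return False

def evaluate(ruleset_xml, watcher, whitelist=(), blacklist=()):
    """Sub-handling for a SUBSCRIBE: allow, polite-block, block, confirm or undefined."""
    if watcher in whitelist:  # list definitions override the rules entirely
        return "allow"
    if watcher in blacklist:
        return "block"
    decision = None  # stays None when no rule matches: the undefined state
    for rule in ET.fromstring(ruleset_xml).findall(CP + "rule"):
        identity = rule.find(f"{CP}conditions/{CP}identity")
        if identity is None or not identity_matches(identity, watcher):
            continue
        handling = rule.findtext(f"{CP}actions/{PR}sub-handling")
        if handling and (decision is None or RANK[handling] > RANK[decision]):
            decision = handling
    return decision or "undefined"
```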
As an alternative to authorization rules, you can develop custom authorization policies using the APIs provided as part of Presence Server. See the topic Extending Presence Server authorization.
For details about how Presence Server handles authentication and authorization for SIP requests, see the topic Authentication Security.