...
In summary, the default constraint allows 0..N values assigned per attribute, single-value allows 0..1 values, required allows 1..N, and the combination of single-value and required allows 1..1 values.
Authorization will not succeed if any of the constraints fail.
Roles
The Roles view presents a simplified view into the authorization policy where the Site Manager is allowed to manage group – role associations. See Figure 2.
...
Object | Description |
---|---|
Group | Click Group or System name to edit group object |
Update | Edit role field and click Update to update group – role association |
Add | Click Add… to create a new association. By default the name of the group is used for the role name. You can change the role name. Any number of associations can be created. A single group may be associated with any number of roles. |
Remove | Select group check box and click Remove to remove group – role association. |
Attributes
The Attributes view (see Figure 3) presents a more advanced view into the authorization policy.
...
text:<string> → the value is <string>
user:<name> → the value is evaluated by reading the attribute <name> from the user's directory object. For example, user:uid would return the value of the uid attribute.
user:<name>;binary → LDAP binary option mechanism (http://www.rfc-editor.org/rfc/rfc2251.txt, Authentication and Authorization Process, and SSO Management customization → Disabling Context Menu items). The attribute <name> is returned to web applications as a Base64 coded string. For example, user:objectGuid;binary would return a value such as sFy0xj0cXU6QpjsQRCzG5Q==.
method:<name> → the value is evaluated by reading the attribute <name> assigned by the authentication method component. The availability of method attributes depends on the authentication method implementation. For example, the CUSTID attribute is available with the Tupas 2 authentication method. method:CUSTID would then return the value of the CUSTID attribute from the Tupas 2 authentication process.
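The following added example (not the product's own code) models how the value sources above and the single-value/required constraints combine into an all-or-nothing authorization result. The names resolve, satisfies and authorize, the sample directory object, and the handling of multi-valued and unknown inputs are assumptions made for illustration.

```python
import base64

# Constructed sample data, not taken from the product.
USER = {  # directory object: attribute name -> raw values
    "uid": [b"alice"],
    "mail": [b"alice@example.com", b"a.smith@example.com"],
    "objectGuid": [base64.b64decode("sFy0xj0cXU6QpjsQRCzG5Q==")],
}
METHOD = {"CUSTID": ["12345678"]}  # set by the authentication method

def resolve(spec, user=USER, method=METHOD):
    """Evaluate one value spec (text:, user:, method:) to a list of strings."""
    source, sep, rest = spec.partition(":")
    if not sep:
        raise ValueError(f"missing source prefix: {spec!r}")
    if source == "text":
        return [rest]
    if source == "method":
        return list(method.get(rest, []))
    if source == "user":
        name, _, option = rest.partition(";")
        raw = user.get(name, [])
        if option == "binary":  # hand bytes to the application as Base64
            return [base64.b64encode(v).decode("ascii") for v in raw]
        if option:
            raise ValueError(f"unsupported option: {option!r}")
        return [v.decode("utf-8") for v in raw]
    raise ValueError(f"unknown source: {source!r}")

def satisfies(values, single_value=False, required=False):
    """default 0..N, single-value 0..1, required 1..N, both 1..1."""
    if required and not values:
        return False
    return not (single_value and len(values) > 1)

def authorize(policy):
    """policy: (attribute, spec, single_value, required) tuples.
    Returns the attribute map, or None when any constraint fails."""
    result = {}
    for attribute, spec, single_value, required in policy:
        values = resolve(spec)
        if not satisfies(values, single_value, required):
            return None  # assumed: no partial attribute set is released
        result[attribute] = values
    return result
```

In this model a multi-valued mail attribute under a single-value constraint, or a missing attribute under a required constraint, denies the whole request rather than dropping one attribute.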
Java EL expressions
It is possible to use Java EL expressions in place of attribute values. This makes the more advanced techniques of Java EL syntax, such as string concatenation, available for building attribute values.
...
Note |
---|
Note: In the image above, the expression sets the attribute's name to "role", so an attribute named "name" would not be defined. |
Applications
This view shows the web applications where this authorization policy is assigned.
...