Configuration Guides › Policy Server Configuration Guide › Variables › Variables Overview › Message-based Authorization Using Variables

Message-based Authorization Using Variables

Variables are objects that can be resolved to a value, which you can incorporate into the authorization phase of a request. The value of a variable object is the result of dynamic data and is evaluated at run time.

To make authorization decisions based on the transport header, SOAP envelope header, XML payload, or SAML assertions, you can define specific SOA Security Manager variables and add them to policies in the form of policy expressions. The Policy Server can use a policy expression as an additional criterion when determining if a client should be permitted access to a web service.

SOA Security Manager provides five variables types that represent dynamic, context-sensitive data from any layer (transport, message envelope, or message body) of an XML message. All of these variables can be used in policy expressions.

• SAML Assertion—Lets you obtain information from SAML assertions.
• Transport—Lets you to obtain HTTP header values from the web service request.
• XML Agent—Lets you obtain information about the web server whose resources the SOA Agent is protecting.
• XML Body—Lets you obtain information from any element in the body (or payload) of an incoming XML message.
• XML Envelope Header—Lets you obtain information from any element in the SOAP envelope (including WS‑Security headers) of an incoming XML message.

Once defined, these variables can be used in policy expressions to make authorization decisions. For example, you could define an XML body variable called ShipToZipCode that corresponds to an XML query that obtains the ship-to ZIP code from a purchase order XML document.