

Message-based Authorization Using Variables

Variables are objects that can be resolved to a value, which you can incorporate into the authorization phase of a request. The value of a variable object is the result of dynamic data and is evaluated at run time.

To make authorization decisions based on the transport header, SOAP envelope header, XML payload, or SAML assertions, you can define specific CA SiteMinder® Web Services Security variables and add them to policies in the form of policy expressions. The Policy Server can use a policy expression as an additional criterion when determining if a client should be permitted access to a web service.

Note: Variables can only be used in policy expressions when using traditional (policy domain-based) policy management. They are not available when using enterprise (application-based) policy management.

CA SiteMinder® Web Services Security provides five variable types that represent dynamic, context-sensitive data from any layer (transport, message envelope, or message body) of an XML message. All of these variables can be used in policy expressions.

Once defined, these variables can be used in policy expressions to make authorization decisions. For example, you could define an XML body variable called ShipToZipCode that corresponds to an XML query that obtains the ship-to ZIP code from a purchase order XML document. Variables can also be used in responses.
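The ShipToZipCode idea above, sketched in Python as an added illustration; this is not CA SiteMinder code or its policy-expression syntax. The purchase order layout, the XPath query, and the function names are assumptions made for the example. It treats the variable as an additional criterion and denies access when the value cannot be resolved unambiguously.

```python
import xml.etree.ElementTree as ET

# Constructed sample purchase order; element names are assumptions.
PURCHASE_ORDER = """<PurchaseOrder>
  <ShipTo><Name>A. Buyer</Name><Zip>02134</Zip></ShipTo>
  <Item sku="X1" qty="2"/>
</PurchaseOrder>"""

# Hypothetical variable definitions: variable name -> XPath query over the body.
VARIABLES = {"ShipToZipCode": "./ShipTo/Zip"}


class Unresolved(Exception):
    """The variable did not resolve to exactly one non-empty value."""


def resolve(name, body):
    """Evaluate the variable's query against the message body at request time."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise Unresolved(f"{name}: body is not well-formed XML") from exc
    matches = root.findall(VARIABLES[name])
    # Zero matches means no value; several matches means the sender controls
    # which one is "the" value. Neither is safe to authorize on.
    if len(matches) != 1:
        raise Unresolved(f"{name}: expected 1 match, found {len(matches)}")
    value = (matches[0].text or "").strip()
    if not value:
        raise Unresolved(f"{name}: empty value")
    return value


def authorize(base_policy_ok, body, allowed_zips):
    """Apply the variable as an extra criterion on top of the base policy."""
    if not base_policy_ok:
        return False
    try:
        return resolve("ShipToZipCode", body) in allowed_zips
    except Unresolved:
        return False  # fail closed: an unresolvable variable never grants access


if __name__ == "__main__":
    print(authorize(True, PURCHASE_ORDER, {"02134"}))  # True
```
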

Variable Use in Responses

Variables that you define in the Administrative UI can be used in responses. The value of the response is created at run time by the Policy Server as it resolves the value of the variable object.

Create a Variable

You create a variable to make it available for use in policies or responses. Variables are domain objects. You create them within a specific policy domain, or import them into a domain using the smobjimport tool.

For more information about importing objects into policy domains, see the Policy Server Administration guide.

More information:

Domains