For the Policy Server to authorize a user to access a resource in a nested realm, the user must be authorized in each realm from the top of the hierarchy to the realm that contains the resource. Once a user is authenticated, the Policy Server checks the policies governing each realm above the resource to make sure the user is authorized. In the previous example, if employee3 wants to access /home/employees/managers/manager.html, the Policy Server verifies that employee3 is authorized in /home, /employees, and finally, /managers.
Once the Policy Server determines that the user is authorized, it collects entitlements for the user from each of the nested realms. Next, the Policy Server processes OnAccessAccept events starting at the top of the realm hierarchy and moving through the longest matching realm. In the previous example, the responses returned by the Policy Server would include employee3's email address, as well as the static response manager=YES.
Copyright © 2010 CA. All rights reserved. | Email CA about this topic |