A Data, Service, or System component.
Examples: an HTTP URL, a Servlet, a Portlet, a POJO (Plain Old Java Object), a Java Method, a Java Field, etc.
An operation on a resource.
Examples: CRUD (Create, Read, Update, Delete), HTTP GET, HTTP POST, PORTLET VIEW, PORTLET ACTION, etc.
The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource, or action.
Examples: Current Date and/or Time, Application Data in an HTTP Session, the parameters passed to a Java method call, etc.
A characteristic of a Resource, Action, Subject or Environment that is referenced within a Policy Rule or a Policy Target. Attributes are runtime information presented with an Authorization Context during Enforcement. Within the policy definition, conditions, logic, and target matching are applied to the information referenced by Attributes. The concept of Attributes makes Authorization flexible by allowing arbitrary runtime information to be included in the decision process.
Resource Examples: Unique URI, Resource Id, File Name, etc.
Action Examples: CRUD (Create, Read, Update, Delete), HTTP GET, HTTP POST, etc.
Subject Examples: Username, Roles for this User, IP Address, Authentication Method, Authentication Time, etc.
Environment Examples: Current Date and/or Time, etc.
A security policy consisting of a target and multiple rules. An Enterprise application will have multiple policies stored in the system. Enforcement requests are evaluated by applying the logic specified within these policies. A Policy Evaluation results in a Permit or Deny State.
The set of Enforcement requests, identified by policy definitions of Resource, Subject, and Action, that a Policy or a Rule is intended to evaluate. Simply put, a Target definition consists of logic that determines whether a particular Policy or Rule should be evaluated for the incoming Enforcement request.
A Policy Component that consists of the following:
Target : To determine if the Rule should be evaluated for the incoming Enforcement request.
Expression : Encapsulates the Logic that must be evaluated resulting in a Boolean (true|false) result.
Effect : Decides what to do (Permit or Deny) if this Rule's Expression evaluates to true.
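To make the relationship between Attributes, Target, Rule, Effect and Policy concrete, here is an added illustrative Python model of the evaluation flow; it is not code from the project this glossary describes. The combining behaviour (first applicable Rule wins, default Deny when no Policy applies), the `/admin/` sample Policy and the `make_context` helper are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Context = Dict[str, Dict[str, object]]  # Authorization Context: Attributes by category
Predicate = Callable[[Context], bool]
@dataclass
class Rule:
    target: Predicate     # Target: should this Rule be evaluated for the request?
    condition: Predicate  # Expression: boolean logic over the Attributes
    effect: str           # Effect: "Permit" or "Deny", applied when condition is true

@dataclass
class Policy:
    target: Predicate
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, ctx: Context) -> str:
        # First-applicable combining (an assumption; the page names none): the Effect of
        # the first Rule whose Target matches and whose Expression holds.
        if not self.target(ctx):
            return "NotApplicable"   # this Policy's Target does not match the request
        for rule in self.rules:
            if rule.target(ctx) and rule.condition(ctx):
                return rule.effect
        return "NotApplicable"       # Target matched but no Rule decided

def decide(policies: List[Policy], ctx: Context) -> str:
    # Enforcement: consult each Policy in order; default-deny if none applies.
    for policy in policies:
        decision = policy.evaluate(ctx)
        if decision != "NotApplicable":
            return decision
    return "Deny"

def make_context(uri, method, user, roles, hour) -> Context:
    # Constructed Authorization Context; a real enforcement point fills it from request and clock.
    return {"resource": {"uri": uri}, "action": {"method": method},
            "subject": {"username": user, "roles": roles},
            "environment": {"hour_of_day": hour}}

# Constructed sample Policy: HTTP POST to /admin/* is permitted only for the "admin"
# role during business hours; any other request matching the Policy Target is denied.
admin_policy = Policy(
    target=lambda c: c["resource"]["uri"].startswith("/admin/") and c["action"]["method"] == "POST",
    rules=[
        Rule(target=lambda c: "admin" in c["subject"]["roles"],
             condition=lambda c: 9 <= c["environment"]["hour_of_day"] < 17, effect="Permit"),
        Rule(target=lambda c: True, condition=lambda c: True, effect="Deny"),
    ],
)
```

A GET to the same URI never reaches the Rules because the Policy Target does not match, so the decision comes from the default-deny in `decide`, not from the catch-all Rule.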