
Overview of WAM Access Control Rules

The WAM Access Control Rules API enables you to implement custom access control rules based on date, time, business rules, user profile information, database values, and more.

Implementing access control as custom rules lets you centralize, secure, and reuse that logic across multiple enterprise resources and applications.

WAM uses access control rules (ACRs) to implement the business logic for controlling access to protected resources. The access control rules provided with the standard WAM distribution include:

  • granted: Used to always grant access to a protected resource.

  • denied: Used to always deny access to a protected resource.

  • confidential: Used to force use of encrypted network protocols, like SSL/TLS.

  • acr: Used to create composite access control rules.

  • auth: Used to require user authentication and constrain access by user roles and principal classes.

  • auth-method: Used to require a specific authentication method.

  • host: Used to constrain the hosts that can access a protected resource by host name or IP address.

  • attr: Used to evaluate access control based on HTTP query parameters.

  • obligation: Used to implement custom access control request routing based on access control evaluations.

  • sql-data: Used to evaluate access control based on SQL database values.

These ACRs are also known as the WAM intrinsic access control rules because they are available for all security domains and cannot be replaced or removed.

If these rules are not sufficient for your needs, you can add new access control rules to WAM that grant or deny access based on the following criteria:

  • Information about the protected resource.

  • Information from an authenticated user’s session, such as user profile information.

  • Information from an external data source.

  • Date, time, system state, or virtually any other criteria that you can think of.

WAM access control rules must support being:

  1. Stored as part of a security domain’s access control policy.

  2. Loaded from a security domain’s access control policy.

  3. Removed from persistent access control policy storage.

To support these requirements, you’ll need to create and register a set of classes for each custom access control rule that you create.
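The following is an added, illustrative model of the two ideas above: the intrinsic rule kinds (granted, denied, confidential, auth, host, attr, and the composite acr rule) evaluated against a request, and a rule set that can be stored, loaded, and removed from a policy store. It is not the WAM Access Control Rules API and does not use WAM class names; the rule dictionaries, the JSON policy layout, the `combine` option on the composite rule, and the `Request` type are all assumptions of this example. Unknown rule types and empty composites deny, so the evaluator fails closed.

```python
"""Hypothetical access-control-rule evaluator and policy store.

Example code, not the WAM API. Rule kinds mirror the names in the
WAM intrinsic rule list; field names and JSON layout are assumptions.
"""
import ipaddress
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed request context used for evaluation (not a WAM type)."""
    host: str                     # client host name or IP address
    secure: bool                  # True when the request arrived over TLS
    authenticated: bool = False
    roles: set = field(default_factory=set)
    params: dict = field(default_factory=dict)   # HTTP query parameters


def _host_matches(pattern: str, host: str) -> bool:
    """Match a client against an IP network (CIDR) or an exact host name."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Either side is not an IP literal: fall back to a name comparison.
        return pattern.lower() == host.lower()


def eval_rule(rule: dict, req: Request) -> bool:
    """Evaluate one rule dict against a request. Anything unrecognised denies."""
    kind = rule.get("type")
    if kind == "granted":
        return True
    if kind == "denied":
        return False
    if kind == "confidential":              # require an encrypted transport
        return req.secure
    if kind == "auth":                      # authenticated and holding all listed roles
        return req.authenticated and set(rule.get("roles", [])) <= req.roles
    if kind == "host":                      # client must match an allowed host/network
        return any(_host_matches(p, req.host) for p in rule.get("allow", []))
    if kind == "attr":                      # query parameters must equal the given values
        return all(req.params.get(k) == v for k, v in rule.get("equals", {}).items())
    if kind == "acr":                       # composite: "all" (default) or "any" of the children
        children = rule.get("rules", [])
        if not children:
            return False                    # an empty composite grants nothing
        combine = any if rule.get("combine") == "any" else all
        return combine(eval_rule(child, req) for child in children)
    return False                            # unknown rule type: fail closed


class PolicyStore:
    """In-memory stand-in for a security domain's access control policy.

    Rules are kept as JSON so the same object can be stored, loaded
    back, and removed, mirroring the lifecycle the text describes.
    """

    def __init__(self, serialized: str = "{}"):
        self._rules = json.loads(serialized)

    def store(self, name: str, rule: dict) -> None:
        self._rules[name] = rule

    def load(self, name: str) -> dict:
        return self._rules[name]

    def remove(self, name: str) -> None:
        del self._rules[name]

    def dump(self) -> str:
        return json.dumps(self._rules, sort_keys=True)


# Constructed composite rule: TLS, an internal client, and the admin role.
INTRANET_ADMIN = {
    "type": "acr",
    "rules": [
        {"type": "confidential"},
        {"type": "host", "allow": ["10.0.0.0/8", "admin.example.internal"]},
        {"type": "auth", "roles": ["admin"]},
    ],
}


def decide(store: PolicyStore, rule_name: str, req: Request) -> bool:
    """Load a named rule from the store and evaluate it for the request."""
    return eval_rule(store.load(rule_name), req)


if __name__ == "__main__":
    store = PolicyStore()
    store.store("intranet-admin", INTRANET_ADMIN)
    ok = Request(host="10.1.2.3", secure=True, authenticated=True, roles={"admin"})
    plain = Request(host="10.1.2.3", secure=False, authenticated=True, roles={"admin"})
    print("tls admin from intranet:", decide(store, "intranet-admin", ok))
    print("same client without tls:", decide(store, "intranet-admin", plain))
```

Each child rule evaluates independently and the composite combines them, which is what makes a rule set reusable across resources: a resource binds to the named rule, and changing the stored rule changes the decision everywhere it is referenced.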
