Authorization policies let Identity Cloud determine whether to grant a subject access to a resource.
A policy defines the following:
- resources
The resource to which access is restricted, such as a web page, a mobile app, or a boarding area in an airport.
- actions
The verbs that describe what users can do to the resource, such as read a web page, submit a web form, or access a boarding area.
- subject conditions
Who the policy applies to, such as all authenticated users, only administrators, or only passengers with valid tickets for planes leaving soon.
- environment conditions
The circumstances under which the policy applies, such as only during work hours, only when accessing from a specific IP address, or only when the flight is scheduled to leave within the next four hours.
- response attributes
Information that Identity Cloud attaches to a response following a policy decision, such as a name, email address, or frequent flyer status.
Policy conditions don’t determine the outcome of the policy but determine whether a specific policy is applicable and whether its actions should contribute towards the overall policy decision. If a condition fails (due to authentication failure, for example), Identity Cloud disregards the corresponding policy and assesses any other configured policies to make the authorization decision.
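The following Python model is an added illustration of the behaviour described above; it is not Identity Cloud code and does not use its API. The `Policy` class, the request fields, and the sample policies are hypothetical, and two rules the page does not state are assumptions: a deny wins when applicable policies disagree, and an action that no applicable policy grants is refused.

```python
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatch
from typing import Callable

@dataclass
class Policy:
    name: str
    resources: list            # resource patterns the policy protects
    actions: dict              # action verb -> True (allow) / False (deny)
    subject: Callable          # subject condition: who the policy applies to
    environment: Callable      # environment condition: when it applies
    response_attributes: dict = field(default_factory=dict)

def evaluate(policies, request):
    """Return (action decisions, response attributes, contributing policy names)."""
    decisions, attributes, applied = {}, {}, []
    for p in policies:
        if not any(fnmatch(request["resource"], r) for r in p.resources):
            continue
        # A failed condition makes the policy inapplicable; it is not a deny.
        if not (p.subject(request) and p.environment(request)):
            continue
        applied.append(p.name)
        for action, allowed in p.actions.items():
            # Assumption: when applicable policies disagree, deny wins.
            decisions[action] = decisions.get(action, True) and allowed
        attributes.update(p.response_attributes)
    return decisions, attributes, applied

def is_allowed(policies, request):
    # Assumption: an action no applicable policy grants is refused.
    decisions, _, _ = evaluate(policies, request)
    return decisions.get(request["action"], False)

# Constructed sample policies, using the page's boarding-area scenario.
POLICIES = [
    Policy("staff-access", ["airport/gates/*"], {"access": True},
           subject=lambda r: r["role"] == "staff",
           environment=lambda r: time(6) <= r["time"] <= time(22)),
    Policy("passenger-boarding", ["airport/gates/*"], {"access": True},
           subject=lambda r: r["role"] == "passenger" and r["ticket_valid"],
           environment=lambda r: 0 <= r["hours_to_departure"] <= 4,
           response_attributes={"frequentFlyerStatus": "gold"}),
]
```

In this model a passenger whose flight leaves in nine hours fails the environment condition of `passenger-boarding`, so that policy is skipped and the decision falls to whatever other policies apply, which here is none.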