Airlock IAM as Policy Information Point (PIP)

Airlock IAM acts as the Access Policy Information Point (PIP) and partially as the Access Policy Decision Point (PDP): it provides information used by the Airlock Gateway (WAF) and takes some access decisions itself (e.g. Step-Up).

Required information

To do so, IAM needs the following information:

  • Roles of users:
    • to provide the information to the Airlock Gateway (WAF)
    • to take decisions (e.g. for Step-Up)
  • Target applications:
    • for step-up authentication (and similar concepts)
    • for identity propagation (not part of the current access control)

Applied to the above example scenario, Airlock IAM roughly holds the following access policy user information:

User     Granted Roles
User1    -
User2    customer + admin
User3    customer
User4    admin

Information storage

The above information is stored in:

  • Roles: user directory (typically the IAM database)
  • Target applications: configuration
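The following is an added illustration of the PIP/PDP split described on this page; it is not Airlock IAM code. A small policy information point serves the granted roles from the user table above (the "user directory"), and a policy decision point combines those roles with a target application configuration to return allow, deny or step-up. The application names, the roles that grant access to them, and the two-level authentication scale are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # gateway may forward the request
    STEP_UP = "step-up"  # user must authenticate more strongly first
    DENY = "deny"        # user holds no role that grants access


# Roles per user, mirroring the roles table on this page (the user directory).
USER_ROLES = {
    "User1": frozenset(),
    "User2": frozenset({"customer", "admin"}),
    "User3": frozenset({"customer"}),
    "User4": frozenset({"admin"}),
}


@dataclass(frozen=True)
class TargetApplication:
    """Assumed shape of a target application entry in the configuration."""
    name: str
    granting_roles: frozenset   # any one of these roles grants access
    required_auth_level: int    # 1 = password only, 2 = second factor (assumed scale)


# Constructed target application configuration; names and levels are assumptions.
TARGET_APPLICATIONS = {
    "shop": TargetApplication("shop", frozenset({"customer"}), 1),
    "backoffice": TargetApplication("backoffice", frozenset({"admin"}), 2),
}


class PolicyInformationPoint:
    """Serves the facts the gateway and the PDP need: a user's granted roles."""

    def __init__(self, directory):
        self._directory = directory

    def granted_roles(self, user):
        # Unknown users get no roles, so every decision for them fails closed.
        return self._directory.get(user, frozenset())

    def roles_for_gateway(self, user):
        """Roles in the form a gateway would consume them, e.g. as a header value."""
        return ",".join(sorted(self.granted_roles(user)))


class PolicyDecisionPoint:
    """Takes the access decision from the PIP's facts plus the application config."""

    def __init__(self, pip, applications):
        self._pip = pip
        self._apps = applications

    def decide(self, user, app_name, current_auth_level):
        app = self._apps.get(app_name)
        if app is None:
            return Decision.DENY  # unconfigured target: fail closed
        if not (self._pip.granted_roles(user) & app.granting_roles):
            return Decision.DENY
        if current_auth_level < app.required_auth_level:
            return Decision.STEP_UP  # role is fine, authentication strength is not
        return Decision.ALLOW


if __name__ == "__main__":
    pip = PolicyInformationPoint(USER_ROLES)
    pdp = PolicyDecisionPoint(pip, TARGET_APPLICATIONS)
    for user in USER_ROLES:
        for app in TARGET_APPLICATIONS:
            print(user, app, pdp.decide(user, app, 1).value)
```

The ordering of the checks is the point worth keeping: the role check is evaluated before the authentication level, so a user without a granting role is denied rather than being prompted to step up, and an application missing from the configuration is denied instead of falling through to allow.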

Please consult "Securing applications with the JSP-Loginapp" for further information about configuration.