Access control for end-users (authorization)

To manage access control Airlock IAM and Airlock Gateway must be integrated and configured correctly.

Access control is important both for the protection of target applications and for the protection of internal services i.e. protected self-services.

For role-based access control, Airlock IAM needs to propagate role information to Airlock Gateway if a user successfully completed an authentication flow.

• To make this work. Airlock IAM and Airlock Gateway interact in this manner:
• Airlock Gateway determines if a user has already acquired all the roles required to access a particular backend application. Airlock Gateway will redirect the user to a particular authentication flow in Airlock IAM if roles are missing.
• Airlock IAM will authenticate the user using the chosen authentication flow. If the flow completes successfully, Airlock IAM will propagate role information to Airlock Gateway and Identity Information for the backend application and redirect the user to the particular backend application.

• This interaction is configured both in Airlock IAM and Airlock Gateway:
• Airlock IAM as Policy Decision Point (PDP)
• Airlock Gateway as Policy Enforcement Point

See also our role-based access control example.

The Airlock IAM Loginapp provides protected self-services to end-users. These services require the end-user to be authenticated.

• Examples of protected self-services:
• Password change self-service.
• Airlock 2FA token management self-service.
• User profile self-service.

To control access to internal services, Airlock IAM supports two mechanisms that can be configured on every individual internal service flow.

• Access control for protected self-services:
• Access Conditions are used to determine if an end-user is permitted to use this particular flow. A long list of plugins is provided for the configuration of access conditions.
  Example: A user that does not have a particular authentication means does not need to be able to order an activation letter for such a device.
• Authorization Conditions are used to determine if an end-user is sufficiently authenticated to use this flow. Tags are used to verify these conditions.
  Example: A user that was only authenticated with a username and password should not be able to use a user profile self-service.

• Internal links:
• See Flows as Airlock IAM concept for a general introduction of the flow concept.
• See Flow tags and red flags for more information about tags.
• See REST API service overview for an overview of the REST API services offered by Airlock IAM.
• See Adminapp REST API for information on the access control of the Admin REST API.
• See Protected self-services for end-users for more information.
• Configuration in the Loginapp UI: Properties Access Condition and Authorization Condition in the protected self-services (Loginapp >> Protected Self-Services).